Terence Namusonge Sifuna created DRILL-7296: -----------------------------------------------
Summary: No way to limit kerberos access to a particular group Key: DRILL-7296 URL: https://issues.apache.org/jira/browse/DRILL-7296 Project: Apache Drill Issue Type: Bug Components: Server Affects Versions: 1.16.0 Environment: drill version 1.16 drill host ubuntu 1804 kerberos: FreeIPA (hbac rules) Reporter: Terence Namusonge Sifuna Currently there is no way to limit drill user access to a particular LDAP group when kerberos is used for authentication.Its not an issue with PAM as it supports sssd which knows how to do this. So the sum effect is that any valid kerberos user can access drill while typically access would be limited to particular groups. So to test I have a kerberos enviroment with freeIPA and set up with a user tuser2 who has no host access on the drill server (hbac rule). Access is denied when I try and connect using sqlLine using user/password credentials ( correct) but access it granted if I connect with an acquired TGT ticket then access is granted ( wrong) -- This message was sent by Atlassian JIRA (v7.6.3#76005)