Terence Namusonge Sifuna created DRILL-7296:
-----------------------------------------------

             Summary: No way to limit kerberos access to a particular group
                 Key: DRILL-7296
                 URL: https://issues.apache.org/jira/browse/DRILL-7296
             Project: Apache Drill
          Issue Type: Bug
          Components:  Server
    Affects Versions: 1.16.0
         Environment: drill version 1.16

drill host ubuntu 1804

kerberos: FreeIPA (hbac rules)
            Reporter: Terence Namusonge Sifuna


Currently there is no way to limit Drill user access to a particular LDAP group 
when Kerberos is used for authentication. It's not an issue with PAM, as it 
supports sssd, which knows how to do this.

So the sum effect is that any valid Kerberos user can access Drill, while 
typically access would be limited to particular groups. So to test, I have a 
Kerberos environment with FreeIPA, set up with a user tuser2 who has no host 
access on the Drill server (hbac rule). 

Access is denied when I try to connect using sqlLine with user/password 
credentials (correct), but access is granted if I connect with an acquired TGT 
ticket (wrong).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
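
The report separates authentication (a valid Kerberos ticket) from authorization (group or HBAC membership). As an added example, not Drill code and not part of the original report, this is the kind of post-authentication check the reporter is asking for: map the authenticated principal to a short name, then require membership in an allowed group as resolved through NSS (which sssd backs on a FreeIPA client). The realm `EXAMPLE.TEST`, the group `drill-users`, the user `tuser1` and all function names are assumptions made for illustration.

```python
import grp
import os
import pwd

TRUSTED_REALM = "EXAMPLE.TEST"     # assumption: constructed realm name
ALLOWED_GROUPS = {"drill-users"}   # assumption: constructed group name


def short_name(principal, trusted_realm=TRUSTED_REALM):
    """Map 'user@REALM' to 'user'; reject foreign realms and service principals."""
    name, sep, realm = principal.rpartition("@")
    if not sep or realm != trusted_realm:
        raise PermissionError(f"untrusted or missing realm: {principal!r}")
    if not name or "/" in name:
        raise PermissionError(f"not a plain user principal: {principal!r}")
    return name


def nss_groups(user):
    """Group names NSS reports for user (uses initgroups, so sssd is consulted)."""
    try:
        gid = pwd.getpwnam(user).pw_gid
    except KeyError:
        return set()               # unknown to NSS: member of nothing
    names = set()
    for g in os.getgrouplist(user, gid):
        try:
            names.add(grp.getgrgid(g).gr_name)
        except KeyError:
            pass                   # gid without a resolvable name
    return names


def authorize(principal, allowed=ALLOWED_GROUPS, lookup=nss_groups):
    """True only if the already-authenticated principal is in an allowed group."""
    try:
        user = short_name(principal)
    except PermissionError:
        return False               # fail closed on anything unexpected
    return bool(lookup(user) & set(allowed))


# Constructed directory standing in for sssd so the example runs offline.
SAMPLE = {"tuser1": {"drill-users", "ipausers"}, "tuser2": {"ipausers"}}

def sample_lookup(user):
    return SAMPLE.get(user, set())

if __name__ == "__main__":
    for p in ("tuser1@EXAMPLE.TEST", "tuser2@EXAMPLE.TEST", "tuser1@OTHER.TEST"):
        print(p, "->", "allow" if authorize(p, lookup=sample_lookup) else "deny")
```

With the constructed data, `tuser2` holds a valid principal but is denied because it is not in the allowed group, which is the outcome the report expects for a TGT-based login.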
