[ 
https://issues.apache.org/jira/browse/DRILL-7296?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16896191#comment-16896191
 ] 

Terence Namusonge Sifuna commented on DRILL-7296:
-------------------------------------------------

More like a GSSAPI workflow. The way to go about it would then be to enable User 
Impersonation, which will call on PAM to check access, and you're sorted (for file 
system plugins certainly).

> Kerberos Authorisation
> ----------------------
>
>                 Key: DRILL-7296
>                 URL: https://issues.apache.org/jira/browse/DRILL-7296
>             Project: Apache Drill
>          Issue Type: Bug
>          Components:  Server
>    Affects Versions: 1.16.0
>         Environment: drill version 1.16
> drill host ubuntu 1804
> kerberos: FreeIPA (hbac rules)
>            Reporter: Terence Namusonge Sifuna
>            Priority: Major
>
> Currently there is no way to limit Drill user access to a particular LDAP 
> group when Kerberos is used for authentication. It's not an issue with PAM as 
> it supports sssd which knows how to do this.
> So the sum effect is that any valid Kerberos user can access Drill while 
> typically access would be limited to particular groups. So to test I have a 
> Kerberos environment with FreeIPA and set up with a user tuser2 who has no 
> host access on the Drill server (hbac rule). 
> Access is denied when I try and connect using sqlLine using user/password 
> credentials (correct) but access is granted if I connect with an acquired 
> TGT ticket (wrong).



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
