[ 
https://issues.apache.org/jira/browse/DRILL-7475?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16992505#comment-16992505
 ] 

Anton Gozhiy commented on DRILL-7475:
-------------------------------------

[~kstyrc], it would be very helpful if you described the issue according to the 
common bug reporting standards:
 * Environment / Initial Conditions
 * Steps To Reproduce
 * Expected Result
 * Actual Result
 * Additional Information / Notes (if any)

 

> Impersonation on local file system
> ----------------------------------
>
>                 Key: DRILL-7475
>                 URL: https://issues.apache.org/jira/browse/DRILL-7475
>             Project: Apache Drill
>          Issue Type: Bug
>    Affects Versions: 1.16.0
>            Reporter: Krzysztof Styrc
>            Priority: Minor
>
> Hi,
> we'd like to set up Drill as an SQL interface for files stored on the local file 
> system (non-HDFS) with multi-user access - each user/group authorized to 
> access only selected tables/views.
>  
> In order to achieve this we've configured Drill with plain PAM authentication 
> + impersonation following the docs:
> [https://drill.apache.org/docs/configuring-plain-security/]
> [https://drill.apache.org/docs/configuring-user-impersonation/]
> We've ended up with the following ```drill-override.conf``` config:
> {code:java}
> drill.exec: {
>   cluster-id: "unit8drill",
>   zk.connect: "localhost:2181",
>   impersonation: {
>     enabled: true,
>   },
>   security: {
>     auth.mechanisms : ["PLAIN"],
>   },
>   security.user.auth: {
>     enabled: true,
>     packages += "org.apache.drill.exec.rpc.user.security",
>     impl: "pam4j",
>     pam_profiles: [ "sudo", "login" ],
>   }
> }
> {code}
> The Drill process runs as root in order to have access to ```/etc/shadow``` 
> etc.
>  
> Authentication works fine. We're able to use sqlline as well as Web UI in 
> order to run SQL queries. Also, users that are in the root group have access 
> to Storage, Threads and Logs tabs.
>  
> Unfortunately, all the users have access to all tables/directories/views, 
> regardless of the permissions set on the local file system. Furthermore, 
> inspecting the Drill process with auditctl reveals that the Drill process 
> user (root) is accessing the files instead of the impersonated user, as one 
> would expect while using impersonation.
>  
> Attaching with a Java debugger also reveals that even though it's a local file 
> system, Drill uses ```ProxyLocalFileSystem``` from hive-exec JAR in 
> ```ImpersonationUtil.createFileSystem(...)```.
>  
> The question is, does Drill support RBAC on local file system? If so, what 
> could we be doing wrong?
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
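
The auditctl check described in the quoted report can be scripted to show which OS identity actually opened each data file. This is an added example, not part of the original message or of Drill's code; the audit records, the watch key `drill-data`, the paths and uid 1001 are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed auditd records (not from the issue): a watch keyed "drill-data"
# on the data directory, captured while the user with uid 1001 runs a query.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1575970000.101:501): arch=c000003e syscall=257 success=yes exit=42 ppid=1 pid=2310 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="java" exe="/usr/bin/java" key="drill-data"
type=PATH msg=audit(1575970000.101:501): item=0 name="/data/finance/salaries.csv" inode=1311 dev=fd:00 mode=0100640 ouid=1002 ogid=1002 nametype=NORMAL
type=SYSCALL msg=audit(1575970003.440:502): arch=c000003e syscall=257 success=yes exit=3 ppid=2200 pid=2400 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 comm="cat" exe="/usr/bin/cat" key="drill-data"
type=PATH msg=audit(1575970003.440:502): item=0 name="/data/sales/q1.csv" inode=1312 dev=fd:00 mode=0100640 ouid=1001 ogid=1001 nametype=NORMAL
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT = re.compile(r'msg=audit\(([\d.]+:\d+)\)')

def parse_events(log):
    """Group SYSCALL and PATH records that share one audit event id."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in log.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields.get("type") == "SYSCALL":
            events[m.group(1)]["syscall"] = fields
        elif fields.get("type") == "PATH":
            events[m.group(1)]["paths"].append(fields.get("name", ""))
    return events

def accesses_not_as(log, expected_uid, key):
    """Successful accesses under the watch key whose fsuid is not expected_uid.

    fsuid is the identity Linux uses for file permission checks, so a value
    of 0 means the file mode bits were never enforced for the query user.
    """
    findings = []
    for ev in parse_events(log).values():
        sc = ev["syscall"]
        if not sc or sc.get("key") != key or sc.get("success") != "yes":
            continue
        if int(sc["fsuid"]) != expected_uid:
            findings += [(p, int(sc["fsuid"]), sc["comm"]) for p in ev["paths"]]
    return findings

if __name__ == "__main__":
    for path, fsuid, comm in accesses_not_as(SAMPLE_LOG, 1001, "drill-data"):
        print(f"{comm} opened {path} with fsuid={fsuid}, expected 1001")
```
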
