[ https://issues.apache.org/jira/browse/DRILL-6906?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kunal Khatua resolved DRILL-6906.
---------------------------------
    Resolution: Workaround

> File permissions are not being honored
> --------------------------------------
>
>                 Key: DRILL-6906
>                 URL: https://issues.apache.org/jira/browse/DRILL-6906
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Client - JDBC, Client - ODBC
>    Affects Versions: 1.15.0
>            Reporter: Robert Hou
>            Assignee: Kunal Khatua
>            Priority: Major
>             Fix For: 1.16.0
>
>
> I ran sqlline with user "kuser1".
> {noformat}
> /opt/mapr/drill/drill-1.15.0.apache/bin/sqlline -u "jdbc:drill:drillbit=10.10.30.206" -n kuser1 -p mapr
> {noformat}
> I tried to access a file that is only accessible by root:
> {noformat}
> [root@perfnode206 drill-test-framework_krystal]# hf -ls /drill/testdata/impersonation/neg_tc5/student
> -rwx------   3 root root      64612 2018-06-19 10:30 /drill/testdata/impersonation/neg_tc5/student
> {noformat}
> I am able to read the table, which should not be possible.  I used this 
> commit for Drill 1.15.
> {noformat}
> git.commit.id=bf2b414ac62cfc515fdd77f2688bb110073d764d
> git.commit.message.full=DRILL-6866\: Upgrade to SqlLine 1.6.0\n\n1. Changed SqlLine version to 1.6.0.\n2. Overridden new getVersion method in DrillSqlLineApplication.\n3. Set maxColumnWidth to 80 to avoid issue described in DRILL-6769.\n4. Changed colorScheme to obsidian.\n5. Output null value for varchar / char / boolean types as null instead of empty string.\n6. Changed access modifier from package default to public for JDBC classes that implement external interfaces to avoid issues when calling methods from these classes using reflection.\n\ncloses \#1556
> {noformat}
> This is from drillbit.log.  It shows that user is kuser1.
> {noformat}
> 2018-12-15 05:00:52,516 [23eb04fb-1701-bea7-dd97-ecda58795b3b:foreman] DEBUG o.a.d.e.w.f.QueryStateProcessor - 23eb04fb-1701-bea7-dd97-ecda58795b3b: State change requested PREPARING --> PLANNING
> 2018-12-15 05:00:52,531 [23eb04fb-1701-bea7-dd97-ecda58795b3b:foreman] INFO  o.a.drill.exec.work.foreman.Foreman - Query text for query with id 23eb04fb-1701-bea7-dd97-ecda58795b3b issued by kuser1: select * from dfs.`/drill/testdata/impersonation/neg_tc5/student`
> {noformat}
> It is not clear to me if this is a Drill problem or a file system problem.  I 
> tested MFS by logging in as kuser1 and trying to copy the file using "hadoop 
> fs -copyToLocal /drill/testdata/impersonation/neg_tc5/student" and got an 
> error, and was not able to copy the file.  So I think MFS permissions are 
> working.
> I also tried with Drill 1.14, and I get the expected error:
> {noformat}
> 0: jdbc:drill:drillbit=10.10.30.206> select * from dfs.`/drill/testdata/impersonation/neg_tc5/student` limit 1;
> Error: VALIDATION ERROR: From line 1, column 15 to line 1, column 17: Object '/drill/testdata/impersonation/neg_tc5/student' not found within 'dfs'
> [Error Id: cdf18c2a-b005-4f92-b819-d4324e8807d9 on perfnode206.perf.lab:31010] (state=,code=0)
> {noformat}
> The commit for Drill 1.14 is:
> {noformat}
> git.commit.message.full=[maven-release-plugin] prepare release drill-1.14.0\n
> git.commit.id=0508a128853ce796ca7e99e13008e49442f83147
> {noformat}
> This problem exists with both Apache JDBC and Simba ODBC.
> Here is drill-distrib.conf.  drill-override.conf is empty.  It is the same 
> for both 1.14 and 1.15.
> {noformat}
> drill.exec: {
>   cluster-id: "secure206-drillbits",
>   zk.connect: "perfnode206.perf.lab:5181,perfnode207.perf.lab:5181,perfnode208.perf.lab:5181",
>   rpc.user.client.threads: "4",
>   options.store.parquet.block-size: "268435456",
>   sys.store.provider.zk.blobroot: "maprfs:///apps/drill",
>   spill.directories: [ "/tmp/drill/spill" ],
>   spill.fs: "maprfs:///",
>   storage.action_on_plugins_override_file: "rename"
>   zk.apply_secure_acl: true,
>   impersonation.enabled: true,
>   impersonation.max_chained_user_hops: 3,
>   options.exec.impersonation.inbound_policies: "[{proxy_principals:{users:[\"mapr\"]},target_principals:{users:[\"*\"]}}]",
>   security.auth.mechanisms: ["PLAIN", "KERBEROS"],
>   security.auth.principal : "mapr/maprs...@qa.lab",
>   security.auth.keytab : "/etc/drill/mapr_maprsasl.keytab",
>   security.user.auth.enabled: true,
>   security.user.auth.packages += "org.apache.drill.exec.rpc.user.security",
>   security.user.auth.impl: "pam4j",
>   security.user.auth.pam_profiles: ["sudo", "login"],
>   http.ssl_enabled: true,
>   ssl.useHadoopConfig: true,
>   http.auth.mechanisms: ["FORM", "SPNEGO"],
>   http.auth.spnego.principal: "HTTP/perfnode206.perf....@qa.lab",
>   http.auth.spnego.keytab: "/etc/drill_spnego/perfnode206.keytab"
> }
> {noformat}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
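
An added example, not part of the JIRA report or of Drill's code: a sketch that cross-checks "issued by" lines from drillbit.log against a file listing and flags queries issued by a user who has no read bit on the target file, the comparison the reporter made by hand. The sample inputs are constructed in the shape of the quoted log and listing; the group map, the second log line and all function names are assumptions, and ACLs, directory traversal bits and superuser bypass are not modelled.

```python
import re

# Constructed samples in the shape of the drillbit.log line and the
# `-ls` listing quoted in the report; the second query line is invented.
LOG = (
    "2018-12-15 05:00:52,531 [23eb04fb:foreman] INFO  o.a.drill.exec.work.foreman.Foreman"
    " - Query text for query with id 23eb04fb issued by kuser1: select * from"
    " dfs.`/drill/testdata/impersonation/neg_tc5/student`\n"
    "2018-12-15 05:03:10,002 [23eb0501:foreman] INFO  o.a.drill.exec.work.foreman.Foreman"
    " - Query text for query with id 23eb0501 issued by root: select * from"
    " dfs.`/drill/testdata/impersonation/neg_tc5/student` limit 1\n"
)
LISTING = "-rwx------   3 root root      64612 2018-06-19 10:30 /drill/testdata/impersonation/neg_tc5/student\n"
GROUPS = {"kuser1": {"kuser1"}, "root": {"root"}}  # assumed group membership

ISSUED = re.compile(r"issued by (\S+): (.*)")
DFS_PATH = re.compile(r"dfs\.`(/[^`]+)`")
LS_LINE = re.compile(r"^([-d][rwxsStT-]{9})\s+\S+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+(/.*)$")

def parse_listing(text):
    """Map path -> (mode string, owner, group) from `hadoop fs -ls` style lines."""
    entries = {}
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if m:
            mode, owner, group, path = m.groups()
            entries[path] = (mode, owner, group)
    return entries

def can_read(user, groups, entry):
    """POSIX class selection: owner bits, else group bits, else other bits."""
    mode, owner, group = entry
    if user == owner:
        return mode[1] == "r"
    if group in groups:
        return mode[4] == "r"
    return mode[7] == "r"

def unreadable_queries(log_text, listing_text, groups):
    """Return (user, path) for logged queries on files the user has no read bit for."""
    entries = parse_listing(listing_text)
    hits = []
    for user, sql in ISSUED.findall(log_text):
        for path in DFS_PATH.findall(sql):
            if path in entries and not can_read(user, groups.get(user, set()), entries[path]):
                hits.append((user, path))
    return hits

print(unreadable_queries(LOG, LISTING, GROUPS))
```

A hit only shows that the query was issued; whether it returned rows (as reported on 1.15.0) or failed validation (as reported on 1.14) has to be confirmed from the query result.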
