Great explanation, Ted. I think I will still open the ticket, if nothing
else to address the gaps in documentation.
Thanks,
Scott
On Fri, Jul 1, 2016 at 2:30 PM, Ted Dunning <ted.dunn...@gmail.com> wrote:
> You can certainly open a ticket for this.
>
> The problem is resolving the ticket.
>
> Impersonation explicitly depends on some of the functionality available
> with certain distributed file systems like MapR FS and HDFS. This allows a
> drill bit to just do file system level impersonation based on possession of
> a crypto certificate.
>
> Doing the same thing for a local file system requires the ability to
> actually change the effective user id of the process doing the access. That
> can be done, but allowing that level of power to an application process is
> pretty terrifying to security admins. It also is typically implemented
> using a separation of powers style which would require that an entire
> additional process be introduced into the design. That's a lot of work for
> something that is likely to result in a fair bit of grief.
>
> There is definitely a documentation bug here that should be fixed.
>
>
>
>
> On Fri, Jul 1, 2016 at 7:20 AM, scott <tcots8...@gmail.com> wrote:
>
> > Am I able to open a Jira ticket on this? Or, is this something a
> developer
> > has to do?
> >
> > Scott
> >
> > On Thu, Jun 30, 2016 at 5:17 PM, scott <tcots8...@gmail.com> wrote:
> >
> > > Impersonation using the default dfs configuration is not supported? The
> > > documentation for Impersonation Support says that File System is a
> > > supported Storage Plugin, and that only HBase is not supported.
> > > If this is true, do you know if there is a Jira ticket to add this
> > > feature?
> > >
> > > Scott
> > >
> > >
> > > On Thu, Jun 30, 2016 at 4:58 PM, Chun Chang <cch...@maprtech.com>
> wrote:
> > >
> > >> Impersonation against local file system is not supported. If you are
> > >> running against hdfs, please take a look at drillbit.log or post
> > relevant
> > >> part here.
> > >>
> > >> On Thu, Jun 30, 2016 at 8:12 AM, scott <tcots8...@gmail.com> wrote:
> > >>
> > >> > Hi,
> > >> > I am having trouble getting Impersonation to work. Using Drill 1.7,
> I
> > >> have
> > >> > a drill user, user1, and user2. Drill is started as the drill user.
> I
> > am
> > >> > testing impersonation on the local file system dfs default storage
> > >> plugin
> > >> > on a linux server. I have setup some files that are owned by user1
> and
> > >> > user2 with 600 permissions, and am using the sqlline tool to test
> > >> access.
> > >> > However, I am not able to access either file logged in as user1 or
> > >> user2.
> > >> > Only when I change permissions so that the drill user can read am I
> > >> able to
> > >> > access either file. I have confirmed that impersonation is enabled
> > using
> > >> > the following:
> > >> >
> > >> > select * from sys.boot where name like '%impersonation%';
> > >> >
> > >> >
> > >>
> >
> +-------------------------------------------------+----------+-------+---------+----------+-------------+-----------+------------+
> > >> > | name | kind |
> type |
> > >> > status | num_val | string_val | bool_val | float_val |
> > >> >
> > >> >
> > >>
> >
> +-------------------------------------------------+----------+-------+---------+----------+-------------+-----------+------------+
> > >> > | drill.exec.impersonation.enabled | BOOLEAN |
> BOOT |
> > >> > BOOT | null | null | true | null |
> > >> > | drill.exec.impersonation.max_chained_user_hops | LONG |
> BOOT |
> > >> > BOOT | 2 | null | null | null |
> > >> >
> > >> >
> > >>
> >
> +-------------------------------------------------+----------+-------+---------+----------+-------------+-----------+------------+
> > >> >
> > >> > My override conf is:
> > >> > drill.exec: {
> > >> > cluster-id: "mydrillbits",
> > >> > zk: {
> > >> > connect: "10.80.22.238:2181",
> > >> > root: "drill",
> > >> > refresh: 500,
> > >> > timeout: 5000,
> > >> > retry: {
> > >> > count: 7200,
> > >> > delay: 500
> > >> > }
> > >> > },
> > >> > http: {
> > >> > enabled: true,
> > >> > ssl_enabled: true,
> > >> > port: 8047
> > >> > },
> > >> > impersonation: {
> > >> > enabled: true,
> > >> > max_chained_user_hops: 2
> > >> > },
> > >> > security.user.auth {
> > >> > enabled: true,
> > >> > packages += "org.apache.drill.exec.rpc.user.security",
> > >> > impl: "pam",
> > >> > pam_profiles: [ "sudo", "login" ]
> > >> > }
> > >> > }
> > >> >
> > >> >
> > >> > Has anyone had similar problems, or am I misunderstanding how user
> > >> > impersonation works?
> > >> >
> > >> > Thanks for your time,
> > >> > Scott
> > >> >
> > >>
> > >
> > >
> >
>
