From: tshiran@apache.org
To: commits@drill.apache.org
Date: Tue, 12 May 2015 05:56:43 -0000
Message-Id: <2deda5b3d71a403bbbd98a5cb3668e19@git.apache.org>
X-Mailer: ASF-Git Admin Mailer
Subject: [01/25] drill git commit: Fix heading and code problems

Repository: drill
Updated Branches:
  refs/heads/gh-pages 6b7b7aa1d -> fcb4f412b

Fix heading and code problems

Project: http://git-wip-us.apache.org/repos/asf/drill/repo
Commit: http://git-wip-us.apache.org/repos/asf/drill/commit/6d0d5812
Tree: http://git-wip-us.apache.org/repos/asf/drill/tree/6d0d5812
Diff: http://git-wip-us.apache.org/repos/asf/drill/diff/6d0d5812

Branch: refs/heads/gh-pages
Commit: 6d0d58126dc9a84a689d209033129f9117c1170d
Parents: 3ababd8
Author: Kristine Hahn
Authored: Thu May 7 12:50:53 2015 -0700
Committer: Kristine Hahn
Committed: Thu May 7 12:50:53 2015 -0700

----------------------------------------------------------------------
 .../070-configuring-user-impersonation.md | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/drill/blob/6d0d5812/_docs/configure-drill/070-configuring-user-impersonation.md
----------------------------------------------------------------------
diff --git a/_docs/configure-drill/070-configuring-user-impersonation.md b/_docs/configure-drill/070-configuring-user-impersonation.md index 0aa43d8..6203ca1 100644 --- a/_docs/configure-drill/070-configuring-user-impersonation.md +++ b/_docs/configure-drill/070-configuring-user-impersonation.md
@@ -54,7 +54,8 @@ When users query a view, Drill accesses the underlying data as the user that cre The view owner or a superuser can modify permissions on the view file directly or they can set view permissions at the system or session level prior to creating any views. Any user that alters view permissions must have write access on the directory or workspace in which they are working. See Modifying Permissions on a View File and Modifying SYSTEM|SESSION Level View Permissions. -#### Modifying Permissions on a View File +### Modifying Permissions on a View File + Only a view owner or a super user can modify permissions on a view file to change them from owner to group or world readable. Before you grant permission to users to access a view, verify that they have access to the directory or workspace in which the view file is stored. Use the `chmod` and `chown` commands with the appropriate octal code to change permissions on a view file: @@ -64,7 +65,8 @@ Use the `chmod` and `chown` commands with the appropriate octal code to change p hadoop fs –chown : Example: `hadoop fs –chmod 750 employees.drill.view` -####Modifying SYSTEM|SESSION Level View Permissions +### Modifying SYSTEM|SESSION Level View Permissions + Use the `ALTER SESSION|SYSTEM` command with the `new_view_default_permissions` parameter and the appropriate octal code to set view permissions at the system or session level prior to creating a view. ALTER SESSION SET `new_view_default_permissions` = ''; 
@@ -91,7 +93,7 @@ In this scenario, when Chad queries Jane’s view Drill returns an error stating If users encounter this error, you can increase the maximum hop setting to accommodate users running queries on views. When configuring the maximum number of hops that Drill can make, consider that joined views increase the number of identity transitions required for Drill to access the underlying data. -#### Configuring Impersonation and Chaining +### Configuring Impersonation and Chaining Chaining is a system-wide setting that applies to all views. Currently, Drill does not provide an option to allow different chain lengths for different views. Complete the following steps on each Drillbit node to enable user impersonation, and set the maximum number of chained user hops that Drill allows: @@ -117,7 +119,6 @@ Complete the following steps on each Drillbit node to enable user impersonation, * In a non-MapR environment, run the following command: /bin/drillbit.sh restart - ## Impersonation and Chaining Example Frank is a senior HR manager at a company. Frank has access to all of the employee data because he is a member of the hr group. Frank created a table named “employees” in his home directory to store the employee data he uses. Only Frank has access to this table. 
@@ -131,6 +132,7 @@ Frank needs to share a subset of this information with Joe who is an HR manager rwxr----- frank:mgr /user/frank/emp_mgr_view.drill.view The emp_mgr_view.drill.view file contains the following view definition: + (view definition: SELECT emp_id, emp_name, emp_salary, emp_addr, emp_phone FROM \`/user/frank/employee\` WHERE emp_mgr = user()) When Joe issues SELECT * FROM emp_mgr_view, Drill impersonates Frank when accessing the employee data, and the query returns the data that Joe has permission to see based on the view definition. The query results do not include any sensitive data because the view protects that information. If Joe tries to query the employees table directly, Drill returns an error or null values. @@ -143,7 +145,7 @@ rwxr----- joe:joeteam /user/joe/emp_team_view.drill.view The emp_team_view.drill.view file contains the following view definition: -(view definition: SELECT emp_id, emp_name, emp_phone FROM `/user/frank/emp_mgr_view.drill`); +(view definition: SELECT emp_id, emp_name, emp_phone FROM \`/user/frank/emp_mgr_view.drill\`); When anyone on Joe’s team issues SELECT * FROM emp_team_view, Drill impersonates Joe to access the emp_team_view and then impersonates Frank to access the emp_mgr_view and the employee data. Drill returns the data that Joe’s team has can see based on the view definition. If anyone on Joe’s team tries to query the emp_mgr_view or employees table directly, Drill returns an error or null values.
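Review bot: In the hunk at @@ -64,7 +65,8 @@, the context lines `hadoop fs –chown :` and `hadoop fs –chmod 750 employees.drill.view` carry an en dash (–) where the option needs an ASCII hyphen, so the commands fail when pasted into a shell. Since this commit is already fixing code problems, change both to `-chown` and `-chmod`. As the lines appear here, `–chown :` also has no owner, group or file operands and `new_view_default_permissions` is set to an empty string `''`, so a reader cannot tell what to type; show the operands and the octal value as named placeholders.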
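Review bot: `### Configuring Impersonation and Chaining` in the hunk at @@ -91,7 +93,7 @@ is followed directly by the paragraph beginning "Chaining is a system-wide setting", while both headings promoted in the earlier hunks got an added blank `+` line after them. Add the same blank line here so the three promoted headings are formatted alike.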
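Review bot: The blank line removed in the hunk at @@ -117,7 +119,6 @@ sits between the indented command `/bin/drillbit.sh restart` and `## Impersonation and Chaining Example`. Confirm that at least one blank line still separates them, because some Markdown processors need it to close the indented code block and recognize the heading. The removal also runs opposite to the other hunks in this commit, which add blank lines around headings.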
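Review bot: The view definition in the hunk at @@ -131,6 +132,7 @@ selects `emp_salary` and `emp_addr` and reads from `/user/frank/employee`, but the context around it says the query results "do not include any sensitive data" and calls the table `employees`. Make the table name consistent, and reword the sentence to state what the view actually restricts, which from the definition is rows, through `WHERE emp_mgr = user()`, not columns.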
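Review bot: The escaped path on the `+` line of the hunk at @@ -143,7 +145,7 @@ is `/user/frank/emp_mgr_view.drill`, which matches neither the file name `emp_mgr_view.drill.view` listed in the previous hunk nor the view name `emp_mgr_view` used in the prose; pick the form the query really uses. The line also keeps a trailing `;` after the closing parenthesis that the other view definition does not have, and the context sentence "Joe’s team has can see" needs the stray "has" removed.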