Date: Tue, 12 May 2015 21:55:00 +0000 (UTC)
From: "Krystal (JIRA)"
To: dev@drill.apache.org
Subject: [jira] [Created] (DRILL-3041) Impersonation-user can create view against file that user doesn't have read access

Krystal created DRILL-3041:
------------------------------

             Summary: Impersonation-user can create view against file that user doesn't have read access
                 Key: DRILL-3041
                 URL: https://issues.apache.org/jira/browse/DRILL-3041
             Project: Apache Drill
          Issue Type: Bug
          Components: Execution - RPC
    Affects Versions: 1.0.0
            Reporter: Krystal
            Assignee: Jacques Nadeau

git.commit.id.abbrev=d10769f

I have a file that has the following permission:

    -rwx------   3 qa2 users      63078 2015-01-30 21:19 /drill/testdata/csv/voter.csv

The directory right above the file has the following permission:

    drwxr-xr-x   - qa2 users          3 2015-05-12 14:22 /drill/testdata/csv

Logged into sqlline as a different user and attempted to create a view:

    0: jdbc:drill:schema=dfs.root> CREATE VIEW `dfs.qa1`.`test_v4` AS SELECT columns[0] as column_0, columns[1] as column_1, columns[2] as column_2, columns[3] as column_3, columns[4] as column_4, columns[5] as column_5, columns[6] as column_6 FROM `dfs`.`default`.`drill/testdata/csv/voter.csv` LIMIT 100;

The view got created successfully. However, if I try to read from the view, I can't because of the lack of permission to the voter.csv table:

    0: jdbc:drill:schema=dfs.root> select * from `dfs.qa1`.`test_v4`;
    Error: SYSTEM ERROR: org.apache.hadoop.security.AccessControlException: Open failed for file: /drill/testdata/csv/voter.csv, error: Permission denied (13)

Currently Drill only checks whether the folder has the correct permission, and not at the file level, when creating views. It seems odd that a user is allowed to create the view and then is not able to access it afterwards.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
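
The gap described in the report above, as an added example that is not part of the original message and is not Drill's code: a small Python model of the two mode strings quoted in the report, contrasting a check that stops at the containing folder with one that also requires the read bit on the file. The user name `qa1`, its membership in group `users`, and the modes of `/`, `/drill` and `/drill/testdata` are assumptions; the report does not state them.

```python
# Added illustration: models POSIX-style mode bits, not Drill's implementation.
import posixpath

# path -> (mode string, owner, group). Entries marked "assumed" are not in the report.
FS = {
    "/": ("drwxr-xr-x", "root", "root"),                              # assumed
    "/drill": ("drwxr-xr-x", "qa2", "users"),                         # assumed
    "/drill/testdata": ("drwxr-xr-x", "qa2", "users"),                # assumed
    "/drill/testdata/csv": ("drwxr-xr-x", "qa2", "users"),            # from the report
    "/drill/testdata/csv/voter.csv": ("-rwx------", "qa2", "users"),  # from the report
}

def allowed(path, user, groups, want):
    """True if `user` holds permission `want` ('r', 'w' or 'x') on `path`."""
    mode, owner, group = FS[path]
    # Exactly one triad applies: owner, else group, else other.
    if user == owner:
        triad = mode[1:4]
    elif group in groups:
        triad = mode[4:7]
    else:
        triad = mode[7:10]
    return want in triad

def ancestors(path):
    """Every directory from / down to the parent of `path`."""
    out, cur = [], posixpath.dirname(path)
    while True:
        out.append(cur)
        if cur == "/":
            return out[::-1]
        cur = posixpath.dirname(cur)

def folder_only_check(path, user, groups):
    """Behaviour as described in the report: only the containing folder is checked."""
    parent = posixpath.dirname(path)
    return allowed(parent, user, groups, "r") and allowed(parent, user, groups, "x")

def file_level_check(path, user, groups):
    """Traverse (x) on every ancestor, then read (r) on the file itself."""
    return (all(allowed(d, user, groups, "x") for d in ancestors(path))
            and allowed(path, user, groups, "r"))
```

For the assumed user `qa1`, `folder_only_check` passes while `file_level_check` fails, which matches the report: the view is created, and the later read is denied.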