drill-issues mailing list archives

From "Rahul Challapalli (JIRA)" <j...@apache.org>
Subject [jira] [Created] (DRILL-3825) Metadata Caching + Impersonation : A count(*) query can bypass security checks
Date Wed, 23 Sep 2015 01:30:05 GMT
Rahul Challapalli created DRILL-3825:
----------------------------------------

             Summary: Metadata Caching + Impersonation : A count(*) query can bypass security checks
                 Key: DRILL-3825
                 URL: https://issues.apache.org/jira/browse/DRILL-3825
             Project: Apache Drill
          Issue Type: Bug
          Components: Metadata
            Reporter: Rahul Challapalli
            Assignee: Aman Sinha
            Priority: Critical


git.commit.id.abbrev=3c89b30

The below testing has been done with impersonation enabled.

User A has 755 permissions on the 'lineitem' folder and does not have read access to the subfolder 'lineitem/2006'. The below query rightly fails:
{code}
select count(*) from dfs.`/drill/testdata/metadata_caching/lineitem`;
Error: PERMISSION ERROR: Not authorized to read table [/drill/testdata/metadata_caching/lineitem]
in schema [dfs.default]


[Error Id: c3238ee0-4338-46bf-ba7c-875d995d62d0 on qa-node190.qa.lab:31010] (state=,code=0)
{code}

Now some other user who has access to 'lineitem' and its sub-folders ran the 'refresh table metadata' command.
Now user A executes the same query as above and gets the result back, skipping the security checks:
{code}
select count(*) from  dfs.`/drill/testdata/metadata_caching/lineitem`;
+---------+
| EXPR$0  |
+---------+
| 60175   |
+---------+
{code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
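
The failure mode reported above, as an added Python model that is not part of the original message and is not Apache Drill code: a count answered from a metadata summary must re-authorize the impersonated caller against every directory the summary covers. The tree, user names, row counts and function names are constructed for illustration, and the single top-folder check in `cached_count_unchecked` is an assumption that reproduces the reported outcome.

```python
import stat

# Constructed directory tree: path -> (owner, mode, rows in that directory's files).
# Row counts are made up; only the folder names and the 755 mode come from the report.
TREE = {
    "lineitem":      ("userB", 0o755, 0),
    "lineitem/2005": ("userB", 0o755, 120),
    "lineitem/2006": ("userB", 0o700, 80),   # user A cannot read this one
}

def can_read(user, path):
    """Owner/other POSIX check (groups omitted): listing a directory needs r and x."""
    owner, mode, _ = TREE[path]
    need = (stat.S_IRUSR | stat.S_IXUSR) if user == owner else (stat.S_IROTH | stat.S_IXOTH)
    return mode & need == need

def scan_count(user, root):
    """No cache: walk the tree as the impersonated user, failing on the first denial."""
    total = 0
    for path, (_, _, rows) in TREE.items():
        if path == root or path.startswith(root + "/"):
            if not can_read(user, path):
                raise PermissionError(f"Not authorized to read table [{root}]")
            total += rows
    return total

def refresh_metadata(user, root):
    """Models 'refresh table metadata': a summary written by a user with full access."""
    dirs = [p for p in TREE if p == root or p.startswith(root + "/")]
    return {"root": root, "dirs": dirs, "row_count": scan_count(user, root)}

def cached_count_unchecked(user, cache):
    """Assumed weak path: only the top folder is checked before the cache answers."""
    if not can_read(user, cache["root"]):
        raise PermissionError(f"Not authorized to read table [{cache['root']}]")
    return cache["row_count"]

def cached_count_checked(user, cache):
    """Re-authorize the caller against every directory the cache summarizes."""
    denied = [d for d in cache["dirs"] if not can_read(user, d)]
    if denied:
        raise PermissionError(f"Not authorized to read table [{cache['root']}]")
    return cache["row_count"]
```

In this model the summary built by `userB` lets `userA` obtain a count through `cached_count_unchecked` that `scan_count` refuses, while `cached_count_checked` raises the same error with or without the cache.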
