[ https://issues.apache.org/jira/browse/DRILL-3825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Zelaine Fong updated DRILL-3825:
--------------------------------
    Assignee: Parth Chandra

> Metadata Caching + Impersonation : A count(*) query can bypass security checks
> ------------------------------------------------------------------------------
>
>                 Key: DRILL-3825
>                 URL: https://issues.apache.org/jira/browse/DRILL-3825
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Metadata
>            Reporter: Rahul Challapalli
>            Assignee: Parth Chandra
>            Priority: Critical
>             Fix For: 1.3.0
>
>
> git.commit.id.abbrev=3c89b30
> The below testing has been done with impersonation enabled.
> User A has 755 permissions on the 'lineitem' folder and does not have read access to the subfolder 'lineitem/2006'. The below query rightly fails:
> {code}
> select count(*) from dfs.`/drill/testdata/metadata_caching/lineitem`;
> Error: PERMISSION ERROR: Not authorized to read table [/drill/testdata/metadata_caching/lineitem] in schema [dfs.default]
> [Error Id: c3238ee0-4338-46bf-ba7c-875d995d62d0 on qa-node190.qa.lab:31010] (state=,code=0)
> {code}
> Now some other user who has access to 'lineitem' and its sub-folders ran the 'refresh table metadata' command.
> Now user A executes the same query as above and gets the result back, skipping the security checks:
> {code}
> select count(*) from dfs.`/drill/testdata/metadata_caching/lineitem`;
> +---------+
> | EXPR$0  |
> +---------+
> | 60175   |
> +---------+
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
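The scenario in the report, as an added example that is not part of the original message and is not Apache Drill code: a simplified model in which a metadata cache written by one user answers count(*) for another, next to a variant that re-authorizes the querying user on every cached path. The function names, the ACL table, the 'lineitem/2007' folder, the row counts and the mechanism itself (a cache hit served after checking only the top-level folder) are assumptions made for illustration.

```python
# Simplified model of the reported behaviour; not Apache Drill code.
# Folder names follow the report; ACLs, 'lineitem/2007' and row counts are constructed.
READERS = {
    "lineitem": {"userA", "userB"},
    "lineitem/2006": {"userB"},            # user A cannot read this subfolder
    "lineitem/2007": {"userA", "userB"},
}
ROWS = {"lineitem/2006": 100, "lineitem/2007": 250}
metadata_cache = {}   # table -> {subfolder: row count}, shared across users


def subfolders(table):
    return [p for p in ROWS if p.startswith(table + "/")]


def authorize(user, paths):
    for path in paths:
        if user not in READERS.get(path, set()):
            raise PermissionError(f"Not authorized to read [{path}] as {user}")


def refresh_table_metadata(user, table):
    """Stand-in for 'refresh table metadata': the caller must read every subfolder."""
    authorize(user, [table, *subfolders(table)])
    metadata_cache[table] = {p: ROWS[p] for p in subfolders(table)}


def scan_count(user, table):
    """Uncached path: every subfolder is opened as the querying user."""
    authorize(user, [table, *subfolders(table)])
    return sum(ROWS[p] for p in subfolders(table))


def count_star_unchecked(user, table):
    """Assumed flaw: a cache hit is served after checking only the top-level folder."""
    authorize(user, [table])
    if table in metadata_cache:
        return sum(metadata_cache[table].values())
    return scan_count(user, table)


def count_star_checked(user, table):
    """Hardened: authorize the querying user on every cached path before using the cache."""
    authorize(user, [table])
    if table in metadata_cache:
        authorize(user, list(metadata_cache[table]))
        return sum(metadata_cache[table].values())
    return scan_count(user, table)
```

A regression test for this class of bug runs the query as the restricted user both before and after another user populates the cache and expects the same permission error both times.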