[
https://issues.apache.org/jira/browse/DRILL-3825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Zelaine Fong updated DRILL-3825:
--------------------------------
Assignee: Parth Chandra
> Metadata Caching + Impersonation : A count(*) query can bypass security checks
> ------------------------------------------------------------------------------
>
> Key: DRILL-3825
> URL: https://issues.apache.org/jira/browse/DRILL-3825
> Project: Apache Drill
> Issue Type: Bug
> Components: Metadata
> Reporter: Rahul Challapalli
> Assignee: Parth Chandra
> Priority: Critical
> Fix For: 1.3.0
>
>
> git.commit.id.abbrev=3c89b30
> The below testing has been done with impersonation enabled
> User A has 755 permissions on the 'lineitem' folder and does not have read
> access to the subfolder 'lineitem/2006'. The below query rightly fails
> {code}
> select count(*) from dfs.`/drill/testdata/metadata_caching/lineitem`;
> Error: PERMISSION ERROR: Not authorized to read table
> [/drill/testdata/metadata_caching/lineitem] in schema [dfs.default]
> [Error Id: c3238ee0-4338-46bf-ba7c-875d995d62d0 on qa-node190.qa.lab:31010]
> (state=,code=0)
> {code}
> Now some other user who has access to 'lineitem' and its sub-folders ran the
> 'refresh table metadata" command.
> Now user A executes the above same query and gets the result back skipping
> the security checks
> {code}
> select count(*) from dfs.`/drill/testdata/metadata_caching/lineitem`;
> +---------+
> | EXPR$0 |
> +---------+
> | 60175 |
> +---------+
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
