[jira] [Commented] (DRILL-7250) Query with CTE fails when its name matches to the table name without access

[ASF GitHub Bot (JIRA)]

    [ 
https://issues.apache.org/jira/browse/DRILL-7250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16843851#comment-16843851
 ] 

ASF GitHub Bot commented on DRILL-7250:
---------------------------------------

arina-ielchiieva commented on pull request #1792: DRILL-7250: Query with CTE 
fails when its name matches to the table name without access
URL: https://github.com/apache/drill/pull/1792#discussion_r285529572
 
 

 ##########
 File path: 
exec/java-exec/src/main/java/org/apache/calcite/jdbc/DynamicRootSchema.java
 ##########
 @@ -61,6 +61,8 @@ public StoragePluginRegistry getSchemaFactories() {
   @Override
   protected CalciteSchema getImplicitSubSchema(String schemaName,
                                                boolean caseSensitive) {
+    // Drill registers schemas in lower case, see AbstractSchema constructor
+    schemaName = schemaName != null ? schemaName.toLowerCase() : null;
 
 Review comment:
   Not critical, but maybe it's better to invert: `schemaName == null ? ...`
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Query with CTE fails when its name matches to the table name without access
> ---------------------------------------------------------------------------
>
>                 Key: DRILL-7250
>                 URL: https://issues.apache.org/jira/browse/DRILL-7250
>             Project: Apache Drill
>          Issue Type: Bug
>    Affects Versions: 1.16.0
>            Reporter: Volodymyr Vysotskyi
>            Assignee: Volodymyr Vysotskyi
>            Priority: Major
>             Fix For: 1.17.0
>
>
> When impersonation is enabled, and for example, we have {{lineitem}} table 
> with permissions {{750}} which is owned by {{user0_1:group0_1}} and 
> {{user2_1}} don't have access to it.
> The following query:
> {code:sql}
> use mini_dfs_plugin.user0_1;
> with lineitem as (SELECT 1 as a) select * from lineitem
> {code}
> submitted from {{user2_1}} fails with the following error:
> {noformat}
> java.lang.Exception: org.apache.hadoop.security.AccessControlException: 
> Permission denied: user=user2_1, access=READ_EXECUTE, 
> inode="/user/user0_1/lineitem":user0_1:group0_1:drwxr-x---
>       at 
> org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:317)
>       at 
> org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:229)
>       at 
> org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:199)
>       at 
> org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPermission(FSDirectory.java:1752)
>       at 
> org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPermission(FSDirectory.java:1736)
>       at 
> org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPathAccess(FSDirectory.java:1710)
>       at 
> org.apache.hadoop.hdfs.server.namenode.FSDirStatAndListingOp.getListingInt(FSDirStatAndListingOp.java:70)
>       at 
> org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getListing(FSNamesystem.java:4432)
>       at 
> org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.getListing(NameNodeRpcServer.java:999)
>       at 
> org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.getListing(ClientNamenodeProtocolServerSideTranslatorPB.java:646)
>       at 
> org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java)
>       at 
> org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:616)
>       at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:982)
>       at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2217)
>       at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2213)
>       at java.security.AccessController.doPrivileged(Native Method)
>       at javax.security.auth.Subject.doAs(Subject.java:422)
>       at 
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1746)
>       at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2213)
>       at .......(:0) ~[na:na]
>       at 
> org.apache.drill.exec.util.FileSystemUtil.listRecursive(FileSystemUtil.java:253)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.util.FileSystemUtil.list(FileSystemUtil.java:208) 
> ~[classes/:na]
>       at 
> org.apache.drill.exec.util.FileSystemUtil.listFiles(FileSystemUtil.java:104) 
> ~[classes/:na]
>       at 
> org.apache.drill.exec.util.DrillFileSystemUtil.listFiles(DrillFileSystemUtil.java:86)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.store.dfs.FileSelection.minusDirectories(FileSelection.java:178)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.store.dfs.WorkspaceSchemaFactory$WorkspaceSchema.detectEmptySelection(WorkspaceSchemaFactory.java:669)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.store.dfs.WorkspaceSchemaFactory$WorkspaceSchema.create(WorkspaceSchemaFactory.java:633)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.store.dfs.WorkspaceSchemaFactory$WorkspaceSchema.create(WorkspaceSchemaFactory.java:283)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.planner.sql.ExpandingConcurrentMap.getNewEntry(ExpandingConcurrentMap.java:96)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.planner.sql.ExpandingConcurrentMap.get(ExpandingConcurrentMap.java:90)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.store.dfs.WorkspaceSchemaFactory$WorkspaceSchema.getTable(WorkspaceSchemaFactory.java:439)
>  ~[classes/:na]
>       at 
> org.apache.calcite.jdbc.SimpleCalciteSchema.getImplicitTable(SimpleCalciteSchema.java:83)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.jdbc.CalciteSchema.getTable(CalciteSchema.java:286) 
> ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.sql.validate.SqlValidatorUtil.getTableEntryFrom(SqlValidatorUtil.java:1046)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.sql.validate.SqlValidatorUtil.getTableEntry(SqlValidatorUtil.java:1003)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.prepare.CalciteCatalogReader.getTable(CalciteCatalogReader.java:120)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.drill.exec.planner.sql.SqlConverter$DrillCalciteCatalogReader.getTable(SqlConverter.java:741)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.planner.sql.SqlConverter$DrillValidator.validateFrom(SqlConverter.java:283)
>  ~[classes/:na]
>       at 
> org.apache.calcite.sql.validate.SqlValidatorImpl.validateSelect(SqlValidatorImpl.java:3302)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.sql.validate.SelectNamespace.validateImpl(SelectNamespace.java:60)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.sql.validate.AbstractNamespace.validate(AbstractNamespace.java:84)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.sql.validate.SqlValidatorImpl.validateNamespace(SqlValidatorImpl.java:977)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.sql.validate.SqlValidatorImpl.validateQuery(SqlValidatorImpl.java:953)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.sql.validate.WithNamespace.validateImpl(WithNamespace.java:57)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.sql.validate.AbstractNamespace.validate(AbstractNamespace.java:84)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.sql.validate.SqlValidatorImpl.validateNamespace(SqlValidatorImpl.java:977)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.sql.validate.SqlValidatorImpl.validateWith(SqlValidatorImpl.java:3750)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at org.apache.calcite.sql.SqlWith.validate(SqlWith.java:71) 
> ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.sql.validate.SqlValidatorImpl.validateScopedExpression(SqlValidatorImpl.java:928)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.calcite.sql.validate.SqlValidatorImpl.validate(SqlValidatorImpl.java:632)
>  ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
>       at 
> org.apache.drill.exec.planner.sql.SqlConverter.validate(SqlConverter.java:212)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.planner.sql.handlers.DefaultSqlHandler.validateNode(DefaultSqlHandler.java:663)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.planner.sql.handlers.DefaultSqlHandler.validateAndConvert(DefaultSqlHandler.java:200)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.planner.sql.handlers.DefaultSqlHandler.getPlan(DefaultSqlHandler.java:173)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.planner.sql.DrillSqlWorker.getQueryPlan(DrillSqlWorker.java:226)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.planner.sql.DrillSqlWorker.convertPlan(DrillSqlWorker.java:133)
>  ~[classes/:na]
>       at 
> org.apache.drill.exec.planner.sql.DrillSqlWorker.getPlan(DrillSqlWorker.java:90)
>  ~[classes/:na]
>       at org.apache.drill.exec.work.foreman.Foreman.runSQL(Foreman.java:593) 
> ~[classes/:na]
>       at org.apache.drill.exec.work.foreman.Foreman.run(Foreman.java:276) 
> ~[classes/:na]
>       at .......(:0) ~[na:na]
> {noformat}
> It should pass since table {{lineitem}} is not used in the query, but Drill 
> is trying to access this table.
> Partially this problem is caused by CALCITE-3061 and the way how Drill 
> determines whether the schema is valid.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)