Env:
Drill 1.0
Theory:
Chained impersonation controls the number of identity transitions that Drill can make when a user queries a view. Each identity transition (from the querying user to the owner of the view, and from there to the owner of each nested view) counts as one hop. The default maximum number of hops is 3.
Note: See Drill Workshop -- Impersonation first.
Goal:
Understand "hops" and how Drill behaves when a query would need more than the allowed number of hops.
Workshop:
1. How to change the maximum number of hops.
Edit drill-override.conf on all Drillbit nodes to set drill.exec.impersonation.max_chained_user_hops, then restart all Drillbits. For example:
$ cat drill-override.conf
drill.exec: {
  cluster-id: "MyCluster-drillbits",
  zk.connect: "h2.poc.com:5181,h3.poc.com:5181,h4.poc.com:5181",
  sys.store.provider.zk.blobroot: "maprfs:///mydrill/",
  impersonation.enabled: true,
  impersonation.max_chained_user_hops: 3
}
After restarting all Drillbits, run the query below to verify the impersonation settings:
> select * from sys.boot where name like '%impersonation%';
+-------------------------------------------------+----------+-------+---------+----------+-------------+-----------+------------+
| name                                            | kind     | type  | status  | num_val  | string_val  | bool_val  | float_val  |
+-------------------------------------------------+----------+-------+---------+----------+-------------+-----------+------------+
| drill.exec.impersonation.enabled                | BOOLEAN  | BOOT  | BOOT    | null     | null        | true      | null       |
| drill.exec.impersonation.max_chained_user_hops  | LONG     | BOOT  | BOOT    | 3        | null        | null      | null       |
+-------------------------------------------------+----------+-------+---------+----------+-------------+-----------+------------+
2 rows selected (2.665 seconds)
2. How to create a view with expected permission.
A "view" is actually a file with the extension ".view.drill" that holds the view's metadata, including the underlying query. If "testuser" creates a view "v1":
create view v1 as select * from `rootdir/root.csv`;
Drill creates a file named "v1.view.drill" in that workspace.
The owner of that file is "testuser", and its permission is "700" by default (controlled by the new_view_default_permissions option).
That means only the view owner or the superuser can read the view definition or change it; no other user can even see the underlying query.
# ls -altr v1.view.drill
-rwx------ 1 testuser testuser 198 May 20 00:26 v1.view.drill
# cat v1.view.drill
{
"name" : "v1",
"sql" : "SELECT *\nFROM `rootdir/root.csv`",
"fields" : [ {
"name" : "*",
"type" : "ANY",
"isNullable" : true
} ],
"workspaceSchemaPath" : [ "dfs", "drill" ]
}
If a different permission is needed, change new_view_default_permissions at session or system level before creating the view. For example:
ALTER SESSION SET `new_view_default_permissions` = '744';
create view v2 as select * from `rootdir/root.csv`;
Keep in mind that '744' makes the view definition readable by every user on the cluster, and with impersonation enabled anyone who can read the view can run its query under the owner's identity, so grant no wider read access than the consumers of the view actually need.
# ls -altr v2.view.drill
-rwxr--r-- 1 testuser testuser 198 May 20 00:45 v2.view.drill
3. Test N-hops chained views.
First create four OS users on all nodes: usera, userb, userc and userd. Then create a chain of views, each one by a different user:
UserA:
ALTER SESSION SET `new_view_default_permissions` = '744';
create view view_a as select * from `chain/usera/`;
UserB:
ALTER SESSION SET `new_view_default_permissions` = '744';
create view view_2hops as select * from view_a;
UserC:
ALTER SESSION SET `new_view_default_permissions` = '744';
create view view_3hops as select * from view_2hops;
UserD:
ALTER SESSION SET `new_view_default_permissions` = '744';
create view view_4hops as select * from view_3hops;
Then log on as "testuser". Querying view_4hops requires four identity transitions (testuser -> userd -> userc -> userb -> usera), which exceeds the limit of 3 and fails; view_3hops needs only three and succeeds:
> select * from view_4hops;
Error: PERMISSION ERROR: Cannot issue token for view expansion as issuing the token exceeds the maximum allowed number of user hops (3) in chained impersonation.
[Error Id: dda5ce7b-25a8-429f-a0e4-d8bfd0b5fa20 on h1.poc.com:31010] (state=,code=0)
> select * from view_3hops;
+----------------+
| columns        |
+----------------+
| ["a","a","a"]  |
+----------------+
1 row selected (0.201 seconds)
Setting drill.exec.impersonation.max_chained_user_hops to 0 turns chained impersonation off entirely: a user can then only read data that they have direct permission to access, which is the right choice for highly sensitive data.
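To make the view-file permission check from step 2 and the hop accounting from step 3 concrete, here is a small Python model of chained view expansion. It is an added illustration written for this page, not Drill's own code. The view definitions are constructed to mirror the workshop (four '744' views owned by usera..userd and the '700' view v1 owned by testuser), and two assumptions that the page does not state are spelled out in the comments: every user's primary group is taken to equal their username, and one hop is consumed per distinct view owner other than the querying user (a view owned by the querying user, or by an owner already in the chain, costs no extra hop).

```python
"""Toy model of Drill chained view impersonation (added illustration, not Drill's code)."""
import stat
from dataclasses import dataclass


class DrillPermissionError(Exception):
    """Stands in for the 'PERMISSION ERROR' that sqlline shows."""


@dataclass(frozen=True)
class ViewFile:
    """What a <name>.view.drill file contributes to the model.

    owner  - OS user that created the view (the file owner)
    mode   - POSIX permission bits of the file, e.g. 0o744
    source - the single table or view that the view's SQL selects from
    """
    owner: str
    mode: int
    source: str


def can_read(user: str, view: ViewFile) -> bool:
    """POSIX-style read check on the view file.

    Assumption: every user's primary group equals the username (as in the
    'testuser testuser' ownership shown by ls), so the group bits never grant
    anything to a different user and only the owner/other bits matter.
    """
    if user == "root":                       # superuser bypasses the mode bits
        return True
    if user == view.owner:
        return bool(view.mode & stat.S_IRUSR)
    return bool(view.mode & stat.S_IROTH)


def expand(query_user: str, table: str, views: dict, max_hops: int = 3) -> list:
    """Resolve `table` the way chained impersonation would, starting as `query_user`.

    Returns the identity chain, query user first. Raises DrillPermissionError when
    the identity that has to open a view file cannot read it, or when a new owner
    would push the chain past `max_hops`.

    Assumption: one hop per *distinct* view owner other than the query user; a view
    owned by the query user, or by an owner already in the chain, costs nothing.
    """
    chain = [query_user]
    current = query_user
    hop_owners = set()
    while table in views:
        view = views[table]
        # The identity currently executing is the one that opens the next view file.
        if not can_read(current, view):
            raise DrillPermissionError(
                f"{current} cannot read {table}.view.drill "
                f"(owner {view.owner}, mode {view.mode:o})")
        if view.owner != query_user and view.owner not in hop_owners:
            if len(hop_owners) >= max_hops:
                raise DrillPermissionError(
                    "Cannot issue token for view expansion as issuing the token "
                    f"exceeds the maximum allowed number of user hops ({max_hops}) "
                    "in chained impersonation.")
            hop_owners.add(view.owner)
        current = view.owner                # expansion now runs as the view owner
        chain.append(current)
        table = view.source                 # follow the view's FROM clause
    return chain


def hops(chain: list) -> int:
    """Hops a resolved chain consumed: distinct identities other than the query user."""
    return len(set(chain[1:]) - {chain[0]})


def query_outcome(query_user: str, table: str, views: dict, max_hops: int = 3) -> str:
    """Summarize a query the way the sqlline session above would, without raising."""
    try:
        chain = expand(query_user, table, views, max_hops)
    except DrillPermissionError as err:
        return f"PERMISSION ERROR: {err}"
    return f"OK: {' -> '.join(chain)} ({hops(chain)} hops)"


# Constructed to mirror the workshop: four 744 views by usera..userd, one 700 view by testuser.
VIEWS = {
    "view_a":     ViewFile("usera", 0o744, "chain/usera/"),
    "view_2hops": ViewFile("userb", 0o744, "view_a"),
    "view_3hops": ViewFile("userc", 0o744, "view_2hops"),
    "view_4hops": ViewFile("userd", 0o744, "view_3hops"),
    "v1":         ViewFile("testuser", 0o700, "rootdir/root.csv"),
}


if __name__ == "__main__":
    for user, target, limit in [("testuser", "view_3hops", 3), ("testuser", "view_4hops", 3),
                                ("testuser", "view_4hops", 4), ("testuser", "view_a", 0),
                                ("testuser", "v1", 0), ("userb", "v1", 3)]:
        print(f"{user} max_hops={limit} {target}: {query_outcome(user, target, VIEWS, limit)}")
```

Running the block reproduces the outcomes above: view_3hops resolves as testuser -> userc -> userb -> usera (3 hops), view_4hops fails with the same message at max_hops=3 and succeeds at max_hops=4, and with max_hops=0 testuser can still query its own v1 but nothing owned by another user. The 700 view v1 is unreadable to userb before any hop accounting applies at all, which is what new_view_default_permissions actually protects.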