Tuesday, May 19, 2015

Drill Workshop -- Chaining View

Env:

Drill 1.0

Theory: 

Chained impersonation controls the number of identity transitions that Drill can make when a user queries a view. Each identity transition is equal to one hop.
The default maximum number of hops is set at 3. 
Note: See Drill Workshop -- Impersonation firstly.

Goal:

Understand "Hops" and the behavior if more than the allowed hops are exceeded.

Workshop:

1. How to change the maximum number of hops.

Edit drill-override.conf on all Drillbits nodes to set drill.exec.impersonation.max_chained_user_hops, and restart all drillbits.
For example:
$ cat drill-override.conf
drill.exec: {
  cluster-id: "MyCluster-drillbits",
  zk.connect: "h2.poc.com:5181,h3.poc.com:5181,h4.poc.com:5181",
  sys.store.provider.zk.blobroot: "maprfs:///mydrill/",
  impersonation.enabled: true,
  impersonation.max_chained_user_hops: 3
}
After restarting all drillbits, run below query to verify the settings for impersonation:
>  select * from sys.boot where name like '%impersonation%';
+-------------------------------------------------+----------+-------+---------+----------+-------------+-----------+------------+
|                      name                       |   kind   | type  | status  | num_val  | string_val  | bool_val  | float_val  |
+-------------------------------------------------+----------+-------+---------+----------+-------------+-----------+------------+
| drill.exec.impersonation.enabled                | BOOLEAN  | BOOT  | BOOT    | null     | null        | true      | null       |
| drill.exec.impersonation.max_chained_user_hops  | LONG     | BOOT  | BOOT    | 3        | null        | null      | null       |
+-------------------------------------------------+----------+-------+---------+----------+-------------+-----------+------------+
2 rows selected (2.665 seconds)

2. How to create a view with expected permission.

"View" is actually a file with extension ".view.drill", and it contains the metadata including the underline query.
If "testuser" creates a view "v1":
create view v1 as select * from `rootdir/root.csv`;
Actually in that workspace, Drill creates a file named "v1.view.drill".
The owner of that view is "testuser" and the permission by default is "700"(controlled by new_view_default_permissions).
It means only the view owner or superuser can view and change properties of that view.
# ls -altr v1.view.drill
-rwx------ 1 testuser testuser 198 May 20 00:26 v1.view.drill

# cat v1.view.drill
{
  "name" : "v1",
  "sql" : "SELECT *\nFROM `rootdir/root.csv`",
  "fields" : [ {
    "name" : "*",
    "type" : "ANY",
    "isNullable" : true
  } ],
  "workspaceSchemaPath" : [ "dfs", "drill" ]
If different permission of view is needed, we can change new_view_default_permissions at session/system level. For example:
ALTER SESSION SET `new_view_default_permissions` = '744';
create view v2 as select * from `rootdir/root.csv`;
# ls -altr v2.view.drill
-rwxr--r-- 1 testuser testuser 198 May 20 00:45 v2.view.drill

3. Test N-hops chained views.

Firstly create 4 OS users on all nodes -- usera,userb,userc and userd.
Then create individual views using different users:
UserA:
ALTER SESSION SET `new_view_default_permissions` = '744';
create view view_a as select * from `chain/usera/`;
UserB:
ALTER SESSION SET `new_view_default_permissions` = '744';
create view view_2hops as select * from view_a;
UserC
ALTER SESSION SET `new_view_default_permissions` = '744';
create view view_3hops as select * from view_2hops;
UserD
ALTER SESSION SET `new_view_default_permissions` = '744';
create view view_4hops as select * from view_3hops;
Then logon as "testuser" who fails to query the view with 4 hops.
> select * from view_4hops;
Error: PERMISSION ERROR: Cannot issue token for view expansion as issuing the token exceeds the maximum allowed number of user hops (3) in chained impersonation.

[Error Id: dda5ce7b-25a8-429f-a0e4-d8bfd0b5fa20 on h1.poc.com:31010] (state=,code=0)

> select * from view_3hops;
+----------------+
|    columns     |
+----------------+
| ["a","a","a"]  |
+----------------+
1 row selected (0.201 seconds)

You can set chain length to 0 to protect highly sensitive data.

Reference:

Configuring User Impersonation


No comments:

Post a Comment

Popular Posts