Using ACEs on Views to Limit Data Access
Describes how to use access control expressions to limit data access for Views.
Apache Drill is a distributed SQL query layer that runs on the data platform. You can enable user impersonation and create views in Drill to control user access to data stored in the data platform at the row and column levels. Access to data is based on file permissions set on the data (source files) and on the view definition files.
In addition to standard POSIX permissions, the distributed filesystem supports access control expressions (ACEs) to secure data. ACEs are a flexible access control mechanism that applies to files, tables, and streams. Setting an ACE on a file modifies the file's permissions to honor the ACE setting. Drill honors ACEs set on Drill view files and on the source files that the views access.
Each Drill view created has an associated view definition file, with a .view.drill extension, on which you can set ACEs to secure the view.
Example
The employees table in Frank's home directory is owned by Frank and readable by the HR group:
-rwxr----- frank:hr /user/frank/employees
Joe creates a view named emp_mgr_view in his home directory to share a subset of the employees data with managers that belong to the MGR group:
-rwxr----- joe:mgr /user/joe/emp_mgr_view.drill.view
Managers in the MGR group have read permission on the emp_mgr_view.drill.view file, so they can query the emp_mgr_view that Joe created and they can create new views from his view.
Setting an ACE on the underlying data source (the employees table) or on the view file (emp_mgr_view.drill.view) that accesses the underlying data source resets the POSIX mode bits to match the permissions granted through the ACE settings.
For example, the following command sets an ACE on the employees table that grants read access only to members of the EXEC group:
hadoop mfs -setace -R -readfile 'g:exec' employees
Anyone in the HR group who previously had access to the table can no longer access the table data unless they also belong to the EXEC group.
Running the -getace command on the table lists the ACE settings on the table:
hadoop mfs -getace /user/frank/employees
Path: /user/frank/employees
readfile: g:exec
writefile:
executefile:
readdir:
addchild:
deletechild:
lookupdir:
inherit: true
mode: ---------
Likewise, setting the following ACE on the emp_mgr_view.drill.view file makes the file readable only by members of the HR group. Users that belong to the MGR group can no longer access the data through the view unless they also belong to the HR group:
hadoop mfs -setace -R -readfile 'g:hr' emp_mgr_view.drill.view
Running the -getace command on the view file shows the ACE settings on the file:
hadoop mfs -getace /user/joe/emp_mgr_view.drill.view
Path: /user/joe/emp_mgr_view.drill.view
readfile: g:hr
writefile:
executefile:
readdir:
addchild:
deletechild:
lookupdir:
inherit: true
mode: ---------
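As an added illustration, not part of the original page, the following Python script reads the readfile ACE out of -getace output like that shown above and evaluates whether a given user can query the view, applying the rule this page states: Drill checks the ACE on the view file and on the source files the view reads, so both must grant access. It assumes the ACE expression syntax of u:, g: and r: principals, p for public, combined with &, |, ! and parentheses; the users and group memberships are constructed.

```python
import re
# Constructed sample -getace output in the format shown on the page (trimmed).
TABLE_ACE = "Path: /user/frank/employees\nreadfile: g:exec\nmode: ---------\n"
VIEW_ACE = "Path: /user/joe/emp_mgr_view.drill.view\nreadfile: g:hr\nmode: ---------\n"
def readfile_expr(getace_output):
    """Return the readfile ACE from -getace output ('' when none is set)."""
    for line in getace_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "readfile":
            return value.strip()
    return ""

def ace_allows(expr, user, groups, roles=()):
    """Assumed ACE syntax: u:/g:/r: principals, p (public), ! over & over |, parentheses."""
    tokens = [a or b for a, b in re.findall(r"\s*(?:([ugr]:[\w.-]+|p)|([()&|!]))", expr)]
    if "".join(tokens) != re.sub(r"\s", "", expr):
        raise ValueError("unparsable ACE: %r" % expr)  # fail closed on unknown syntax
    members = {"u": (user,), "g": groups, "r": roles}
    pos = [0]  # cursor into tokens, shared by the nested recursive-descent parsers
    def take():
        pos[0] += 1
        return tokens[pos[0] - 1] if pos[0] <= len(tokens) else None
    def atom():
        t = take()
        if t == "(":
            v = or_expr()
            if take() != ")": raise ValueError("unbalanced parentheses: %r" % expr)
            return v
        if t == "!": return not atom()
        if t == "p": return True
        kind, _, name = (t or "").partition(":")
        if kind not in members: raise ValueError("unexpected token %r in %r" % (t, expr))
        return name in members[kind]
    def and_expr():  # the left operand is always evaluated, so parsing always advances
        v = atom()
        while tokens[pos[0]:pos[0] + 1] == ["&"]:
            take(); v = atom() and v
        return v
    def or_expr():
        v = and_expr()
        while tokens[pos[0]:pos[0] + 1] == ["|"]:
            take(); v = and_expr() or v
        return v
    result = bool(tokens) and or_expr()  # an empty (unset) ACE grants nothing
    if pos[0] != len(tokens): raise ValueError("trailing tokens in %r" % expr)
    return result

def can_query_view(user, groups, view_ace=VIEW_ACE, table_ace=TABLE_ACE):
    # Drill checks both the view file and the source files it reads: both must allow.
    return all(ace_allows(readfile_expr(a), user, groups) for a in (view_ace, table_ace))
```

With the page's two ACEs in place, a user who is only in MGR is denied, as is a user who is only in HR; only a user in both HR and EXEC can read the data through the view.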
You may also want to view another File ACE Example.