drill-dev mailing list archives

From Jacques Nadeau <jacq...@dremio.com>
Subject Re: [DISCUSS] New Feature: Drill Client Impersonation
Date Mon, 22 Feb 2016 01:07:53 GMT
Sudheesh, thanks for putting this together. Reviewing Oracle documentation,
they expose this at the API level rather than through a random query. I
think we should probably model after that rather than invent a new
mechanism. This also means we can avoid things like query parsing,
execution roundtrip, query profiles, etc. to provide this functionality.

See here:

https://docs.oracle.com/cd/B28359_01/java.111/b31224/proxya.htm#BABEJEIA

--
Jacques Nadeau
CTO and Co-Founder, Dremio

On Fri, Feb 19, 2016 at 2:18 PM, Keys Botzum <kbotzum@maprtech.com> wrote:

> This is a great feature to add to Drill and I'm excited to see design on
> it starting.
>
> The ability for an intermediate server that is likely already
> authenticating end users, to send end user identity down to Drill adds a
> key element into an end to end secure design by enabling Drill and the back
> end systems to see the real user and thus perform meaningful authorization.
>
> Back when I was building many JEE applications I know the DBAs were very
> frustrated that the application servers blinded them to the identity of the
> end user accessing important corporate data. When JEE application servers
> and databases finally added the ability to impersonate, that addressed a lot
> of security concerns. Of course this isn't a perfect solution and I'm sure
> others will recognize that in some scenarios impersonation isn't the best
> approach, but having that as an option in Drill is very valuable.
>
> Keys
> _______________________________
> Keys Botzum
> Senior Principal Technologist
> kbotzum@maprtech.com
> 443-718-0098
> MapR Technologies
> http://www.mapr.com
>
> > On Feb 19, 2016, at 4:49 PM, Sudheesh Katkam <skatkam@maprtech.com> wrote:
> >
> > Hey y’all,
> >
> > I plan to work on DRILL-4281
> > <https://issues.apache.org/jira/browse/DRILL-4281>: support for
> > inbound/client impersonation. Please review the design document
> > <https://docs.google.com/document/d/1g0KgugVdRbbIxxZrSCtO1PEHlvwczTLDb38k-npvwjA>,
> > which is open for comments. There is also a link to proof-of-concept
> > (slightly hacky).
> >
> > Thank you,
> > Sudheesh
>
>
