drill-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From yufeldman <...@git.apache.org>
Subject [GitHub] drill pull request: DRILL-4281: Support authorized users to delega...
Date Fri, 04 Mar 2016 07:55:22 GMT
Github user yufeldman commented on the pull request:

    https://github.com/apache/drill/pull/400#issuecomment-192171659
  
    Couple of general comments:
    1. Since you are using Hadoop UGI it probably makes sense to be more compliant with Hadoop
auth definitions. Which are: "superuser" can proxy for "user(s), group(s) and host(s)". May
be adding group that can proxy is OK, but it is not what is done in Hadoop world today.
    -------------------------
    hadoop.proxyuser.superuser.hosts		comma separated hosts from which superuser access are
allowed to impersonation. * means wildcard.
    hadoop.proxyuser.superuser.groups		comma separated groups to which users impersonated
by superuser belongs. * means wildcard.
    -------------------------
    2. I think what we call here delegate/delegator is a true impersonation, what we call
"chained impersonation" is kind of opposite of impersonation as it is increasing privileges
versus restricting them. 


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

Mime
View raw message