drill-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DRILL-4281) Drill should support inbound impersonation
Date Sat, 05 Mar 2016 00:30:40 GMT

    [ https://issues.apache.org/jira/browse/DRILL-4281?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15181352#comment-15181352
] 

ASF GitHub Bot commented on DRILL-4281:
---------------------------------------

Github user sudheeshkatkam commented on the pull request:

    https://github.com/apache/drill/pull/400#issuecomment-192535617
  
    I apologize that my terminology is confusing everyone.
    
    I've updated the [design document](https://docs.google.com/document/d/1g0KgugVdRbbIxxZrSCtO1PEHlvwczTLDb38k-npvwjA)
and the PR to include terms that (hopefully) users and developers can understand.
    
    (1) User delegation itself is not a suitable name for this feature, since this feature
is extending the current impersonation model. So when _user impersonation_ is enabled, this
_inbound_ or _client_ impersonation feature is also enabled.
    (2) I am going to use a variant of Jacques' suggestion for _inbound_ impersonation policies.
I think `proxy_principals` and `target_principals` are apt. For example, an admin would setup
policies by using:
    ```
    ALTER SYSTEM SET `exec.impersonation.inbound_policies` = '[
      { proxy_principals  : { users : [ "user0_1"] },
        target_principals : { users : ["*"] } },
      { proxy_principals  : { groups : ["group5_1"] },
        target_principals : { groups : ["group4_2"] } }
    ]';
    ```
    
    Overall, when impersonation is enabled, both _inbound_ impersonation and _outbound_ impersonation
are  allowed.
    + _Inbound_ or _client_ impersonation: an authorized user can impersonate a target user,
and the session user is set accordingly.
    + _Outbound_ or _storage plugin_ impersonation: Drill itself impersonates as the session
user when interacting with storage plugins.


> Drill should support inbound impersonation
> ------------------------------------------
>
>                 Key: DRILL-4281
>                 URL: https://issues.apache.org/jira/browse/DRILL-4281
>             Project: Apache Drill
>          Issue Type: Improvement
>            Reporter: Keys Botzum
>            Assignee: Sudheesh Katkam
>              Labels: doc-impacting, security
>
> Today Drill supports impersonation *to* external sources. For example I can authenticate
to Drill as myself and then Drill will access HDFS using impersonation
> In many scenarios we also need impersonation to Drill. For example I might use some front
end tool (such as Tableau) and authenticate to it as myself. That tool (server version) then
needs to access Drill to perform queries and I want those queries to run as myself, not as
the Tableau user. While in theory the intermediate tool could store the userid & password
for every user to the Drill this isn't a scalable or very secure solution.
> Note that HS2 today does support inbound impersonation as described here:  https://issues.apache.org/jira/browse/HIVE-5155

> The above is not the best approach as it is tied to the connection object which is very
coarse grained and potentially expensive. It would be better if there was a call on the ODBC/JDBC
driver to switch the identity on a existing connection. Most modern SQL databases (Oracle,
DB2) support such function.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message