drill-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DRILL-4281) Drill should support inbound impersonation
Date Fri, 04 Mar 2016 01:11:40 GMT

    [ https://issues.apache.org/jira/browse/DRILL-4281?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15179082#comment-15179082
] 

ASF GitHub Bot commented on DRILL-4281:
---------------------------------------

Github user jacques-n commented on a diff in the pull request:

    https://github.com/apache/drill/pull/400#discussion_r54977126
  
    --- Diff: exec/java-exec/src/main/java/org/apache/drill/exec/util/UserDelegationUtil.java
---
    @@ -0,0 +1,147 @@
    +/**
    + * Licensed to the Apache Software Foundation (ASF) under one
    + * or more contributor license agreements.  See the NOTICE file
    + * distributed with this work for additional information
    + * regarding copyright ownership.  The ASF licenses this file
    + * to you under the Apache License, Version 2.0 (the
    + * "License"); you may not use this file except in compliance
    + * with the License.  You may obtain a copy of the License at
    + * <p/>
    + * http://www.apache.org/licenses/LICENSE-2.0
    + * <p/>
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +package org.apache.drill.exec.util;
    +
    +import com.fasterxml.jackson.core.JsonGenerator;
    +import com.fasterxml.jackson.core.JsonParser;
    +import com.fasterxml.jackson.core.type.TypeReference;
    +import com.fasterxml.jackson.databind.ObjectMapper;
    +import com.google.common.collect.Sets;
    +import org.apache.drill.common.exceptions.UserException;
    +import org.apache.drill.exec.server.options.OptionValue;
    +import org.apache.drill.exec.server.options.TypeValidators;
    +import org.apache.hadoop.security.UserGroupInformation;
    +
    +import java.io.IOException;
    +import java.util.List;
    +import java.util.Set;
    +
    +/**
    + * Utilities for user delegation purpose.
    + */
    +public class UserDelegationUtil {
    +  private static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(UserDelegationUtil.class);
    +
    +  private static final String STAR = "*";
    +
    +  private static final ObjectMapper delegationDefinitionsMapper = new ObjectMapper();
    +
    +  static {
    +    delegationDefinitionsMapper.configure(JsonGenerator.Feature.QUOTE_FIELD_NAMES, false);
    +    delegationDefinitionsMapper.configure(JsonParser.Feature.ALLOW_UNQUOTED_FIELD_NAMES,
true);
    +  }
    +
    +  private static class DelegationDefinition {
    +    public UserGroupDefinition delegates = new UserGroupDefinition();
    +    public UserGroupDefinition delegators = new UserGroupDefinition();
    +  }
    +
    +  private static class UserGroupDefinition {
    +    public Set<String> users = Sets.newHashSet();
    +    public Set<String> groups = Sets.newHashSet();
    +  }
    +
    +  /**
    +   * Deserialize delegation definitions string to a list of delegation definition objects.
    +   *
    +   * @param delegationDefinitions delegation definitions as a sting
    +   * @return delegation definitions as a list of objects
    +   * @throws IOException
    +   */
    +  public static List<DelegationDefinition> deserializeDelegationDefinitions(final
String delegationDefinitions)
    +      throws IOException {
    +    return delegationDefinitionsMapper.readValue(delegationDefinitions,
    +        new TypeReference<List<DelegationDefinition>>() {});
    +  }
    +
    +  /**
    +   * Validator for delegation definitions.
    +   */
    +  public static class DelegationDefinitionsValidator extends TypeValidators.AdminOptionValidator
{
    +
    +    public DelegationDefinitionsValidator(String name, String def) {
    +      super(name, def);
    +    }
    +
    +    @Override
    +    public void validate(OptionValue v) {
    +      super.validate(v);
    +
    +      final List<DelegationDefinition> definitions;
    +      try {
    +        definitions = deserializeDelegationDefinitions(v.string_val);
    +      } catch (final IOException e) {
    +        throw UserException.validationError()
    +            .message("Invalid delegation definition.\nDetails: %s", e.getMessage())
    +            .build(logger);
    +      }
    +
    +      for (final DelegationDefinition definition : definitions) {
    +        if (definition.delegates.users.contains(STAR) ||
    +            definition.delegates.groups.contains(STAR)) {
    +          throw UserException.validationError()
    +              .message("No wildcard delegates allowed.")
    +              .build(logger);
    +        }
    +      }
    +    }
    +  }
    +
    +  /**
    +   * Check if the given delegate is authorized to delegate for the delegator based on
the delegation definitions.
    +   *
    +   * @param delegateName          delegate name
    +   * @param delegatorName         delegator name
    +   * @param delegationDefinitions valid delegation definitions
    +   * @return true iff delegate is authorized to delegate for the delegator
    +   */
    +  public static boolean hasDelegationPrivileges(final String delegateName, final String
delegatorName,
    +                                                final String delegationDefinitions) throws
IOException {
    +    final List<DelegationDefinition> definitions;
    +    try {
    +      definitions = deserializeDelegationDefinitions(delegationDefinitions);
    --- End diff --
    
    I think we should avoid constant repetitive deserialization. We can simply check if the
string changed and if it did, reset the representation. Thoughts?


> Drill should support inbound impersonation
> ------------------------------------------
>
>                 Key: DRILL-4281
>                 URL: https://issues.apache.org/jira/browse/DRILL-4281
>             Project: Apache Drill
>          Issue Type: Improvement
>            Reporter: Keys Botzum
>            Assignee: Sudheesh Katkam
>              Labels: doc-impacting, security
>
> Today Drill supports impersonation *to* external sources. For example I can authenticate
to Drill as myself and then Drill will access HDFS using impersonation
> In many scenarios we also need impersonation to Drill. For example I might use some front
end tool (such as Tableau) and authenticate to it as myself. That tool (server version) then
needs to access Drill to perform queries and I want those queries to run as myself, not as
the Tableau user. While in theory the intermediate tool could store the userid & password
for every user to the Drill this isn't a scalable or very secure solution.
> Note that HS2 today does support inbound impersonation as described here:  https://issues.apache.org/jira/browse/HIVE-5155

> The above is not the best approach as it is tied to the connection object which is very
coarse grained and potentially expensive. It would be better if there was a call on the ODBC/JDBC
driver to switch the identity on a existing connection. Most modern SQL databases (Oracle,
DB2) support such function.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message