ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Radley (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-1850) Impersonation/proxy user support for gaiandb ranger plugin
Date Fri, 05 Jan 2018 11:01:00 GMT

    [ https://issues.apache.org/jira/browse/RANGER-1850?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16312949#comment-16312949
] 

David Radley commented on RANGER-1850:
--------------------------------------

[~jonesn] thanks for the clarification - that makes sense. 
a) My thinking is that authentication strategies should always be on the cautious side unless
there are best practices or precedence you have found to indicate otherwise.    
b) It sounds like we are creating a schema for the supplied userid. So we will proliferate
schemas if there are a lot of users - one for every user.  

A couple more comments: 
e) From your docs, you mention:
SELECT * FROM LT -- GDB_CREDENTIALS
I assume we are not going to use this select form - as your plugin will effectively do this.
f) Can I confirm when your authentication plugin runs. Is it once for every data source that
is referenced by a query or once for every connection that those data sources use?










> Impersonation/proxy user support for gaiandb ranger plugin
> ----------------------------------------------------------
>
>                 Key: RANGER-1850
>                 URL: https://issues.apache.org/jira/browse/RANGER-1850
>             Project: Ranger
>          Issue Type: Sub-task
>          Components: plugins
>            Reporter: Nigel Jones
>         Attachments: GaianDBAuth.docx
>
>
> Applications/users could connect to gaianDB using their own authentication information
- for example userid/password in the simple case. Here the ranger plugin will use that id
for policy checks.
> However in a multi tiered architecture a service id (aka non personal account) may be
used, and somehow the user to be impersonated is passed via an additional property. This has
a number of implications to the system configuration, derby/gaiandb configuration & the
plugin implementation. 
> Opening this Jira as a placeholder and will add a document soon (++days) on the same
to capture some of the discussion around this area in recent days.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message