From dev-return-16417-archive-asf-public=cust-asf.ponee.io@ranger.apache.org Fri Jan 5 12:17:04 2018
Return-Path:
X-Original-To: archive-asf-public@eu.ponee.io
Delivered-To: archive-asf-public@eu.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by mx-eu-01.ponee.io (Postfix) with ESMTP id D27F5180647
	for ; Fri, 5 Jan 2018 12:17:04 +0100 (CET)
Received: by cust-asf.ponee.io (Postfix) id C2D8B160C27; Fri, 5 Jan 2018 11:17:04 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 14D22160C19
	for ; Fri, 5 Jan 2018 12:17:03 +0100 (CET)
Received: (qmail 26913 invoked by uid 500); 5 Jan 2018 11:17:03 -0000
Mailing-List: contact dev-help@ranger.apache.org; run by ezmlm
Precedence: bulk
List-Help:
List-Unsubscribe:
List-Post:
List-Id:
Reply-To: dev@ranger.apache.org
Delivered-To: mailing list dev@ranger.apache.org
Received: (qmail 26896 invoked by uid 99); 5 Jan 2018 11:17:03 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd2-us-west.apache.org) (209.188.14.142)
	by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 05 Jan 2018 11:17:03 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd2-us-west.apache.org (ASF Mail Server at spamd2-us-west.apache.org) with ESMTP id ADAAF1A0039
	for ; Fri, 5 Jan 2018 11:17:02 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd2-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -99.211
X-Spam-Level:
X-Spam-Status: No, score=-99.211 tagged_above=-999 required=6.31
	tests=[KAM_ASCII_DIVIDERS=0.8, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_WHITELIST=-100]
	autolearn=disabled
Received: from mx1-lw-eu.apache.org ([10.40.0.8])
	by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new, port 10024)
	with ESMTP id xUZZJAuG_K28 for ; Fri, 5 Jan 2018 11:17:01 +0000 (UTC)
Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139])
	by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTP id 1BDDA5F470
	for ; Fri, 5 Jan 2018 11:17:01 +0000 (UTC)
Received: from jira-lw-us.apache.org (unknown [207.244.88.139])
	by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 50A4BE04C7
	for ; Fri, 5 Jan 2018 11:17:00 +0000 (UTC)
Received: from jira-lw-us.apache.org (localhost [127.0.0.1])
	by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 1726E240E2
	for ; Fri, 5 Jan 2018 11:17:00 +0000 (UTC)
Date: Fri, 5 Jan 2018 11:17:00 +0000 (UTC)
From: "Nigel Jones (JIRA)"
To: dev@ranger.apache.org
Message-ID:
In-Reply-To:
References:
Subject: [jira] [Comment Edited] (RANGER-1850) Impersonation/proxy user support for gaiandb ranger plugin
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394

    [ https://issues.apache.org/jira/browse/RANGER-1850?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16312967#comment-16312967 ]

Nigel Jones edited comment on RANGER-1850 at 1/5/18 11:16 AM:
--------------------------------------------------------------

a) Point noted :-)

b) Yes, that is correct (I was aware of it; I should add it to the docs). It's a current limitation caused by derby/us using backlevel.

e) Correct, we are not using this approach as this requires changes to applications and means derby sees one user (like 'gaiandb') whilst the ranger plugin operates on another. It also means only sql statement execution uses this proxied user id, whilst jdbc metadata queries etc. do not. Confusing and more divergent from base derby security & the way the derby security manager works. By using the proper derby plugin approach derby consistently sees the same userid as gaian regardless of the API call. We are also closer then to the intent of the derby community in terms of extension points, and can build on that approach as we update gaiandb in future.

f) The plugin is called when a connection is made from an application, via the jdbc driver, into gaiandb. It's right at the top. It is not called per data source (that is something gaiandb manages using the auth details configured in gaiandb_config.properties for each source).

was (Author: jonesn):
a) Point accepted :-)

> Impersonation/proxy user support for gaiandb ranger plugin
> ----------------------------------------------------------
>
>                 Key: RANGER-1850
>                 URL: https://issues.apache.org/jira/browse/RANGER-1850
>             Project: Ranger
>          Issue Type: Sub-task
>          Components: plugins
>            Reporter: Nigel Jones
>         Attachments: GaianDBAuth.docx
>
>
> Applications/users could connect to gaianDB using their own authentication information - for example userid/password in the simple case. Here the ranger plugin will use that id for policy checks.
> However in a multi tiered architecture a service id (aka non personal account) may be used, and somehow the user to be impersonated is passed via an additional property. This has a number of implications to the system configuration, derby/gaiandb configuration & the plugin implementation.
> Opening this Jira as a placeholder and will add a document soon (++days) on the same to capture some of the discussion around this area in recent days.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
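Added example (editor's illustration, not GaianDB, Derby or Ranger project code) of the connection-level Derby extension point that point f) above refers to. Derby's real `org.apache.derby.authentication.UserAuthenticator` interface is invoked once per connection attempt, before any SQL statement or JDBC metadata call, which is why a plugin hooked there sees one consistent userid. The class name, the `proxyUser` connection attribute, the credential map and the impersonation allow-list are all assumptions constructed for the example; only the interface, its method signature and the `derby.authentication.provider` / `derby.connection.requireAuthentication` properties named in the usage note are Derby's own. Compiling needs derby.jar on the classpath.

```java
// Added example, not GaianDB/Ranger code. Implements Derby's real
// org.apache.derby.authentication.UserAuthenticator hook, which Derby calls
// once per connection attempt (matching point f): at connection time, not
// per statement and not per federated data source).
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.sql.SQLException;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

import org.apache.derby.authentication.UserAuthenticator;

public class ProxyAwareAuthenticator implements UserAuthenticator {

    /** Hypothetical connection attribute carrying the user to impersonate. */
    static final String PROXY_USER_ATTR = "proxyUser";

    /** Constructed sample credential store (plain text only to keep the example short). */
    private static final Map<String, String> CREDENTIALS = Map.of(
            "alice", "alice-pw",
            "svc_etl", "svc-pw");

    /** Constructed allow-list: which service ids may impersonate which users. */
    private static final Map<String, Set<String>> PROXY_ALLOW = Map.of(
            "svc_etl", Set.of("alice", "bob"));

    @Override
    public boolean authenticateUser(String userName, String userPassword,
                                    String databaseName, Properties info) throws SQLException {
        if (userName == null || userPassword == null) {
            return false;
        }
        String expected = CREDENTIALS.get(userName);
        // Constant-time compare so response timing does not reveal which userids exist.
        if (expected == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                userPassword.getBytes(StandardCharsets.UTF_8))) {
            return false;
        }
        String proxied = info == null ? null : info.getProperty(PROXY_USER_ATTR);
        if (proxied == null || proxied.isEmpty()) {
            return true;                       // ordinary connection, no impersonation asked for
        }
        Set<String> allowed = PROXY_ALLOW.get(userName);
        // Reject the whole connection rather than silently ignoring the proxy request:
        // a service id must not be handed an unproxied session it did not ask for.
        return allowed != null && allowed.contains(proxied);
    }

    /** Identity a policy engine (e.g. a Ranger plugin) should evaluate for this connection. */
    public static String effectiveUser(String userName, Properties info) {
        String proxied = info == null ? null : info.getProperty(PROXY_USER_ATTR);
        return (proxied == null || proxied.isEmpty()) ? userName : proxied;
    }

    /** Exercises the hook offline, without a running Derby instance. */
    public static void main(String[] args) throws SQLException {
        ProxyAwareAuthenticator auth = new ProxyAwareAuthenticator();
        Properties asAlice = new Properties();
        asAlice.setProperty(PROXY_USER_ATTR, "alice");
        Properties asCarol = new Properties();
        asCarol.setProperty(PROXY_USER_ATTR, "carol");

        System.out.println("alice direct:          "
                + auth.authenticateUser("alice", "alice-pw", "gaiandb", new Properties()));
        System.out.println("svc_etl as alice:      "
                + auth.authenticateUser("svc_etl", "svc-pw", "gaiandb", asAlice));
        System.out.println("svc_etl as carol:      "
                + auth.authenticateUser("svc_etl", "svc-pw", "gaiandb", asCarol));
        System.out.println("alice as carol:        "
                + auth.authenticateUser("alice", "alice-pw", "gaiandb", asCarol));
        System.out.println("effective user:        " + effectiveUser("svc_etl", asAlice));
    }
}
```

To wire such a class in, derby.properties would set `derby.connection.requireAuthentication=true` and `derby.authentication.provider=` followed by the fully qualified class name. Note the caveat that point e) raises: even when the hook accepts a proxied identity, Derby itself still runs the session as `userName` (the service id) for both statements and JDBC metadata; only the plugin's own policy checks would use `effectiveUser(...)`, which is exactly the divergence from base Derby security that the comment argues against.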