You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@drill.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2016/03/02 01:32:18 UTC

[jira] [Commented] (DRILL-4281) Drill should support inbound impersonation

    [ https://issues.apache.org/jira/browse/DRILL-4281?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15174702#comment-15174702 ] 

ASF GitHub Bot commented on DRILL-4281:
---------------------------------------

GitHub user sudheeshkatkam opened a pull request:

    https://github.com/apache/drill/pull/400

    DRILL-4281: Support authorized users to delegate for other users

    + Need to make changes to [sqlline](https://github.com/mapr/sqlline) to pass down _delegator_ connection property.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/sudheeshkatkam/drill DRILL-4281

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/drill/pull/400.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #400
    
----
commit b27d7421e73b504773b24c205f06aa0f98bd0bb6
Author: Sudheesh Katkam <sk...@maprtech.com>
Date:   2016-03-02T00:23:57Z

    DRILL-4281: Support authorized users to delegate for other users

----


> Drill should support inbound impersonation
> ------------------------------------------
>
>                 Key: DRILL-4281
>                 URL: https://issues.apache.org/jira/browse/DRILL-4281
>             Project: Apache Drill
>          Issue Type: Improvement
>            Reporter: Keys Botzum
>            Assignee: Sudheesh Katkam
>              Labels: doc-impacting, security
>
> Today Drill supports impersonation *to* external sources. For example I can authenticate to Drill as myself and then Drill will access HDFS using impersonation
> In many scenarios we also need impersonation to Drill. For example I might use some front end tool (such as Tableau) and authenticate to it as myself. That tool (server version) then needs to access Drill to perform queries and I want those queries to run as myself, not as the Tableau user. While in theory the intermediate tool could store the userid & password for every user to the Drill this isn't a scalable or very secure solution.
> Note that HS2 today does support inbound impersonation as described here:  https://issues.apache.org/jira/browse/HIVE-5155 
> The above is not the best approach as it is tied to the connection object which is very coarse grained and potentially expensive. It would be better if there was a call on the ODBC/JDBC driver to switch the identity on a existing connection. Most modern SQL databases (Oracle, DB2) support such function.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)