You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues-all@impala.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2019/08/06 04:19:00 UTC

[jira] [Commented] (IMPALA-8828) Support impersonation via http paths

    [ https://issues.apache.org/jira/browse/IMPALA-8828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16900604#comment-16900604 ] 

ASF subversion and git services commented on IMPALA-8828:
---------------------------------------------------------

Commit bbe064ec194aff4ecf1e794bd4071df4ea4be166 in impala's branch refs/heads/master from Thomas Tauber-Marshall
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=bbe064e ]

IMPALA-8828: Support impersonation via http paths

This patch allows clients that connect over the HTTP server to specify
the 'doAs' parameter in the provided path in order to perform
impersonation.

The existing rules for impersonation are applied, i.e.
authorized_proxy_user_config or authorized_proxy_group_config must be
set with the appropriate values for impersonation to be successful.

Testing:
- Added a FE test that verifies impersonation works as expected with
  impala-shell and ldap.
- Manually tested with Apache Knox.

Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6
Reviewed-on: http://gerrit.cloudera.org:8080/13994
Reviewed-by: Impala Public Jenkins <im...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>


> Support impersonation via http paths
> ------------------------------------
>
>                 Key: IMPALA-8828
>                 URL: https://issues.apache.org/jira/browse/IMPALA-8828
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Clients
>    Affects Versions: Impala 3.3.0
>            Reporter: Thomas Tauber-Marshall
>            Assignee: Thomas Tauber-Marshall
>            Priority: Major
>              Labels: security
>
> When clients connect over http, we should allow them to perform impersonation via the 'doAs' parameter, eg. by specifying a path of the form '/?doAs=<username>'
> This is useful for example for Apache Knox, which proxies connections to Impala and authenticates as itself via Kerberos but runs queries as other users.
> We can leverage the existing support for impersonation, eg. knox would have to be included in 'authorized_proxy_user_config' to be able to do the impersonation



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org