You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues-all@impala.apache.org by "Zsombor Fedor (JIRA)" <ji...@apache.org> on 2018/06/29 09:03:00 UTC

[jira] [Created] (IMPALA-7222) [DOCS] authorization_proxy_user_config needs clarification

Zsombor Fedor created IMPALA-7222:
-------------------------------------

             Summary: [DOCS] authorization_proxy_user_config needs clarification
                 Key: IMPALA-7222
                 URL: https://issues.apache.org/jira/browse/IMPALA-7222
             Project: IMPALA
          Issue Type: Documentation
          Components: Docs
            Reporter: Zsombor Fedor


Please refer to the following Impala documentation:

[https://impala.apache.org/docs/build3x/html/topics/impala_delegation.html]

 

The following clarifications needed for better understanding:

When using this option --authorized_proxy_user_config= 'user1=user2' :
 * authentication is happening based on the user on the left hand side (_user1_)
 * authorization is happening based on the right hand side user(s) (_user2_)
 * you can list the users to enable the delegation for them using the delimiter stated in authorized_proxy_user_config_delimiter switch (default: ",") eg.: _user1_=_user2_,_user3_,_user4_ or enable for any user by *. More entries delimited by ";" (_user1_=_user2_;_user3_=_user4_)
 * it is not straightforward (at least it wasn't for me) that the delegation doesn't happen automatically when connecting with _user1,_ the client must be able to provide delegated username when opening the session (via "DelegationUID"). ((_user2_ in this case))
 * it is not necessary for _user1_ to have the permission to access/edit files
 * it is not necessary for _user2_ to have access to the service via Kerberos
 * delegated username must exist in the OS to be able to match the permissions
 * in Impala user() will be _user1_ and effective_user() will be _user2_
 * {color:#000000}it is a security matter in the client to prevent unauthorized access for the delegate-able users{color}
 

 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org