You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@impala.apache.org by "Tim Armstrong (Jira)" <ji...@apache.org> on 2020/12/23 21:46:00 UTC
[jira] [Resolved] (IMPALA-7052) Impersonate the real user in
reading/writing HDFS
[ https://issues.apache.org/jira/browse/IMPALA-7052?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tim Armstrong resolved IMPALA-7052.
-----------------------------------
Resolution: Duplicate
> Impersonate the real user in reading/writing HDFS
> -------------------------------------------------
>
> Key: IMPALA-7052
> URL: https://issues.apache.org/jira/browse/IMPALA-7052
> Project: IMPALA
> Issue Type: New Feature
> Components: Backend, Security
> Reporter: Quanlong Huang
> Priority: Major
>
> Currently, FileMetadata is loaded by catalogd using the process's username which is usually "impala". We judge the authorization using Sentry after the metadata is loaded. However, in the backend, when reading/writing HDFS, we still using the process's username but not the query's username (the real user).
> In a Hadoop cluster without Sentry, it may only use ACLs for authorization. Our behavior prevents it to work correctly since the real username is not used in reading/writing HDFS.
> We should provide a server level option for admins to decide whether to enable impersonation in Backend. If so, propagate the real username to RequestRange and impersonate the real user.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)