You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@impala.apache.org by "Tim Armstrong (Jira)" <ji...@apache.org> on 2020/12/23 21:46:00 UTC

[jira] [Resolved] (IMPALA-7052) Impersonate the real user in reading/writing HDFS

     [ https://issues.apache.org/jira/browse/IMPALA-7052?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tim Armstrong resolved IMPALA-7052.
-----------------------------------
    Resolution: Duplicate

> Impersonate the real user in reading/writing HDFS
> -------------------------------------------------
>
>                 Key: IMPALA-7052
>                 URL: https://issues.apache.org/jira/browse/IMPALA-7052
>             Project: IMPALA
>          Issue Type: New Feature
>          Components: Backend, Security
>            Reporter: Quanlong Huang
>            Priority: Major
>
> Currently, FileMetadata is loaded by catalogd using the process's username which is usually "impala". We judge the authorization using Sentry after the metadata is loaded. However, in the backend, when reading/writing HDFS, we still using the process's username but not the query's username (the real user).
> In a Hadoop cluster without Sentry, it may only use ACLs for authorization. Our behavior prevents it to work correctly since the real username is not used in reading/writing HDFS.
> We should provide a server level option for admins to decide whether to enable impersonation in Backend. If so, propagate the real username to RequestRange and impersonate the real user.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)