Github user yufeldman commented on the pull request:
https://github.com/apache/drill/pull/400#issuecomment-192171659
Couple of general comments:
1. Since you are using Hadoop UGI it probably makes sense to be more
compliant with Hadoop auth definitions. Which are: "superuser" can proxy for
"user(s), group(s) and host(s)". May be adding group that can proxy is OK, but
it is not what is done in Hadoop world today.
-------------------------
hadoop.proxyuser.superuser.hosts comma separated hosts from
which superuser access are allowed to impersonation. * means wildcard.
hadoop.proxyuser.superuser.groups comma separated groups to which
users impersonated by superuser belongs. * means wildcard.
-------------------------
2. I think what we call here delegate/delegator is a true impersonation,
what we call "chained impersonation" is kind of opposite of impersonation as it
is increasing privileges versus restricting them.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---
