Hello all, 
One of the issues we've been dancing around is having per-user access controls 
in Drill.  As Drill was originally built around the Hadoop ecosystem, the 
Hadoop-based connections make use of user-impersonation for per-user access 
controls.  However, a rather glaring deficiency is the lack of per-user access 
controls for connections like JDBC, Mongo, Splunk, etc.

Recently when I was working on the OAuth pull request, it occurred to me that we 
might be able to slightly extend the credential provider interface to allow for 
per-user credentials.  Here's what I was thinking... 

A bit of background:  The credential provider interface is really an 
abstraction for a HashMap.  Here's my proposal.... The cred provider interface 
would store two hashmaps, one for per-user creds and one for global creds.   
When a user is authenticated to Drill, when they create a storage plugin 
connection, the credential provider would associate the creds with their Drill 
username.  The storage plugins that use credential provider would thus get 
per-user credentials.  

If users did not want per-user credentials, they could simply use direct 
credentials OR specify that in the credential provider classes.  What do 
you think?  

Best,
-- C
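
A sketch of the two-map idea proposed above, added here as an illustration; it is not part of the original message and not Drill's own code. The class name, method names and the `fallBackToGlobal` flag are assumptions, and the credential values are constructed.

```java
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical illustration of the proposal; not Drill's CredentialsProvider API.
public class PerUserCredentialStore {
    // Global creds shared by all users (immutable copy taken at construction).
    private final Map<String, String> globalCreds;
    // Per-user creds, keyed by the authenticated Drill username.
    private final Map<String, Map<String, String>> userCreds = new ConcurrentHashMap<>();
    // Assumed policy switch: false means a user without their own creds gets
    // nothing (fail closed) instead of silently inheriting the shared account.
    private final boolean fallBackToGlobal;

    public PerUserCredentialStore(Map<String, String> globalCreds, boolean fallBackToGlobal) {
        this.globalCreds = Map.copyOf(globalCreds);
        this.fallBackToGlobal = fallBackToGlobal;
    }

    // Called when an authenticated user supplies creds for a plugin connection.
    public void setUserCredentials(String drillUser, Map<String, String> creds) {
        userCreds.put(Objects.requireNonNull(drillUser, "drillUser"), Map.copyOf(creds));
    }

    // The lookup key is only the authenticated username, so one user's entry
    // is never returned for another; returned maps are immutable copies.
    public Map<String, String> getCredentials(String drillUser) {
        Map<String, String> own = (drillUser == null) ? null : userCreds.get(drillUser);
        if (own != null) {
            return own;
        }
        return fallBackToGlobal ? globalCreds : Map.of();
    }

    public static void main(String[] args) {
        // Constructed sample values.
        PerUserCredentialStore store = new PerUserCredentialStore(
            Map.of("username", "svc_drill", "password", "constructed-global"), false);
        store.setUserCredentials("alice",
            Map.of("username", "alice_db", "password", "constructed-alice"));

        System.out.println("alice connects as: " + store.getCredentials("alice").get("username"));
        System.out.println("bob has creds: " + !store.getCredentials("bob").isEmpty());
    }
}
```

With `fallBackToGlobal` set to `true`, every user without a per-user entry connects with the shared account, which matches the current global behaviour and gives no per-user separation for those users.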
