> You're talking about another service between the user and the application. yes, I pointed out the case.
> In that case a parameter probably makes sense. But then you'd need to > add those config options, .... yea, I see. Currently, any approach to avoid the dangerous case for the service? I think we can't control who is allowed to impersonate who in the Livy side. Or , In Livy, the use-case I pointed out is out-of-scope? On Tue, Jun 26, 2018 at 10:12 AM Marcelo Vanzin <van...@cloudera.com.invalid> wrote: > You're talking about another service between the user and the application. > > In that case a parameter probably makes sense. But then you'd need to > add those config options, because this is a dangerous feature, and > Livy should know who is allowed to impersonate who. In this case the > service needs to authenticate to Livy as a privileged user, and Livy's > configuration would say that the service's user is allowed to > impersonate certain users or groups (same as the other services that > allow impersonation like YARN). > > > On Mon, Jun 25, 2018 at 5:41 PM, Takeshi Yamamuro <linguin....@gmail.com> > wrote: > > Yea, I know the Livy supports impersonation. > > I assume a case blow > > [different users] ---Some protocols---> [the server applications managing > > multiple sessions for users] ---REST---> [Livy server] > > In this case, Livy already has a way to pass proxyUser from the > application > > to Livy? > > Sorry, but I'm not familiar with Livy internal logic. > > > > > > On Tue, Jun 26, 2018 at 9:14 AM Marcelo Vanzin > <van...@cloudera.com.invalid> > > wrote: > > > >> On Mon, Jun 25, 2018 at 5:09 PM, Takeshi Yamamuro < > linguin....@gmail.com> > >> wrote: > >> > In that case, I think Livy is useful; the application can pass > proxyUser > >> to > >> > build LivyClient for each user > >> > and run spark queries as each user authorization. > >> > >> But Livy already supports impersonation. It can impersonate the > >> authenticated user. > >> > >> You're suggesting adding a parameter so the user can request > >> impersonation of some specific user, which is a different thing. What > >> is the use case for that? > >> > >> -- > >> Marcelo > >> > > > > > > -- > > --- > > Takeshi Yamamuro > > > > -- > Marcelo > -- --- Takeshi Yamamuro
