Superusers are a little more than "allowed to impersonate others". I don't remember exactly what are the things that it allows, but it would be better to add finer-grained permissions.

On Mon, Jun 25, 2018 at 6:30 PM, Saisai Shao <sai.sai.s...@gmail.com> wrote:
> Yes, has a configuration "livy.superusers". Here in this case, the sql
> server user should be added as a superuser, who can impersonate other
> different users.
>
> Marcelo Vanzin <van...@cloudera.com.invalid> wrote on Tue, Jun 26, 2018 at 9:12 AM:
>
>> You're talking about another service between the user and the application.
>>
>> In that case a parameter probably makes sense. But then you'd need to
>> add those config options, because this is a dangerous feature, and
>> Livy should know who is allowed to impersonate who. In this case the
>> service needs to authenticate to Livy as a privileged user, and Livy's
>> configuration would say that the service's user is allowed to
>> impersonate certain users or groups (same as the other services that
>> allow impersonation like YARN).
>>
>>
>> On Mon, Jun 25, 2018 at 5:41 PM, Takeshi Yamamuro <linguin....@gmail.com>
>> wrote:
>> > Yea, I know the Livy supports impersonation.
>> > I assume a case below
>> > [different users] ---Some protocols---> [the server applications managing
>> > multiple sessions for users] ---REST---> [Livy server]
>> > In this case, Livy already has a way to pass proxyUser from the application
>> > to Livy?
>> > Sorry, but I'm not familiar with Livy internal logic.
>> >
>> >
>> > On Tue, Jun 26, 2018 at 9:14 AM Marcelo Vanzin <van...@cloudera.com.invalid>
>> > wrote:
>> >
>> >> On Mon, Jun 25, 2018 at 5:09 PM, Takeshi Yamamuro <linguin....@gmail.com>
>> >> wrote:
>> >> > In that case, I think Livy is useful; the application can pass proxyUser to
>> >> > build LivyClient for each user
>> >> > and run spark queries as each user authorization.
>> >>
>> >> But Livy already supports impersonation. It can impersonate the
>> >> authenticated user.
>> >>
>> >> You're suggesting adding a parameter so the user can request
>> >> impersonation of some specific user, which is a different thing. What
>> >> is the use case for that?
>> >>
>> >> --
>> >> Marcelo
>> >>
>> >
>> >
>> > --
>> > ---
>> > Takeshi Yamamuro
>>
>>
>>
>> --
>> Marcelo
>>

--
Marcelo
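
The difference between the two models discussed in this thread (a blanket superuser versus a per-service list of users or groups that may be impersonated), as an added example that is not part of the original messages and is not Livy's code or configuration format. The class names, the policy layout, and the accounts `sqlserver`, `alice`, `bob`, `hdfs` and the group `analysts` are all hypothetical.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ProxyRule:
    """Users and groups one authenticated service account may impersonate."""
    users: frozenset = frozenset()
    groups: frozenset = frozenset()


@dataclass
class ImpersonationPolicy:
    superusers: set = field(default_factory=set)        # coarse: may act as anyone
    rules: dict = field(default_factory=dict)           # fine-grained: service -> ProxyRule
    group_members: dict = field(default_factory=dict)   # group -> users (constructed data)

    def effective_user(self, authenticated, proxy_user=None):
        """Return the user a session should run as, or raise PermissionError."""
        if proxy_user is None or proxy_user == authenticated:
            return authenticated                        # no impersonation requested
        if authenticated in self.superusers:
            return proxy_user                           # blanket grant, no target check
        rule = self.rules.get(authenticated)
        if rule is not None:
            if proxy_user in rule.users:
                return proxy_user
            if any(proxy_user in self.group_members.get(g, ()) for g in rule.groups):
                return proxy_user
        raise PermissionError(f"{authenticated!r} may not impersonate {proxy_user!r}")


def allowed(policy, authenticated, proxy_user):
    """True if the request would be accepted under the given policy."""
    try:
        policy.effective_user(authenticated, proxy_user)
        return True
    except PermissionError:
        return False


# Constructed policies: the same SQL server account under each model.
COARSE = ImpersonationPolicy(superusers={"sqlserver"})
FINE = ImpersonationPolicy(
    rules={"sqlserver": ProxyRule(groups=frozenset({"analysts"}))},
    group_members={"analysts": {"alice", "bob"}},
)
```

Under `COARSE` the service account can run sessions as any user, including `hdfs`; under `FINE` it is limited to members of `analysts`, and ordinary users cannot request another identity at all.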