Abhishek created RANGER-4797:
--------------------------------
Summary: Impersonate access type may not be required for trino
policies other than trinouser resource type
Key: RANGER-4797
URL: https://issues.apache.org/jira/browse/RANGER-4797
Project: Ranger
Issue Type: Bug
Components: Ranger
Reporter: Abhishek
Assignee: Pradeep Agrawal
In the Trino policies containing "trinouser" as the resource type, the use case
is that whatever users are specified in the "trinouser" resource type can be
impersonated by users listed in the allow policy items.
For example, consider a policy:
resource : trinouser : hrt_qa
allow policy items : user - trino, access - impersonate
In the above policy, the trino user can run the command "SET SESSION
AUTHORIZATION hrt_qa;", and the query should work.
The impersonate access type is also being used to view the query owned by other
users and kill queries triggered by other users. In such cases, the
authorisation is only checked against the "trinouser" resource.
However, the "Impersonate" access type is also being listed in other trino
resource based policies like "catalog", "schema", "table", etc.
This access type may not be required in such policies.
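An added example, not part of the issue or of Ranger's code: an audit that lists policy items carrying "impersonate" on resource types other than "trinouser", which the description above says is the only resource the check runs against. The JSON field names (resources, policyItems, accesses, users) are assumed to follow Ranger's policy export layout, and the sample policies are constructed.

```python
import json

# Constructed sample in the assumed layout of a Ranger policy export;
# none of these policies come from the issue.
SAMPLE_POLICIES = json.loads("""
[
  {"id": 1, "name": "impersonate hrt_qa",
   "resources": {"trinouser": {"values": ["hrt_qa"]}},
   "policyItems": [{"users": ["trino"],
                    "accesses": [{"type": "impersonate", "isAllowed": true}]}]},
  {"id": 2, "name": "hive catalog",
   "resources": {"catalog": {"values": ["hive"]}},
   "policyItems": [{"users": ["etl"],
                    "accesses": [{"type": "select", "isAllowed": true},
                                 {"type": "impersonate", "isAllowed": true}]}]},
  {"id": 3, "name": "sales tables",
   "resources": {"catalog": {"values": ["hive"]}, "schema": {"values": ["sales"]},
                 "table": {"values": ["*"]}},
   "policyItems": [{"users": ["analyst"],
                    "accesses": [{"type": "select", "isAllowed": true}]}]}
]
""")

# Allow, deny and exception item lists are all inspected.
ITEM_KEYS = ("policyItems", "denyPolicyItems", "allowExceptions", "denyExceptions")


def misplaced_impersonate(policies):
    """Return (policy id, resource types, users) for each policy item that
    carries 'impersonate' on a policy whose resource is not 'trinouser'."""
    findings = []
    for policy in policies:
        resources = sorted(policy.get("resources", {}))
        if "trinouser" in resources:
            continue  # the resource type where impersonate is meaningful
        for key in ITEM_KEYS:
            for item in policy.get(key, []):
                types = {a.get("type", "").lower() for a in item.get("accesses", [])}
                if "impersonate" in types:
                    findings.append(
                        (policy.get("id"), resources, sorted(item.get("users", []))))
    return findings


if __name__ == "__main__":
    for pid, resources, users in misplaced_impersonate(SAMPLE_POLICIES):
        print(f"policy {pid}: impersonate on {resources} for users {users}")
```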