[ 
https://issues.apache.org/jira/browse/IMPALA-7222?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16565667#comment-16565667
 ] 

ASF subversion and git services commented on IMPALA-7222:
---------------------------------------------------------

Commit b95111094b70a060e145e61013559ba7f2e1799a in impala's branch 
refs/heads/master from [~arodoni_cloudera]
[ https://git-wip-us.apache.org/repos/asf?p=impala.git;h=b951110 ]

IMPALA-7195 IMPALA-7222: [DOCS] Impala delegation with groups

Added clarifications about delegation.

Change-Id: I6948ab2ef9b82b123f7a1f4fdc83cfb06e9f912f
Reviewed-on: http://gerrit.cloudera.org:8080/11068
Tested-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Reviewed-by: Fredy Wijaya <fwij...@cloudera.com>


> [DOCS] authorization_proxy_user_config needs clarification
> ----------------------------------------------------------
>
>                 Key: IMPALA-7222
>                 URL: https://issues.apache.org/jira/browse/IMPALA-7222
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Docs
>            Reporter: Zsombor Fedor
>            Assignee: Alex Rodoni
>            Priority: Minor
>             Fix For: Impala 3.1.0
>
>
> Please refer to the following Impala documentation:
> [https://impala.apache.org/docs/build3x/html/topics/impala_delegation.html]
>  
> The following clarifications are needed for better understanding:
> When using this option --authorized_proxy_user_config='user1=user2':
>  * authentication is happening based on the user on the left hand side 
> (_user1_)
>  * authorization is happening based on the right hand side user(s) (_user2_)
>  * you can list the users to enable the delegation for them using the 
> delimiter stated in the authorized_proxy_user_config_delimiter switch (default: 
> ",") e.g.: _user1_=_user2_,_user3_,_user4_ or enable for any user by *. More 
> entries are delimited by ";" (_user1_=_user2_;_user3_=_user4_)
>  * it is not straightforward (at least it wasn't for me) that the delegation 
> doesn't happen automatically when connecting with _user1_, the client must be 
> able to provide the delegated username when opening the session (via 
> "DelegationUID") (_user2_ in this case)
>  * it is not necessary for _user1_ to have the permission to access/edit files
>  * it is not necessary for _user2_ to have access to the service via Kerberos
>  * delegated username must exist in the OS to be able to match the permissions
>  * in Impala user() will be _user1_ and effective_user() will be _user2_
>  * it is a security matter in the client to prevent 
> unauthorized access for the delegate-able users
>  
>  
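
The rule semantics listed in the quoted issue, as an added Python sketch (not Impala's code and not part of the original message). The function names, whitespace trimming, error handling and the sample rule string are assumptions made for illustration.

```python
# Added illustration: models the delegation rules described in IMPALA-7222.
# It is not Impala's parser; names and trimming behaviour are assumptions.

def parse_proxy_config(value, user_delim=","):
    """Parse 'user1=user2,user3;user4=*' into {proxy_user: {delegates}}.

    Entries are separated by ';'. Delegates within an entry are separated by
    user_delim (the authorized_proxy_user_config_delimiter switch, default ',').
    """
    rules = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        proxy, sep, delegates = entry.partition("=")
        proxy = proxy.strip()
        names = {d.strip() for d in delegates.split(user_delim) if d.strip()}
        if not sep or not proxy or not names:
            raise ValueError(f"malformed entry: {entry!r}")
        rules.setdefault(proxy, set()).update(names)
    return rules


def effective_user(rules, authenticated_user, delegation_uid=None):
    """Return the user that authorization is evaluated against.

    authenticated_user is the left-hand side (user1, what user() reports).
    delegation_uid is what the client sends as DelegationUID (user2).
    Delegation never happens implicitly: with no DelegationUID the session
    stays as the authenticated user.
    """
    if not delegation_uid:
        return authenticated_user
    allowed = rules.get(authenticated_user, set())
    if "*" in allowed or delegation_uid in allowed:
        return delegation_uid
    raise PermissionError(
        f"{authenticated_user!r} may not delegate to {delegation_uid!r}")


def audit_wildcards(rules):
    """List proxy users allowed to act as any user; review these first."""
    return sorted(p for p, d in rules.items() if "*" in d)


if __name__ == "__main__":
    sample = "user1=user2,user3;user4=*"  # constructed sample value
    parsed = parse_proxy_config(sample)
    print(effective_user(parsed, "user1", "user2"), audit_wildcards(parsed))
```

The wildcard audit reflects the last point of the issue: a proxy user mapped to `*` can act as any user, so preventing misuse of that account is left entirely to the client application.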


