[jira] [Commented] (DRILL-4281) Drill should support inbound impersonation

Thu, 03 Mar 2016 17:09:56 -0800 

    [ 
https://issues.apache.org/jira/browse/DRILL-4281?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15179077#comment-15179077
 ] 

ASF GitHub Bot commented on DRILL-4281:
---------------------------------------

Github user jacques-n commented on a diff in the pull request:

    https://github.com/apache/drill/pull/400#discussion_r54976899
  
    --- Diff: 
exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/UserSession.java ---
    @@ -116,14 +137,38 @@ public OptionManager getOptions() {
         return sessionOptions;
       }
     
    -  public DrillUser getUser() {
    -    return user;
    -  }
    -
       public UserCredentials getCredentials() {
         return credentials;
       }
     
    +  /**
    +   * Replace current user credentials with the given user's credentials, 
if authorized.
    +   *
    +   * @param delegatorName delegator name
    +   * @throws DrillRuntimeException if credentials cannot be replaced
    +   */
    +  public void replaceUserCredentials(final String delegatorName) {
    +    assert enableDelegation;
    --- End diff --
    
    No need for assert, preconditions makes sure we get Exception instead of 
typically uncaptured Error subclass and this isn't perf sensitive.


> Drill should support inbound impersonation
> ------------------------------------------
>
>                 Key: DRILL-4281
>                 URL: https://issues.apache.org/jira/browse/DRILL-4281
>             Project: Apache Drill
>          Issue Type: Improvement
>            Reporter: Keys Botzum
>            Assignee: Sudheesh Katkam
>              Labels: doc-impacting, security
>
> Today Drill supports impersonation *to* external sources. For example I can 
> authenticate to Drill as myself and then Drill will access HDFS using 
> impersonation
> In many scenarios we also need impersonation to Drill. For example I might 
> use some front end tool (such as Tableau) and authenticate to it as myself. 
> That tool (server version) then needs to access Drill to perform queries and 
> I want those queries to run as myself, not as the Tableau user. While in 
> theory the intermediate tool could store the userid & password for every user 
> to the Drill this isn't a scalable or very secure solution.
> Note that HS2 today does support inbound impersonation as described here:  
> https://issues.apache.org/jira/browse/HIVE-5155 
> The above is not the best approach as it is tied to the connection object 
> which is very coarse grained and potentially expensive. It would be better if 
> there was a call on the ODBC/JDBC driver to switch the identity on a existing 
> connection. Most modern SQL databases (Oracle, DB2) support such function.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to