[ https://issues.apache.org/jira/browse/DRILL-4281?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15179082#comment-15179082 ]
ASF GitHub Bot commented on DRILL-4281: --------------------------------------- Github user jacques-n commented on a diff in the pull request: https://github.com/apache/drill/pull/400#discussion_r54977126 --- Diff: exec/java-exec/src/main/java/org/apache/drill/exec/util/UserDelegationUtil.java --- @@ -0,0 +1,147 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * <p/> + * http://www.apache.org/licenses/LICENSE-2.0 + * <p/> + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.drill.exec.util; + +import com.fasterxml.jackson.core.JsonGenerator; +import com.fasterxml.jackson.core.JsonParser; +import com.fasterxml.jackson.core.type.TypeReference; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.google.common.collect.Sets; +import org.apache.drill.common.exceptions.UserException; +import org.apache.drill.exec.server.options.OptionValue; +import org.apache.drill.exec.server.options.TypeValidators; +import org.apache.hadoop.security.UserGroupInformation; + +import java.io.IOException; +import java.util.List; +import java.util.Set; + +/** + * Utilities for user delegation purpose. + */ +public class UserDelegationUtil { + private static final org.slf4j.Logger logger = org.slf4j.LoggerFactory.getLogger(UserDelegationUtil.class); + + private static final String STAR = "*"; + + private static final ObjectMapper delegationDefinitionsMapper = new ObjectMapper(); + + static { + delegationDefinitionsMapper.configure(JsonGenerator.Feature.QUOTE_FIELD_NAMES, false); + delegationDefinitionsMapper.configure(JsonParser.Feature.ALLOW_UNQUOTED_FIELD_NAMES, true); + } + + private static class DelegationDefinition { + public UserGroupDefinition delegates = new UserGroupDefinition(); + public UserGroupDefinition delegators = new UserGroupDefinition(); + } + + private static class UserGroupDefinition { + public Set<String> users = Sets.newHashSet(); + public Set<String> groups = Sets.newHashSet(); + } + + /** + * Deserialize delegation definitions string to a list of delegation definition objects. + * + * @param delegationDefinitions delegation definitions as a sting + * @return delegation definitions as a list of objects + * @throws IOException + */ + public static List<DelegationDefinition> deserializeDelegationDefinitions(final String delegationDefinitions) + throws IOException { + return delegationDefinitionsMapper.readValue(delegationDefinitions, + new TypeReference<List<DelegationDefinition>>() {}); + } + + /** + * Validator for delegation definitions. + */ + public static class DelegationDefinitionsValidator extends TypeValidators.AdminOptionValidator { + + public DelegationDefinitionsValidator(String name, String def) { + super(name, def); + } + + @Override + public void validate(OptionValue v) { + super.validate(v); + + final List<DelegationDefinition> definitions; + try { + definitions = deserializeDelegationDefinitions(v.string_val); + } catch (final IOException e) { + throw UserException.validationError() + .message("Invalid delegation definition.\nDetails: %s", e.getMessage()) + .build(logger); + } + + for (final DelegationDefinition definition : definitions) { + if (definition.delegates.users.contains(STAR) || + definition.delegates.groups.contains(STAR)) { + throw UserException.validationError() + .message("No wildcard delegates allowed.") + .build(logger); + } + } + } + } + + /** + * Check if the given delegate is authorized to delegate for the delegator based on the delegation definitions. + * + * @param delegateName delegate name + * @param delegatorName delegator name + * @param delegationDefinitions valid delegation definitions + * @return true iff delegate is authorized to delegate for the delegator + */ + public static boolean hasDelegationPrivileges(final String delegateName, final String delegatorName, + final String delegationDefinitions) throws IOException { + final List<DelegationDefinition> definitions; + try { + definitions = deserializeDelegationDefinitions(delegationDefinitions); --- End diff -- I think we should avoid constant repetitive deserialization. We can simply check if the string changed and if it did, reset the representation. Thoughts? > Drill should support inbound impersonation > ------------------------------------------ > > Key: DRILL-4281 > URL: https://issues.apache.org/jira/browse/DRILL-4281 > Project: Apache Drill > Issue Type: Improvement > Reporter: Keys Botzum > Assignee: Sudheesh Katkam > Labels: doc-impacting, security > > Today Drill supports impersonation *to* external sources. For example I can > authenticate to Drill as myself and then Drill will access HDFS using > impersonation > In many scenarios we also need impersonation to Drill. For example I might > use some front end tool (such as Tableau) and authenticate to it as myself. > That tool (server version) then needs to access Drill to perform queries and > I want those queries to run as myself, not as the Tableau user. While in > theory the intermediate tool could store the userid & password for every user > to the Drill this isn't a scalable or very secure solution. > Note that HS2 today does support inbound impersonation as described here: > https://issues.apache.org/jira/browse/HIVE-5155 > The above is not the best approach as it is tied to the connection object > which is very coarse grained and potentially expensive. It would be better if > there was a call on the ODBC/JDBC driver to switch the identity on a existing > connection. Most modern SQL databases (Oracle, DB2) support such function. -- This message was sent by Atlassian JIRA (v6.3.4#6332)