[ https://issues.apache.org/jira/browse/DRILL-8155?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
James Turton updated DRILL-8155:
--------------------------------
Description:
At present, Drill storage plugins can use a shared set of credentials to access
storage on behalf of Drill users or, in a subset of cases belonging to the
broader Hadoop family, they can impersonate the Drill user when
drill.exec.impersonation.enabled = true. An important but missing auth mode is
[what is termed "user translation" in
Trino|https://docs.starburst.io/latest/security/impersonation.html]. Under
user translation, the active Drill user is translated to a user known to the
external storage by means of a translation table that associates Drill users
with their credentials for the external storage. No support for user
impersonation in the external storage is required in this mode. This ticket
proposes that we establish a design pattern that adds support for this auth
mode to Drill storage plugins.
Another present-day limitation is that impersonation, for the plugins that
support it, is toggled by a global switch. We propose here that the auth mode
chosen for a plugin should be independent of the auth modes chosen for other
plugins, by a move of this option into their respective storage configs.
Finally, while a standardised means of choosing an authentication mode is
desired, note that not every storage plugin needs to, or can, support every
mode.
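As an added illustration of the proposed design, and not code from the ticket or from Drill itself, the following Java sketch shows a per-plugin auth mode carried in the plugin's own config, a user translation table consulted for the active Drill user, and a check that the plugin actually supports the chosen mode. All class, field and mode names here are hypothetical.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Hypothetical sketch of the ticket's per-plugin auth mode design; not Drill code.
final class StorageAuthResolver {
  enum AuthMode { SHARED_USER, USER_IMPERSONATION, USER_TRANSLATION }
  // Identity presented to the external storage: a user name plus an optional secret.
  record StorageIdentity(String externalUser, Optional<String> secret) {}

  // Stand-in for a storage plugin config that carries its own auth mode and, for
  // user translation, the table mapping Drill users to their external credentials.
  record PluginConfig(String name, AuthMode authMode, Set<AuthMode> supportedModes,
                      StorageIdentity sharedIdentity,
                      Map<String, StorageIdentity> translationTable) {}

  // Decides which identity a plugin presents for the active Drill user.
  // Misconfiguration and missing translation entries fail closed: the query is
  // refused rather than silently falling back to the shared account.
  static StorageIdentity resolve(PluginConfig cfg, String drillUser) {
    if (!cfg.supportedModes().contains(cfg.authMode())) {
      throw new IllegalStateException(cfg.name() + " does not support " + cfg.authMode());
    }
    switch (cfg.authMode()) {
      case SHARED_USER:
        return cfg.sharedIdentity();
      case USER_IMPERSONATION:
        // Act as the Drill user itself; only valid where the external storage supports it.
        return new StorageIdentity(drillUser, Optional.empty());
      case USER_TRANSLATION:
        StorageIdentity mapped = cfg.translationTable().get(drillUser);
        if (mapped == null) {
          throw new SecurityException("no translation entry for " + drillUser + " in " + cfg.name());
        }
        return mapped;
      default:
        throw new IllegalStateException("unknown auth mode " + cfg.authMode());
    }
  }

  public static void main(String[] args) {
    // Constructed sample: a plugin whose backing store cannot impersonate users.
    PluginConfig cfg = new PluginConfig("example_store", AuthMode.USER_TRANSLATION,
        Set.of(AuthMode.SHARED_USER, AuthMode.USER_TRANSLATION), null,
        Map.of("alice", new StorageIdentity("alice-ext", Optional.of("constructed-secret"))));
    System.out.println(resolve(cfg, "alice").externalUser());
    try { resolve(cfg, "mallory"); } catch (SecurityException e) { System.out.println(e.getMessage()); }
  }
}
```

A user without a translation entry is refused outright, which is the behaviour to preserve when wiring such a table into a real plugin.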
> Introduce new plugin authentication modes
> -----------------------------------------
>
> Key: DRILL-8155
> URL: https://issues.apache.org/jira/browse/DRILL-8155
> Project: Apache Drill
> Issue Type: Improvement
> Components: Security
> Affects Versions: 1.20.0
> Reporter: Charles Givre
> Assignee: Charles Givre
> Priority: Major
> Fix For: Future
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)