[ https://issues.apache.org/jira/browse/DRILL-8155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17524709#comment-17524709 ]
ASF GitHub Bot commented on DRILL-8155: --------------------------------------- lgtm-com[bot] commented on PR #2516: URL: https://github.com/apache/drill/pull/2516#issuecomment-1103457982 This pull request **introduces 2 alerts** when merging 861b1585216a384f2a6f232944fa4c9814e70691 into fd836a2a6e933c294a53271f7e9b6ba3fea7cc8d - [view on LGTM.com](https://lgtm.com/projects/g/apache/drill/rev/pr-655f1b5b213873cb902377487e1e2240447b8b7d) **new alerts:** * 1 for Use of externally\-controlled format string * 1 for Dereferenced variable may be null > Introduce new plugin authentication modes > ----------------------------------------- > > Key: DRILL-8155 > URL: https://issues.apache.org/jira/browse/DRILL-8155 > Project: Apache Drill > Issue Type: Improvement > Components: Security > Affects Versions: 1.20.0 > Reporter: Charles Givre > Assignee: Charles Givre > Priority: Major > Fix For: Future > > > At present, Drill storage plugins can use a shared set of credentials to > access storage on behalf of Drill users or, in a subset of cases belonging to > the broader Hadoop family, they can impersonate the Drill user when > drill.exec.impersonation.enabled = true. An important but missing auth mode > is [what is termed "user translation" in > Trino|[https://docs.starburst.io/latest/security/impersonation.html].] Under > user translation, the active Drill user is translated to a user known to the > external storage by means of a translation table that associates Drill users > with their credentials for the external storage. No support for user > impersonation in the external storage is required in this mode. This ticket > proposes that we add establish a design pattern that adds support for this > auth mode to Drill storage plugins. > Another present day limitation is that impersonation, for the plugins that > support it, is toggled by a global switch. We propose here that the auth > mode chosen for a plugin should be independent of the auth modes chosen for > other plugins, by a move of this option into their respective storage configs. > Finally, while a standardised means of choosing an authentication mode is > desired, note that not every storage plugin needs to, or can, support every > mode. -- This message was sent by Atlassian Jira (v8.20.7#820007)