Tristan Stevens created IMPALA-5552:
---------------------------------------

             Summary: Proxy user list should support groups
                 Key: IMPALA-5552
                 URL: https://issues.apache.org/jira/browse/IMPALA-5552
             Project: IMPALA
          Issue Type: Improvement
          Components: Frontend
            Reporter: Tristan Stevens
            Priority: Critical


The authorized_proxy_user_config takes a map of user->doAsUser* - i.e. user is 
allowed to impersonate any users in the list of doAsUsers.

For enterprise deployments, this would be better specified as a list of groups, 
rather than a list of users:

user1->group*

When accepting a query, Impala will check that the doAs user is a member of any 
of the list of groups specified for the connecting user.

HiveServer2 does this via Hadoop-level proxy user privileges, e.g.:

<property>
  <name>hadoop.proxyuser.user1.hosts</name>
  <value>doAsUser1,doAsUser2</value>
</property>
<property>
  <name>hadoop.proxyuser.user1.groups</name>
  <value>doAsGroup1,doAsGroup2</value>
</property>




--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
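
The check requested in this issue, sketched as an added example (not Impala's code and not part of the original report): a per-user allow list combined with a per-group allow list, denying by default. The `proxy=a,b;other=c` map syntax, the function names, and the users and groups are assumptions made for illustration.

```python
# Added illustration: all names, the map syntax and the sample data are hypothetical.

def parse_map(spec):
    """Parse 'proxy=a,b;other=c' into {proxy: {names}} (syntax assumed)."""
    result = {}
    for entry in filter(None, (e.strip() for e in spec.split(";"))):
        proxy, sep, names = entry.partition("=")
        if not sep or not proxy.strip():
            # Reject malformed entries instead of silently granting nothing/anything.
            raise ValueError(f"malformed entry: {entry!r}")
        result.setdefault(proxy.strip(), set()).update(
            n.strip() for n in names.split(",") if n.strip())
    return result


def may_impersonate(proxy, do_as, user_map, group_map, groups_of):
    """Return True only if `proxy` may run a query as `do_as`."""
    if not proxy or not do_as:
        return False
    # Existing behaviour described in the issue: explicit doAs user list.
    if do_as in user_map.get(proxy, set()):
        return True
    # Proposed behaviour: doAs user belongs to any group listed for the proxy.
    allowed_groups = group_map.get(proxy, set())
    if not allowed_groups:
        return False
    try:
        member_of = set(groups_of(do_as))
    except LookupError:
        return False  # group resolution failed: deny rather than guess
    return bool(allowed_groups & member_of)


# Constructed sample configuration and group directory.
USER_MAP = parse_map("hue=alice,bob")
GROUP_MAP = parse_map("hue=analysts,etl; oozie=etl")
GROUPS = {"alice": ["finance"], "carol": ["analysts"], "dave": ["ops"]}


def groups_of(user):
    return GROUPS[user]  # KeyError (a LookupError) for unknown users


if __name__ == "__main__":
    for proxy, target in [("hue", "alice"), ("hue", "carol"),
                          ("hue", "dave"), ("oozie", "carol")]:
        ok = may_impersonate(proxy, target, USER_MAP, GROUP_MAP, groups_of)
        print(f"{proxy} -> {target}: {'allow' if ok else 'deny'}")
```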