[ https://issues.apache.org/jira/browse/IMPALA-7052?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tim Armstrong resolved IMPALA-7052.
-----------------------------------
    Resolution: Duplicate

> Impersonate the real user in reading/writing HDFS
> -------------------------------------------------
>
>                 Key: IMPALA-7052
>                 URL: https://issues.apache.org/jira/browse/IMPALA-7052
>             Project: IMPALA
>          Issue Type: New Feature
>          Components: Backend, Security
>            Reporter: Quanlong Huang
>            Priority: Major
>
> Currently, FileMetadata is loaded by catalogd using the process's username 
> which is usually "impala". We judge the authorization using Sentry after the 
> metadata is loaded. However, in the backend, when reading/writing HDFS, we 
> are still using the process's username but not the query's username (the real 
> user).
> In a Hadoop cluster without Sentry, it may only use ACLs for authorization. 
> Our behavior prevents it from working correctly since the real username is not 
> used in reading/writing HDFS.
> We should provide a server level option for admins to decide whether to 
> enable impersonation in Backend. If so, propagate the real username to 
> RequestRange and impersonate the real user.


