Sudheesh, thanks for putting this together. Reviewing Oracle documentation, they expose this at the API level rather than through a random query. I think we should probably model after that rather than invent a new mechanism. This also means we can avoid things like query parsing, execution roundtrip, query profiles, etc. to provide this functionality.
See here: https://docs.oracle.com/cd/B28359_01/java.111/b31224/proxya.htm#BABEJEIA

--
Jacques Nadeau
CTO and Co-Founder, Dremio

On Fri, Feb 19, 2016 at 2:18 PM, Keys Botzum <[email protected]> wrote:

> This is a great feature to add to Drill and I'm excited to see design on it starting.
>
> The ability for an intermediate server that is likely already authenticating end users, to send end user identity down to Drill adds a key element into an end to end secure design by enabling Drill and the back end systems to see the real user and thus perform meaningful authorization.
>
> Back when I was building many JEE applications I know the DBAs were very frustrated that the application servers blinded them to the identity of the end user accessing important corporate data. When JEE application servers and databases finally added the ability to impersonate that addressed a lot of security concerns. Of course this isn't a perfect solution and I'm sure others will recognize that in some scenarios impersonation isn't the best approach, but having that as an option in Drill is very valuable.
>
> Keys
> _______________________________
> Keys Botzum
> Senior Principal Technologist
> [email protected]
> 443-718-0098
> MapR Technologies
> http://www.mapr.com
>
> On Feb 19, 2016, at 4:49 PM, Sudheesh Katkam <[email protected]> wrote:
>
> > Hey y’all,
> >
> > I plan to work on DRILL-4281 <https://issues.apache.org/jira/browse/DRILL-4281>: support for inbound/client impersonation. Please review the design document <https://docs.google.com/document/d/1g0KgugVdRbbIxxZrSCtO1PEHlvwczTLDb38k-npvwjA>, which is open for comments. There is also a link to proof-of-concept (slightly hacky).
> >
> > Thank you,
> > Sudheesh
