JohnOmernik commented on pull request #2162: URL: https://github.com/apache/drill/pull/2162#issuecomment-775176615
So, I didn't review all the code (and that wouldn't be effective review anyhow). I did hone in on the markdown doc at 164 docs/dev/PluginCredentialsProvider.md <https://github.com/apache/drill/pull/2162/files#diff-f46bd001ba51b40d94a6988bbcb2e16357e4c423da3b8e681073f9b100aadc55>

Some comments:

- I like the plugin credentials provider. This is handy.
- One challenge in Drill may be that the user accessing the cluster may have very little control over many of the ways the credentials are provided. For example:
  - HadoopCredentialsProvider: How are credentials provided by a "user" here? Not the "admin" who started the cluster (the core-site.xml would need to be edited by the user). How do we handle different users connecting?
  - EnvCredentialsProvider: How does a user provide environmental variables if they are connecting via ODBC, JDBC, REST API? Even SQLLine running remotely may not work here, correct?
  - VaultCredentialProvider: I like this, however, as above, how does a USER provide a vault location and token? If it's in the drill-override.conf, how will a user specify this information separate from a different user? Is there a way for Drill to provide an interface to store vault tokens that can be unlocked via user authentication? I know this is messy, but essentially you have to have the User Tell Drill I am who I say I am, and then you need Drill, once it verifies this, to be able to access the vault on behalf of the authenticated user in order to get passwords for various data stores. This all must be done securely, and ideally in a way that is simple for the user.

That's my first thought as of now, let me know if my rambling doesn't make as much sense typed out as it does in my head.

John

On Sat, Feb 6, 2021 at 5:56 PM Charles S. Givre <[email protected]> wrote:

> @JohnOmernik <https://github.com/JohnOmernik>
> Could you take a look at this PR?
