[ https://issues.apache.org/jira/browse/RANGER-1850?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16283345#comment-16283345 ]
Nigel Jones commented on RANGER-1850:
-------------------------------------
I now have an initial version of this...
Have added a proxy auth class to
https://github.com/planetf1/gaiandb-policy-ranger/tree/master/src/main/java/org/apache/gaiandb/security
This allows two additional parms to be passed on the URL - or in the properties
object:
- proxy-user
- proxy-pwd
These should be set to the NPA account - i.e. gaiandb/password. Then the EXISTING
'user' parm gets set to nigel, roger, ernie etc. A little glitch that password
has to be non-null for now - but is ignored. If proxy auth fails, or those
parms aren't present, auth falls back to the existing gaiandb mechanism (which
itself falls back to the native derby authenticator).
By setting user to the 'real' user, the default schema is now 'jonesn' - which
I wanted since I think the most secure approach is to allow all of the existing
derby auth support to work as normal - the ONLY difference is really in how we
connect, so queries need to be fully qualified, i.e. 'select * from
gaiandb.vemployee'.
The proxy auth forces the additional property 'create=true' on the connection as
otherwise derby will fail, even with the fully qualified schema, if that schema
does not exist (at least in the older version used in gaiandb).
Bottom line:
- can now authenticate using gaiandb user/password (an NPA), and passing in
desired user
- can select from gaiandb virtual tables
- policy plugin gets invoked with correct user context
- any other db controls respected using the real user (but this area needs
very broad review post MVP)
- can also connect as a regular user
Need to figure out where to host this code. For now the update is in github as
previously.
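As an added illustration of the fallback order described in the comment above (this is not code from the gaiandb-policy-ranger repository), a small Java model of the decision the proxy auth class has to make; the NPA credentials, the class and method names, and the `Decision` type are assumptions:

```java
import java.util.Properties;

/**
 * Hypothetical model of the auth chain described in the comment: proxy auth
 * with an NPA first, then the existing gaiandb mechanism (which itself falls
 * back to Derby). Not the project's own code; names are assumptions.
 */
public class ProxyAuthResolver {
    // Constructed sample NPA credentials; a real deployment would look these up.
    static final String NPA_USER = "gaiandb";
    static final String NPA_PWD = "password";

    /** Which user the policy plugin should see, and how that was decided. */
    public static final class Decision {
        public final String effectiveUser;
        public final String mechanism;      // "proxy" or "gaiandb"
        public final Properties derbyProps; // what is handed on to Derby
        Decision(String u, String m, Properties p) { effectiveUser = u; mechanism = m; derbyProps = p; }
        @Override public String toString() {
            return mechanism + " -> user=" + effectiveUser + " create=" + derbyProps.getProperty("create");
        }
    }

    public static Decision resolve(Properties conn) {
        String proxyUser = conn.getProperty("proxy-user");
        String proxyPwd = conn.getProperty("proxy-pwd");
        String user = conn.getProperty("user");
        String pwd = conn.getProperty("password");
        Properties derby = new Properties();
        derby.putAll(conn);
        // Proxy path: both proxy parms present, NPA credentials match, and the
        // real user's password is non-null (it is ignored, as the comment notes).
        if (proxyUser != null && proxyPwd != null && user != null && pwd != null
                && NPA_USER.equals(proxyUser) && NPA_PWD.equals(proxyPwd)) {
            derby.remove("proxy-user");
            derby.remove("proxy-pwd");
            derby.setProperty("create", "true"); // forced so a missing default schema does not fail the connect
            return new Decision(user, "proxy", derby);
        }
        // Proxy parms absent or NPA check failed: existing gaiandb mechanism.
        return new Decision(user, "gaiandb", derby);
    }

    public static void main(String[] args) {
        Properties ok = new Properties();
        ok.setProperty("proxy-user", NPA_USER); ok.setProperty("proxy-pwd", NPA_PWD);
        ok.setProperty("user", "nigel"); ok.setProperty("password", "ignored");
        System.out.println(resolve(ok));       // NPA accepted, plugin sees 'nigel'
        Properties badNpa = new Properties(); badNpa.putAll(ok); badNpa.setProperty("proxy-pwd", "wrong");
        System.out.println(resolve(badNpa));   // NPA rejected, falls back
        Properties plain = new Properties();
        plain.setProperty("user", "gaiandb"); plain.setProperty("password", NPA_PWD);
        System.out.println(resolve(plain));    // regular user connect, no proxy parms
    }
}
```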
> Impersonation/proxy user support for gaiandb ranger plugin
> ----------------------------------------------------------
>
> Key: RANGER-1850
> URL: https://issues.apache.org/jira/browse/RANGER-1850
> Project: Ranger
> Issue Type: Sub-task
> Components: plugins
> Reporter: Nigel Jones
> Attachments: GaianDBAuth.docx
>
>
> Applications/users could connect to gaianDB using their own authentication
> information - for example userid/password in the simple case. Here the ranger
> plugin will use that id for policy checks.
> However in a multi-tiered architecture a service id (aka non personal
> account) may be used, and somehow the user to be impersonated is passed via
> an additional property. This has a number of implications to the system
> configuration, derby/gaiandb configuration & the plugin implementation.
> Opening this Jira as a placeholder and will add a document soon (++days) on
> the same to capture some of the discussion around this area in recent days.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)