[jira] [Comment Edited] (RANGER-1850) Impersonation/proxy user support for gaiandb ranger plugin

Fri, 05 Jan 2018 02:22:13 -0800 

    [ 
https://issues.apache.org/jira/browse/RANGER-1850?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16312868#comment-16312868
 ] 

David Radley edited comment on RANGER-1850 at 1/5/18 10:21 AM:
---------------------------------------------------------------

[~jonesn] It might be safer to fail the authentication if proxy user and 
password properties were set but failed to authenticate; rather than try 
authenticating with the regular userid. I think this honours the authorization 
intent. 
I am unsure what the create schema flag does - I suggest a comment. It seems 
strange we should create a schema on a query - or have I missed something. 

I am unsure how the code fits with the docs. I get the impression Gdb would 
also need to amend say an Oracle query to add in Ernie. Does GaianDb do this as 
is?    



was (Author: davidrad):
[~jonesn] It might be safer to fail the authentication if proxy user and 
password properties were set but failed to authenticate; rather than try 
authenticating with the regular userid. I think this honours the authorization 
intent. 
I am unsure what the create schema flag does - I suggest a comment. It seems 
strange we should create a schema on a query - or have I missed something. 

> Impersonation/proxy user support for gaiandb ranger plugin
> ----------------------------------------------------------
>
>                 Key: RANGER-1850
>                 URL: https://issues.apache.org/jira/browse/RANGER-1850
>             Project: Ranger
>          Issue Type: Sub-task
>          Components: plugins
>            Reporter: Nigel Jones
>         Attachments: GaianDBAuth.docx
>
>
> Applications/users could connect to gaianDB using their own authentication 
> information - for example userid/password in the simple case. Here the ranger 
> plugin will use that id for policy checks.
> However in a multi tiered architecture a service id (aka non personal 
> account) may be used, and somehow the user to be impersonated is passed via 
> an additional property. This has a number of implications to the system 
> configuration, derby/gaiandb configuration & the plugin implementation. 
> Opening this Jira as a placeholder and will add a document soon (++days) on 
> the same to capture some of the discussion around this area in recent days.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to