[ https://issues.apache.org/jira/browse/RANGER-1850?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16313029#comment-16313029 ]
David Radley commented on RANGER-1850:
--------------------------------------
Thanks [~jonesn]
So we have the userid Ernie coming in, the NPA GaianDB is used to authenticate
it using the plugin. This gives the user access to all the GaianDB data
sources, which may have connections defined with other credentials. Are we also
making the assumption / assertion that all credentials defined by GaianDB
associated with data sources must be the NPA credentials?
I assume this means that in this scenario, any caller to GaianDB must have
access to the encrypted NPA credentials.
> Impersonation/proxy user support for gaiandb ranger plugin
> ----------------------------------------------------------
>
> Key: RANGER-1850
> URL: https://issues.apache.org/jira/browse/RANGER-1850
> Project: Ranger
> Issue Type: Sub-task
> Components: plugins
> Reporter: Nigel Jones
> Attachments: GaianDBAuth.docx
>
>
> Applications/users could connect to gaianDB using their own authentication
> information - for example userid/password in the simple case. Here the ranger
> plugin will use that id for policy checks.
> However in a multi tiered architecture a service id (aka non personal
> account) may be used, and somehow the user to be impersonated is passed via
> an additional property. This has a number of implications to the system
> configuration, derby/gaiandb configuration & the plugin implementation.
> Opening this Jira as a placeholder and will add a document soon (++days) on
> the same to capture some of the discussion around this area in recent days.