[jira] [Commented] (IMPALA-8828) Support impersonation via http paths

Mon, 05 Aug 2019 21:19:22 -0700 


    [ 
https://issues.apache.org/jira/browse/IMPALA-8828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16900604#comment-16900604
 ] 

ASF subversion and git services commented on IMPALA-8828:
---------------------------------------------------------

Commit bbe064ec194aff4ecf1e794bd4071df4ea4be166 in impala's branch 
refs/heads/master from Thomas Tauber-Marshall
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=bbe064e ]

IMPALA-8828: Support impersonation via http paths

This patch allows clients that connect over the HTTP server to specify
the 'doAs' parameter in the provided path in order to perform
impersonation.

The existing rules for impersonation are applied, i.e.
authorized_proxy_user_config or authorized_proxy_group_config must be
set with the appropriate values for impersonation to be successful.

Testing:
- Added a FE test that verifies impersonation works as expected with
  impala-shell and ldap.
- Manually tested with Apache Knox.

Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6
Reviewed-on: http://gerrit.cloudera.org:8080/13994
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>


> Support impersonation via http paths
> ------------------------------------
>
>                 Key: IMPALA-8828
>                 URL: https://issues.apache.org/jira/browse/IMPALA-8828
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Clients
>    Affects Versions: Impala 3.3.0
>            Reporter: Thomas Tauber-Marshall
>            Assignee: Thomas Tauber-Marshall
>            Priority: Major
>              Labels: security
>
> When clients connect over http, we should allow them to perform impersonation 
> via the 'doAs' parameter, eg. by specifying a path of the form 
> '/?doAs=<username>'
> This is useful for example for Apache Knox, which proxies connections to 
> Impala and authenticates as itself via Kerberos but runs queries as other 
> users.
> We can leverage the existing support for impersonation, eg. knox would have 
> to be included in 'authorized_proxy_user_config' to be able to do the 
> impersonation



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to