[jira] [Commented] (IMPALA-8828) Support impersonation via http paths

Tue, 06 Aug 2019 10:08:09 -0700 


    [ 
https://issues.apache.org/jira/browse/IMPALA-8828?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16901286#comment-16901286
 ] 

Thomas Tauber-Marshall commented on IMPALA-8828:
------------------------------------------------

Yes, in the places where it says that the delegated user can be set using the 
hiveserver2 property impala.doas.user we should add that clients that connect 
over the http interface can specify the 'doAs' parameter in the http path.

We should probably also document the Knox integration work in general. I think 
for now its fine to just mention in impala_authentication.html that we support 
proxying connections to Impala through Knox. We'll may eventually want to give 
it a full page explaining the whole process, but that's not very high priority 
at the moment (it doesn't even technically work yet, and once it does it should 
be pretty straight forward to set up once users follow Knox's own docs)

> Support impersonation via http paths
> ------------------------------------
>
>                 Key: IMPALA-8828
>                 URL: https://issues.apache.org/jira/browse/IMPALA-8828
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Clients
>    Affects Versions: Impala 3.3.0
>            Reporter: Thomas Tauber-Marshall
>            Assignee: Thomas Tauber-Marshall
>            Priority: Major
>              Labels: security
>             Fix For: Impala 3.3.0
>
>
> When clients connect over http, we should allow them to perform impersonation 
> via the 'doAs' parameter, eg. by specifying a path of the form 
> '/?doAs=<username>'
> This is useful for example for Apache Knox, which proxies connections to 
> Impala and authenticates as itself via Kerberos but runs queries as other 
> users.
> We can leverage the existing support for impersonation, eg. knox would have 
> to be included in 'authorized_proxy_user_config' to be able to do the 
> impersonation



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to