[
https://issues.apache.org/jira/browse/DRILL-4281?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15179083#comment-15179083
]
ASF GitHub Bot commented on DRILL-4281:
---------------------------------------
Github user jacques-n commented on a diff in the pull request:
https://github.com/apache/drill/pull/400#discussion_r54977178
--- Diff:
exec/java-exec/src/main/java/org/apache/drill/exec/util/UserDelegationUtil.java
---
@@ -0,0 +1,147 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ * <p/>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p/>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.drill.exec.util;
+
+import com.fasterxml.jackson.core.JsonGenerator;
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.core.type.TypeReference;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.collect.Sets;
+import org.apache.drill.common.exceptions.UserException;
+import org.apache.drill.exec.server.options.OptionValue;
+import org.apache.drill.exec.server.options.TypeValidators;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.Set;
+
+/**
+ * Utilities for user delegation purpose.
+ */
+public class UserDelegationUtil {
+ private static final org.slf4j.Logger logger =
org.slf4j.LoggerFactory.getLogger(UserDelegationUtil.class);
+
+ private static final String STAR = "*";
+
+ private static final ObjectMapper delegationDefinitionsMapper = new
ObjectMapper();
+
+ static {
+
delegationDefinitionsMapper.configure(JsonGenerator.Feature.QUOTE_FIELD_NAMES,
false);
+
delegationDefinitionsMapper.configure(JsonParser.Feature.ALLOW_UNQUOTED_FIELD_NAMES,
true);
+ }
+
+ private static class DelegationDefinition {
+ public UserGroupDefinition delegates = new UserGroupDefinition();
+ public UserGroupDefinition delegators = new UserGroupDefinition();
+ }
+
+ private static class UserGroupDefinition {
+ public Set<String> users = Sets.newHashSet();
+ public Set<String> groups = Sets.newHashSet();
+ }
+
+ /**
+ * Deserialize delegation definitions string to a list of delegation
definition objects.
+ *
+ * @param delegationDefinitions delegation definitions as a sting
+ * @return delegation definitions as a list of objects
+ * @throws IOException
+ */
+ public static List<DelegationDefinition>
deserializeDelegationDefinitions(final String delegationDefinitions)
+ throws IOException {
+ return delegationDefinitionsMapper.readValue(delegationDefinitions,
+ new TypeReference<List<DelegationDefinition>>() {});
+ }
+
+ /**
+ * Validator for delegation definitions.
+ */
+ public static class DelegationDefinitionsValidator extends
TypeValidators.AdminOptionValidator {
+
+ public DelegationDefinitionsValidator(String name, String def) {
+ super(name, def);
+ }
+
+ @Override
+ public void validate(OptionValue v) {
+ super.validate(v);
+
+ final List<DelegationDefinition> definitions;
+ try {
+ definitions = deserializeDelegationDefinitions(v.string_val);
+ } catch (final IOException e) {
+ throw UserException.validationError()
+ .message("Invalid delegation definition.\nDetails: %s",
e.getMessage())
+ .build(logger);
+ }
+
+ for (final DelegationDefinition definition : definitions) {
+ if (definition.delegates.users.contains(STAR) ||
+ definition.delegates.groups.contains(STAR)) {
+ throw UserException.validationError()
+ .message("No wildcard delegates allowed.")
+ .build(logger);
+ }
+ }
+ }
+ }
+
+ /**
+ * Check if the given delegate is authorized to delegate for the
delegator based on the delegation definitions.
+ *
+ * @param delegateName delegate name
+ * @param delegatorName delegator name
+ * @param delegationDefinitions valid delegation definitions
+ * @return true iff delegate is authorized to delegate for the delegator
+ */
+ public static boolean hasDelegationPrivileges(final String delegateName,
final String delegatorName,
+ final String
delegationDefinitions) throws IOException {
+ final List<DelegationDefinition> definitions;
+ try {
+ definitions =
deserializeDelegationDefinitions(delegationDefinitions);
+ } catch (final IOException up) {
+ // This never happens. delegationDefinitions must have been
validated.
+ logger.warn("Delegation definitions must have been validated.");
+ throw up;
+ }
+
+ final UserGroupInformation delegateUgi =
ImpersonationUtil.createProxyUgi(delegateName);
--- End diff --
@vkorukanti, can you review these ImpressionUtil usages?
> Drill should support inbound impersonation
> ------------------------------------------
>
> Key: DRILL-4281
> URL: https://issues.apache.org/jira/browse/DRILL-4281
> Project: Apache Drill
> Issue Type: Improvement
> Reporter: Keys Botzum
> Assignee: Sudheesh Katkam
> Labels: doc-impacting, security
>
> Today Drill supports impersonation *to* external sources. For example I can
> authenticate to Drill as myself and then Drill will access HDFS using
> impersonation
> In many scenarios we also need impersonation to Drill. For example I might
> use some front end tool (such as Tableau) and authenticate to it as myself.
> That tool (server version) then needs to access Drill to perform queries and
> I want those queries to run as myself, not as the Tableau user. While in
> theory the intermediate tool could store the userid & password for every user
> to the Drill this isn't a scalable or very secure solution.
> Note that HS2 today does support inbound impersonation as described here:
> https://issues.apache.org/jira/browse/HIVE-5155
> The above is not the best approach as it is tied to the connection object
> which is very coarse grained and potentially expensive. It would be better if
> there was a call on the ODBC/JDBC driver to switch the identity on a existing
> connection. Most modern SQL databases (Oracle, DB2) support such function.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
