[ https://issues.apache.org/jira/browse/HAWQ-1089?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alastair "Bell" Turner updated HAWQ-1089:
-----------------------------------------
    Description: 
 HAWQ currently implements the Postgres SET ROLE and SET SESSION constructs 
which can overwrite the session_user and current_user environment variables. 
This allows a superuser (gpadmin) to change the visible user identity.

If these changeable identities are passed down for impersonation then it 
invalidates some of the security benefits that user impersonation is supposed 
to provide.

Changing the current SET ROLE and SET SESSION behaviour would have knock-on 
effects for the security model for executing functions.

The least intrusive route to having reliable user identity information to pass 
down is exposing the originally authorised user and authorisation method (as 
defined in pg_hba) as read-only session variables (maybe called auth_user and 
auth_method?) in the session.


  was:
 HAWQ currently implements the Postgres SET ROLE and SET SESSION constructs 
which can overwrite the session_user and current_user environment variables. 
This allows a superuser (gpadmin) to change the visible user identity.

If these changeable identities are passed down for impersonation then it 
invalidates some of the security benefits that user impersonation is supposed 
to provide.

Changing the current SET ROLE and SET SESSION behaviour would have knock-on 
effects for the security model for executing functions.

The least intrusive route to having reliable user identity information to pass 
down is exposing the originally authorised user and authorisation method (as 
defined in pg_hba) as read-only environment variables (maybe called auth_user 
and auth_method?) in the session.



> Implement trustworthy user identity session variables
> -----------------------------------------------------
>
>                 Key: HAWQ-1089
>                 URL: https://issues.apache.org/jira/browse/HAWQ-1089
>             Project: Apache HAWQ
>          Issue Type: Sub-task
>          Components: Security
>            Reporter: Alastair "Bell" Turner
>            Assignee: Lei Chang
>             Fix For: backlog
>
>
>  HAWQ currently implements the Postgres SET ROLE and SET SESSION constructs 
> which can overwrite the session_user and current_user environment variables. 
> This allows a superuser (gpadmin) to change the visible user identity.
> If these changeable identities are passed down for impersonation then it 
> invalidates some of the security benefits that user impersonation is supposed 
> to provide.
> Changing the current SET ROLE and SET SESSION behaviour would have knock-on 
> effects for the security model for executing functions.
> The least intrusive route to having reliable user identity information to 
> pass down is exposing the originally authorised user and authorisation method 
> (as defined in pg_hba) as read-only session variables (maybe called auth_user 
> and auth_method?) in the session.


