Quanlong Huang created IMPALA-7052:
--------------------------------------
Summary: Impersonate the real user in reading/writing HDFS
Key: IMPALA-7052
URL: https://issues.apache.org/jira/browse/IMPALA-7052
Project: IMPALA
Issue Type: New Feature
Components: Backend, Security
Reporter: Quanlong Huang
Currently, FileMetadata is loaded by catalogd using the process's username
which is usually "impala". We judge the authorization using Sentry after the
metadata is loaded. However, in the backend, when reading/writing HDFS, we are
still using the process's username but not the query's username (the real user).
In a Hadoop cluster without Sentry, it may only use ACLs for authorization. Our
behavior prevents it from working correctly since the real username is not used in
reading/writing HDFS.
We should provide a server-level option for admins to decide whether to enable
impersonation in the Backend. If so, propagate the real username to RequestRange
and impersonate the real user.