[ https://issues.apache.org/jira/browse/IMPALA-7222?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Work on IMPALA-7222 started by Alex Rodoni. ------------------------------------------- > [DOCS] authorization_proxy_user_config needs clarification > ---------------------------------------------------------- > > Key: IMPALA-7222 > URL: https://issues.apache.org/jira/browse/IMPALA-7222 > Project: IMPALA > Issue Type: Bug > Components: Docs > Reporter: Zsombor Fedor > Assignee: Alex Rodoni > Priority: Minor > > Please refer to the following Impala documentation: > [https://impala.apache.org/docs/build3x/html/topics/impala_delegation.html] > > The following clarifications needed for better understanding: > When using this option --authorized_proxy_user_config= 'user1=user2' : > * authentication is happening based on the user on the left hand side > (_user1_) > * authorization is happening based on the right hand side user(s) (_user2_) > * you can list the users to enable the delegation for them using the > delimiter stated in authorized_proxy_user_config_delimiter switch (default: > ",") eg.: _user1_=_user2_,_user3_,_user4_ or enable for any user by *. More > entries delimited by ";" (_user1_=_user2_;_user3_=_user4_) > * it is not straightforward (at least it wasn't for me) that the delegation > doesn't happen automatically when connecting with _user1,_ the client must be > able to provide delegated username when opening the session (via > "DelegationUID"). ((_user2_ in this case)) > * it is not necessary for _user1_ to have the permission to access/edit files > * it is not necessary for _user2_ to have access to the service via Kerberos > * delegated username must exist in the OS to be able to match the permissions > * in Impala user() will be _user1_ and effective_user() will be _user2_ > * {color:#000000}it is a security matter in the client to prevent > unauthorized access for the delegate-able users{color} > > -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org For additional commands, e-mail: issues-all-h...@impala.apache.org