[jira] [Work started] (IMPALA-7222) [DOCS] authorization_proxy_user_config needs clarification

Thu, 26 Jul 2018 17:06:37 -0700 


     [ 
https://issues.apache.org/jira/browse/IMPALA-7222?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Work on IMPALA-7222 started by Alex Rodoni.
-------------------------------------------
> [DOCS] authorization_proxy_user_config needs clarification
> ----------------------------------------------------------
>
>                 Key: IMPALA-7222
>                 URL: https://issues.apache.org/jira/browse/IMPALA-7222
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Docs
>            Reporter: Zsombor Fedor
>            Assignee: Alex Rodoni
>            Priority: Minor
>
> Please refer to the following Impala documentation:
> [https://impala.apache.org/docs/build3x/html/topics/impala_delegation.html]
>  
> The following clarifications needed for better understanding:
> When using this option --authorized_proxy_user_config= 'user1=user2' :
>  * authentication is happening based on the user on the left hand side 
> (_user1_)
>  * authorization is happening based on the right hand side user(s) (_user2_)
>  * you can list the users to enable the delegation for them using the 
> delimiter stated in authorized_proxy_user_config_delimiter switch (default: 
> ",") eg.: _user1_=_user2_,_user3_,_user4_ or enable for any user by *. More 
> entries delimited by ";" (_user1_=_user2_;_user3_=_user4_)
>  * it is not straightforward (at least it wasn't for me) that the delegation 
> doesn't happen automatically when connecting with _user1,_ the client must be 
> able to provide delegated username when opening the session (via 
> "DelegationUID"). ((_user2_ in this case))
>  * it is not necessary for _user1_ to have the permission to access/edit files
>  * it is not necessary for _user2_ to have access to the service via Kerberos
>  * delegated username must exist in the OS to be able to match the permissions
>  * in Impala user() will be _user1_ and effective_user() will be _user2_
>  * {color:#000000}it is a security matter in the client to prevent 
> unauthorized access for the delegate-able users{color}
>  
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscr...@impala.apache.org
For additional commands, e-mail: issues-all-h...@impala.apache.org

Reply via email to