Uploaded image for project: 'Apache Drill'
  1. Apache Drill
  2. DRILL-8155

Introduce new plugin authentication modes



    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 1.20.0
    • 1.21.0
    • Security
    • None


      At present, Drill storage plugins can use a shared set of credentials to access storage on behalf of Drill users or, in a subset of cases belonging to the broader Hadoop family, they can impersonate the Drill user when drill.exec.impersonation.enabled = true.  An important but missing auth mode is [what is termed "user translation" in Trino|https://docs.starburst.io/latest/security/impersonation.html.]  Under user translation, the active Drill user is translated to a user known to the external storage by means of a translation table that associates Drill users with their credentials for the external storage.  No support for user impersonation in the external storage is required in this mode.  This ticket proposes that we add establish a design pattern that adds support for this auth mode to Drill storage plugins.

      Another present day limitation is that impersonation, for the plugins that support it, is toggled by a global switch.  We propose here that the auth mode chosen for a plugin should be independent of the auth modes chosen for other plugins, by a move of this option into their respective storage configs.

      Finally, while a standardised means of choosing an authentication mode is desired, note that not every storage plugin needs to, or can, support every mode.




            cgivre Charles Givre
            cgivre Charles Givre
            0 Vote for this issue
            2 Start watching this issue