Description
HAWQ currently implements the Postgres SET ROLE and SET SESSION constructs, which can overwrite the session_user and current_user environment variables. This allows a superuser (gpadmin) to change the visible user identity.
If these changeable identities are passed down for impersonation then it invalidates some of the security benefits that user impersonation is supposed to provide.
Changing the current SET ROLE and SET SESSION behaviour would have knock-on effects for the security model for executing functions.
The least intrusive route to having reliable user identity information to pass down is exposing the originally authorised user and authorisation method (as defined in pg_hba) as read-only session variables (maybe called auth_user and auth_method?) in the session.
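The session below is an added illustration, not part of the original issue or of HAWQ's code. It shows why neither session_user nor current_user is a reliable identity to pass down. It assumes a psql session authenticated as gpadmin, uses SET SESSION AUTHORIZATION as the Postgres statement behind the SET SESSION construct named above, and uses two hypothetical roles, alice and bob.

```sql
-- Constructed example: run in a session authenticated as the superuser gpadmin.
-- alice and bob are hypothetical roles created only for this demonstration.
CREATE ROLE alice LOGIN;
CREATE ROLE bob LOGIN;

-- Baseline: both values name the user that authenticated through pg_hba.
SELECT session_user, current_user;

-- SET ROLE rewrites current_user only; session_user still names gpadmin.
SET ROLE bob;
SELECT session_user, current_user;
RESET ROLE;

-- SET SESSION AUTHORIZATION rewrites session_user and current_user together.
-- From here on, no value visible in the session names gpadmin, so anything
-- impersonating on the basis of either variable acts as alice.
SET SESSION AUTHORIZATION alice;
SELECT session_user, current_user;

-- The proposed read-only auth_user / auth_method variables (they do not exist
-- today) are the values that would still report gpadmin and the pg_hba method
-- at this point.

-- Restore the authenticated identity and clean up.
RESET SESSION AUTHORIZATION;
SELECT session_user, current_user;
DROP ROLE alice;
DROP ROLE bob;
```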