[IMPALA-5552] Proxy user list should support groups - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: None
Fix Version/s: Impala 2.13.0, Impala 3.1.0
Component/s: Frontend
Labels:
None

Epic Color:
ghx-label-8

Description

The authorized_proxy_user_config takes a map of user->doAsUser* - i.e. user is allowed to impersonate any users in the list of doAsUsers.

For enterprise deployments, this would be better specified as a list of groups, rather than a a list of users:

user1->group*

When accepting a query, Impala will check that the doAs user is a member of any of the list of groups specified for the connecting user.

HiveServer2 does this via Hadoop-level proxy user privileges (e.g.
{{<property>
<name>hadoop.proxyuser.user1.hosts</name>
<value>doAsUser1,doAsUser2</value>
</property>
<property>
<name>hadoop.proxyuser.user1.groups</name>
<value>doAsGroup1,doAsGroup2</value>
</property>}}

Attachments

Issue Links

is duplicated by

IMPALA-6730 Support group impersonation for authorization requests

Open

Sub-Tasks

Impala 3.1 Doc: Proxy user list should support groups

Closed

Alexandra Rodoni

Activity

People

Assignee:: Fredy Wijaya

Reporter:: Tristan Stevens

Votes:: 1 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 21/Jun/17 15:55

Updated:: 22/Dec/20 21:12

Resolved:: 14/Jun/18 22:30