Uploaded image for project: 'IMPALA'
  1. IMPALA
  2. IMPALA-5552

Proxy user list should support groups

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • None
    • Impala 2.13.0, Impala 3.1.0
    • Frontend
    • None
    • ghx-label-8

    Description

      The authorized_proxy_user_config takes a map of user->doAsUser* - i.e. user is allowed to impersonate any users in the list of doAsUsers.

      For enterprise deployments, this would be better specified as a list of groups, rather than a a list of users:

      user1->group*

      When accepting a query, Impala will check that the doAs user is a member of any of the list of groups specified for the connecting user.

      HiveServer2 does this via Hadoop-level proxy user privileges (e.g.
      {{<property>
      <name>hadoop.proxyuser.user1.hosts</name>
      <value>doAsUser1,doAsUser2</value>
      </property>
      <property>
      <name>hadoop.proxyuser.user1.groups</name>
      <value>doAsGroup1,doAsGroup2</value>
      </property>}}

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. IMPALA-6730 Support group impersonation for authorization requests

          • Major - Major loss of function.
          • Open
          There are no Sub-Tasks for this issue.

          Activity

            People

              fredyw Fredy Wijaya
              tmgstev Tristan Stevens
              Votes:
              1 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: