  1. IMPALA
  2. IMPALA-7052

Impersonate the real user in reading/writing HDFS


Details

    • New Feature
    • Status: Resolved
    • Major
    • Resolution: Duplicate
    • None
    • None
    • Backend, Security
    • None

    Description

      Currently, FileMetadata is loaded by catalogd using the process's username, which is usually "impala". We judge the authorization using Sentry after the metadata is loaded. However, in the backend, when reading/writing HDFS, we are still using the process's username but not the query's username (the real user).

      In a Hadoop cluster without Sentry, it may only use ACLs for authorization. Our behavior prevents it from working correctly since the real username is not used in reading/writing HDFS.

      We should provide a server level option for admins to decide whether to enable impersonation in Backend. If so, propagate the real username to RequestRange and impersonate the real user.
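
      A simplified model of the ACL mismatch described above, added here as an illustration and not taken from Impala or Hadoop code: it evaluates HDFS-style ACLs once as the process user and once as the query's real user. The users, groups, paths and permission values are constructed sample data, and `allowed`, `decide` and `mismatches` are hypothetical helper names.

```python
# Added example: simplified model of HDFS ACL evaluation, not Impala or Hadoop code.
from dataclasses import dataclass, field

R, W = 4, 2  # read and write permission bits

@dataclass
class Inode:
    path: str
    owner: str
    group: str
    mode: tuple                                       # (owner, group, other) bits
    named_users: dict = field(default_factory=dict)   # ACL user:<name> entries
    named_groups: dict = field(default_factory=dict)  # ACL group:<name> entries
    mask: int = 7                                     # ACL mask; 7 filters nothing

def allowed(inode, user, groups, want):
    """Evaluation order: owner, named user, group entries, then other."""
    if user == inode.owner:
        return (inode.mode[0] & want) == want
    if user in inode.named_users:
        return (inode.named_users[user] & inode.mask & want) == want
    entries = {inode.group: inode.mode[1], **inode.named_groups}
    matched = [entries[g] & inode.mask for g in groups if g in entries]
    if matched:  # once a group entry matches, "other" is never consulted
        return any((p & want) == want for p in matched)
    return (inode.mode[2] & want) == want

# Constructed sample data: group membership and two files.
GROUPS = {"impala": ["impala", "hive"], "alice": ["analysts"], "bob": ["analysts"]}
FILES = [
    Inode("/warehouse/fin/pay.parq", "hive", "hive", (6, 4, 0),
          named_users={"alice": R}, mask=R),
    Inode("/user/alice/staging.parq", "alice", "analysts", (6, 0, 0)),
]

def decide(inode, query_user, want, impersonate, process_user="impala"):
    """Access decision for the identity the backend presents to HDFS."""
    user = query_user if impersonate else process_user
    return allowed(inode, user, GROUPS[user], want)

def mismatches(query_user, want=R):
    """Paths where process identity and real user get different answers."""
    out = []
    for f in FILES:
        as_proc = decide(f, query_user, want, impersonate=False)
        as_real = decide(f, query_user, want, impersonate=True)
        if as_proc != as_real:
            out.append((f.path, as_proc, as_real))
    return out
```

      Each tuple is (path, decision as process user, decision as real user): a `True, False` pair is a read the ACLs would have denied to the real user, and a `False, True` pair is a query that fails although the ACLs permit that user.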


          People

            Unassigned
            stigahuang Quanlong Huang