Description
Currently, FileMetadata is loaded by catalogd using the process's username, which is usually "impala". We judge the authorization using Sentry after the metadata is loaded. However, in the backend, when reading/writing HDFS, we still use the process's username rather than the query's username (the real user).
In a Hadoop cluster without Sentry, it may only use ACLs for authorization. Our behavior prevents this from working correctly, since the real username is not used when reading/writing HDFS.
We should provide a server-level option for admins to decide whether to enable impersonation in the backend. If it is enabled, propagate the real username to RequestRange and impersonate the real user.
Issue Links
- duplicates IMPALA-2177 Implement End-User Impersonation for Impala (Open)