Uploaded image for project: 'IMPALA'
  1. IMPALA
  2. IMPALA-7052

Impersonate the real user in reading/writing HDFS

    XMLWordPrintableJSON

Details

    • New Feature
    • Status: Resolved
    • Major
    • Resolution: Duplicate
    • None
    • None
    • Backend, Security
    • None
    • ghx-label-2

    Description

      Currently, FileMetadata is loaded by catalogd using the process's username which is usually "impala". We judge the authorization using Sentry after the metadata is loaded. However, in the backend, when reading/writing HDFS, we still using the process's username but not the query's username (the real user).

      In a Hadoop cluster without Sentry, it may only use ACLs for authorization. Our behavior prevents it to work correctly since the real username is not used in reading/writing HDFS.

      We should provide a server level option for admins to decide whether to enable impersonation in Backend. If so, propagate the real username to RequestRange and impersonate the real user.

      Attachments

        Issue Links

          duplicates

          New Feature - A new feature of the product, which has yet to be developed. IMPALA-2177 Implement End-User Impersonation for Impala

          • Major - Major loss of function.
          • Open

          Activity

            People

              Unassigned Unassigned
              stigahuang Quanlong Huang
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: