
[DOCS] authorization_proxy_user_config needs clarification


Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • None
    • Impala 3.1.0
    • Docs
    • None

    Description

      Please refer to the following Impala documentation:

      https://impala.apache.org/docs/build3x/html/topics/impala_delegation.html

       

      The following clarifications are needed for better understanding:

      When using this option --authorized_proxy_user_config='user1=user2':

      • authentication is happening based on the user on the left hand side (user1)
      • authorization is happening based on the right hand side user(s) (user2)
      • you can list the users to enable the delegation for them using the delimiter stated in the authorized_proxy_user_config_delimiter switch (default: ","), e.g. user1=user2,user3,user4, or enable it for any user with *. Multiple entries are delimited by ";" (user1=user2;user3=user4)
      • it is not straightforward (at least it wasn't for me) that the delegation doesn't happen automatically when connecting with user1; the client must be able to provide the delegated username (user2 in this case) when opening the session (via "DelegationUID")
      • it is not necessary for user1 to have the permission to access/edit files
      • it is not necessary for user2 to have access to the service via Kerberos
      • delegated username must exist in the OS to be able to match the permissions
      • in Impala user() will be user1 and effective_user() will be user2
      • it is a security matter in the client to prevent unauthorized access for the delegate-able users
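
      The rules listed above, modelled as an added Python example (not Impala's code and not part of the original ticket). The function names, the sample value and the svc_bi account are hypothetical, and the model assumes that a session opened without a DelegationUID keeps effective_user() equal to user().

```python
# Added model of the delegation rules described in this ticket (not Impala source).
from typing import Dict, Optional, Set, Tuple


def parse_proxy_config(value: str, user_delimiter: str = ",") -> Dict[str, Set[str]]:
    """Parse 'user1=user2,user3;user3=user4' into {proxy_user: {delegates}}."""
    table: Dict[str, Set[str]] = {}
    for entry in value.split(";"):  # entries are separated by ";"
        entry = entry.strip()
        if not entry:
            continue
        proxy, sep, delegates = entry.partition("=")
        proxy = proxy.strip()
        if not sep or not proxy:
            raise ValueError(f"malformed entry: {entry!r}")
        names = {d.strip() for d in delegates.split(user_delimiter) if d.strip()}
        table.setdefault(proxy, set()).update(names)
    return table


def resolve_session(table: Dict[str, Set[str]], authenticated_user: str,
                    delegation_uid: Optional[str] = None) -> Tuple[str, str]:
    """Return (user, effective_user) or raise PermissionError."""
    if delegation_uid is None:
        # Assumption of this model: without a DelegationUID no delegation happens.
        return authenticated_user, authenticated_user
    if not delegation_uid:
        raise PermissionError("empty delegated username")
    allowed = table.get(authenticated_user, set())
    if "*" in allowed or delegation_uid in allowed:
        return authenticated_user, delegation_uid
    raise PermissionError(
        f"{authenticated_user!r} may not delegate to {delegation_uid!r}")


# Constructed sample value, following the syntax given in the ticket.
SAMPLE_CONFIG = "user1=user2,user3,user4;svc_bi=*"

if __name__ == "__main__":
    table = parse_proxy_config(SAMPLE_CONFIG)
    print(resolve_session(table, "user1"))             # no DelegationUID sent
    print(resolve_session(table, "user1", "user2"))    # listed delegate
    print(resolve_session(table, "svc_bi", "anyone"))  # wildcard entry
    try:
        resolve_session(table, "user2", "user1")       # user2 is not a proxy user
    except PermissionError as exc:
        print("denied:", exc)
```

      The wildcard entry illustrates the last point of the list: an account mapped to * can act as any user, so the client holding its credentials decides which identity each request runs under.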
         

       


          People

            arodoni Alexandra Rodoni
            fzsombor Zsombor Fedor