Details
- Bug
- Status: Closed
- Minor
- Resolution: Fixed
Description
Please refer to the following Impala documentation:
https://impala.apache.org/docs/build3x/html/topics/impala_delegation.html
The following clarifications are needed for better understanding:
When using the option --authorized_proxy_user_config='user1=user2':
- authentication is happening based on the user on the left hand side (user1)
- authorization is happening based on the right hand side user(s) (user2)
- you can list the users to enable the delegation for them using the delimiter stated in the authorized_proxy_user_config_delimiter switch (default: ","), e.g. user1=user2,user3,user4, or enable it for any user with *. Multiple entries are delimited by ";" (user1=user2;user3=user4)
- it is not straightforward (at least it wasn't for me) that the delegation doesn't happen automatically when connecting with user1; the client must be able to provide the delegated username when opening the session (via "DelegationUID") (user2 in this case)
- it is not necessary for user1 to have the permission to access/edit files
- it is not necessary for user2 to have access to the service via Kerberos
- delegated username must exist in the OS to be able to match the permissions
- in Impala user() will be user1 and effective_user() will be user2
- it is a security matter in the client to prevent unauthorized access for the delegate-able users
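
A small model of the semantics listed above, as an added example (not part of the original report and not Impala's implementation): it parses an `authorized_proxy_user_config` value and shows that delegation only takes effect when the client supplies a `DelegationUID`. The function names and the sample users (hue, etl, alice, bob, carol) are constructed for illustration, and names are compared as exact strings.

```python
# Added illustration: a model of the documented semantics, not Impala's code.

def parse_proxy_config(value, user_delimiter=","):
    """Parse 'user1=user2,user3;user4=*' into {proxy_user: {delegates}}."""
    rules = {}
    for entry in value.split(";"):          # entries are separated by ';'
        entry = entry.strip()
        if not entry:
            continue
        proxy, sep, delegates = entry.partition("=")
        proxy = proxy.strip()
        names = {d.strip() for d in delegates.split(user_delimiter) if d.strip()}
        if not sep or not proxy or not names:
            raise ValueError(f"malformed entry: {entry!r}")
        rules.setdefault(proxy, set()).update(names)
    return rules


def resolve_session(rules, authenticated_user, delegation_uid=None):
    """Return (user, effective_user) for a session, or raise PermissionError.

    authenticated_user is the left-hand side (who logged in);
    delegation_uid is the name the client sent when opening the session.
    """
    if not delegation_uid:
        # No DelegationUID sent: nothing is delegated, even for a proxy user.
        return authenticated_user, authenticated_user
    allowed = rules.get(authenticated_user, set())
    if "*" in allowed or delegation_uid in allowed:
        return authenticated_user, delegation_uid
    raise PermissionError(
        f"{authenticated_user!r} may not delegate to {delegation_uid!r}")


if __name__ == "__main__":
    # Constructed sample value: hue may act as alice or bob, etl as anyone.
    rules = parse_proxy_config("hue=alice,bob;etl=*")
    for user, uid in [("hue", None), ("hue", "alice"), ("etl", "carol"),
                      ("hue", "carol"), ("alice", "bob")]:
        try:
            print(user, uid, "->", resolve_session(rules, user, uid))
        except PermissionError as exc:
            print(user, uid, "-> denied:", exc)
```

The last two cases are the ones worth auditing in a real deployment: a proxy user requesting a name outside its list, and an ordinary user with no entry attempting to delegate at all.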