[IMPALA-8828] Support impersonation via http paths - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: Impala 3.3.0
Fix Version/s: Impala 3.3.0
Component/s: Clients
Labels:
- security

Epic Color:
ghx-label-8

Description

When clients connect over http, we should allow them to perform impersonation via the 'doAs' parameter, eg. by specifying a path of the form '/?doAs=<username>'

This is useful for example for Apache Knox, which proxies connections to Impala and authenticates as itself via Kerberos but runs queries as other users.

We can leverage the existing support for impersonation, eg. knox would have to be included in 'authorized_proxy_user_config' to be able to do the impersonation

Attachments

Sub-Tasks

Impala Doc: Document impersonalization via HTTP and Knox authentication

Closed

Alexandra Rodoni

Activity

People

Assignee:: Thomas Tauber-Marshall

Reporter:: Thomas Tauber-Marshall

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 02/Aug/19 19:17

Updated:: 06/Aug/19 17:07

Resolved:: 06/Aug/19 04:19