Configuring Inbound Impersonation
Administrators can configure inbound impersonation in the
drill-override.conf
file.
Complete the following steps to enable inbound impersonation:
- If user impersonation is not enabled, you must enable it before configuring inbound
impersonation. To enable user impersonation, edit
/opt/mapr/drill/drill-<version>/drill-override.conf
and set the option to true, as shown:{ drill.exec.impersonation.enabled: true, ... }
- Define inbound impersonation policies. For example, the following ALTER SYSTEM statement
authorizes:
puser1
to impersonate any user (use * as a wildcard character)puser2
to impersonateeuser1
and all users inegroup2
-
all users in
pgroup3
to impersonate all users inegroup3
ALTER SYSTEM SET `exec.impersonation.inbound_policies`='[ { proxy_principals : { users: ["puser1"] }, target_principals: { users: ["*"] } }, { proxy_principals : { users: ["puser2"] }, target_principals: { users: ["euser1"], groups : ["egroup2"] } }, { proxy_principals : { groups: ["pgroup3"] }, target_principals: { groups: ["egroup3"] } } ]';
Policy format:{ proxy_principals : { users : ["...", "..."], groups : ["...", "..."] }, target_principals: { users : ["...", "..."], groups : ["...", "..."] } }
- Ensure that the proxy user (application) passes the username of the impersonation target
user to Drill when creating a connection through the
impersonation_target
connection property. For example, through sqlline:bin/sqlline -u "jdbc:drill:schema=dfs;zk=myclusterzk;impersonation_target=euser1" -n puser1 -p ppass1
NOTE
In this example, puser1
is the user submitting the queries. This
user is authenticated. Since this user is authorized to impersonate any user, queries
through the established connection are run as euser1
.