[Improvement] Using [session user] as [proxy user] to execute statements at the server share level #5687
Comments
|
Hello @theoryxu, |
|
@theoryxu we can do that, for GROUP and SERVER share level, configurablly. actually, this only covers the execution at the driver side, such as DDL commands, when the query triggers a Job, the task executed on the executor side still uses the application user. |
|
I know that STS supports that, I suppose it has same issue I mentioned above, also cc @wangyum |
|
@pan3793 |
|
OK, that sounds reasonable. |
…ements at the server and group share level
|
@pan3793 Hi bro, I have submitted a PR. Could you review it? Thanks. |
|
@theoryxu ack. thanks for your contribution, I will take a look soon |
…ements at the server and group share level; Kerberos Compatible
Code of Conduct
Search before asking
What would you like to be improved?
At the server share level, If I don't use the Ranger AuthZ Plugin, multiple users use the system user's credential, who submits the spark job, to access HDFS, rather than their owner credential.
So on the HDFS side, all actions are executed as the system user, so the HDFS Ranger Plugin loses control.
I want to find a way for all session users can use their own Identity to access HDFS. Thus at the server share level, session users could be under minimum access control.
How should we improve?
I read Kyuubi's code And found the function setting appropriate configs for each session user. 👇
https://github.com/apache/kyuubi/blob/master/externals/kyuubi-spark-sql-engine/src/main/scala/org/apache/kyuubi/engine/spark/operation/SparkOperation.scala#L130
Maybe we can set [session user] as [proxy user] to execute statements, like this: 👇
Are there some lurking issues or concerns at the system level?
Looking forward to your opinions very much!
Are you willing to submit PR?
The text was updated successfully, but these errors were encountered: