Add impersonation to related metastore calls #12002
Merged
electrum merged 1 commit into trinodb:master from zhangbutao:add_impersonation_to_related_metastore_calls on Apr 20, 2022
electrum approved these changes Apr 20, 2022

Member:
Thanks!

Contributor:
#11577 is fixed by this PR.
Description
In production env, we often turn on metastore server side authorization and audit. Metastore server authorization and audit need the real user of the client, therefore I think Trino should add impersonation to related metastore calls, e.g. getAllDatabases, getAllTables, listRoles.
Related issues, pull requests, and links
We often use metastore server authorization based on HDFS storage or Ranger authorization, and both of these authorizations need the real user of the metastore client. You can refer to the Hive JIRA:
https://issues.apache.org/jira/browse/HIVE-3705 metastore Storage Based Authorization
https://issues.apache.org/jira/browse/HIVE-21753 metastore Ranger Based Authorization
Documentation
( ) No documentation is needed.
( ) Sufficient documentation is included in this PR.
( ) Documentation PR is available with #prnumber.
( ) Documentation issue #issuenumber is filed, and can be handled later.
Release notes
( ) No release notes entries required.
( ) Release notes entries required with the following suggested text: