Add support for User Impersonation #309
Conversation
|
Absolutely! I actually am going to review my changes as well to make sure no additional work is needed. The specific use case for this scenario is that WebUIs which leverage pyhive to interact with Presto are more often using SAML for authentication. Because of this, they have a username for the user, but no password because that is not communicated in the SAML Assertion payload. In that situation, when securing Presto they configure a service account to authenticate against Presto with. Unfortunately this means all security is applied based on that service account, and prevents you from creating user specific permissions when accessing data or user specific resource groups for controlling how much cluster resources they can leverage. With this change in place, it allows you to authenticate with the service account that is passed through by the application, and then tell Presto to execute the query as if it is run by the principle username. As long as Presto has been configured to allow the service account to execute queries as the principle username, presto will do so, applying the specific permissions and resource groups that are assign to that user. This allows you to leverage a user based resource allocation for the cluster and a user based permission model on the data being accessed through Presto. |
|
I have a similar use case, really interested in this pr :) |
Ralnoc
changed the title
Ralnoc
force-pushed
the
add_presto_user_impersonation
branch
from
14cef34 to
adc3171
Compare
|
@bkyryliuk - In addition, here is the Presto documentation as it relates to this feature: https://docs.starburstdata.com/latest/security/impersonation.html Please let me know if you would like me to add any more information to the PR. |
|
@bkyryliuk the CI seems having problems with Python 2.7, not sure why, but the pull request seems good. |
|
@elukey @Ralnoc - could you rebase the diff ? Master is green. |
Ralnoc
force-pushed
the
add_presto_user_impersonation
branch
from
adc3171 to
a57a9e7
Compare
Codecov Report
@@ Coverage Diff @@
## master #309 +/- ##
======================================
Coverage 93.2% 93.2%
======================================
Files 14 14
Lines 1500 1500
Branches 164 164
======================================
Hits 1398 1398
Misses 75 75
Partials 27 27
Continue to review full report at Codecov.
|
|
@bkyryliuk - |
Add ability to declare principle username to support User Impersonation within Presto. This allows the authentication with an user configured for supporting username assumption so that all queries run as the said user.
Ralnoc
force-pushed
the
add_presto_user_impersonation
branch
from
333287a to
11086b4
Compare
|
@Ralnoc this is great! Thank you |
|
Glad to help! Going to dig into using this in a few places as soon as the next version releases. |
|
@Ralnoc do u use superset? i'm not sure what apache/superset#3404 does if your PR was only just merged now. i'm trying to solve apache/superset#7170 |
|
I believe Superset uses SQLAlchemy to interact with Presto. I haven't looked deeper to see if it leverages PyHive through SQLAlchemy. That being said, reading over that issue in Superset, it looks like they implemented impersonation slightly differently. I'd have to read the code more in depth to see exactly how. I would suggest you make sure that you have the Impersonation Rules defined in Presto. https://docs.starburstdata.com/latest/security/impersonation.html#user-translation-rules Without those rules in place, I believe you will get a 401 error as the attempt to execute a query as another user is denied. |
Add ability to declare principle username to support User Impersonation within Presto. This allows the authentication with an user configured for supporting username assumption so that all queries run as the said user.