[AMORO-2692] Support proxy user in terminal #2693
Conversation
github-actions
bot
added
module:core
link3280
changed the title
link3280
force-pushed
the
feat/terminal_impersonation
branch
from
3e2cb05
to
bc7fb08
Compare
|
I‘m looking forwared to this PR! But I have some questions |
|
@xieyi888 Thanks for your input!
Do you mean the kerberos authentication? Ideally, the terminal would use the UGI in TableMetaStore.RuntimeContext, but in fact the UGI cannot cover the usages like Iceberg async tasks. This PR mainly makes the spark user right. For example, the table created would have the proxy user as its owner. WRT authorization, I think that's the catalog's job and not relevant to the amoro terminal.
I think it's doable via Kyuubi. But I haven't got the chance to verify it yet. |
|
@link3280 From your PR, it seems that you are calling terminal by REST API? so that you can pass the proxyUser from http parameters. But this is not working for user executing SQL via WebBrowser. |
That's right. This PR doesn't involve web UI changes. |
| rs = | ||
| tableMetaStore.doAsImpersonating( | ||
| proxyUser, () -> session.executeStatement(catalog, statement)); |
There was a problem hiding this comment.
I tend to check whether to call doAs or doAsImpersonating here, and try not to modify the code of the TableMetastore.
Hi @link3280, Can you explain more details how to execute SQL statements with configured user? |
Why are the changes needed?
Close #2692.
Brief change log
How was this patch tested?
Add some test cases that check the changes thoroughly including negative and positive cases if possible
Add screenshots for manual tests if appropriate
Run test locally before making a pull request
Documentation