Inbound Impersonation

Dremio supports Inbound Impersonation for ODBC and JDBC connections, where one user, the proxy user, impersonates an end user and submits queries on the end user’s behalf. The authorizations for these queries are evaluated based on the impersonated user’s identity. An administrator must authorize the proxy user to submit queries on behalf of the end user by defining inbound impersonation policies.

Configuring Inbound Impersonation

Requirements

Ensure that you meet the following requriements:

  • You have a Dremio-version-4.0-or-later cluster installed and accessible.

Configure Inbound Impersonation

The following steps provide an example of how to configure Inbound Impersonation:

  1. Create depta_user and deptb_user as User roles within Dremio. These users (illustrated below) can only query datasets to which they have permissions.

  2. Create a service account (in this case tpcds_service) as the generic access for the specific datasource or dataset as shown in the example below.

  3. Specify that the tpcds_service user has access to a specific data source (or dataset). In this case, allow only queries on the tpcds-Hive3.default datasource directory.

  4. Setup the inbound impersonation policies and confirm that the exec.impersonation.inbound.policies are updated.

    You can update the policies as mentioned in the following syntax.

    ALTER SYSTEM SET "exec.impersonation.inbound.policies"='[ {proxy_principals:{users: [<user1>]}, target_principals: {users: [<impersonation_target_value>]}},{proxy_principals:{users: [<user2>]}, target_principals: {users: [<usern]}}]' 
    

    The policies are illustrated below.

Inbound Impersonation is configured on the cluster for queries using the depta_user and deptb_user.