Inbound Impersonation Enterprise
Inbound impersonation allows users to run queries from clients like DBeaver and Tableau on objects in Dremio data sources under their own Dremio usernames. When you configure inbound impersonation, a proxy user that represents the client can authenticate to the data source through the target user's connection. When the proxy user runs queries, Dremio evaluates the target user's privileges against the required privileges. If the target user has the correct privileges for the queries from the proxy user, Dremio runs the queries as the proxy user.
Dremio supports inbound impersonation for Java Database Connectivity (JDBC) connections for Hadoop Distributed File System (HDFS) and Hive sources as well as for Dremio-to-Dremio sources.
For HDFS and Hive sources, before you define an inbound impersonation policy, you must configure impersonation for the HDFS or Hive source. You must also enable impersonation in the General and Advanced Options when you configure the connection to your HDFS or Hive source in Dremio.
For Dremio-to-Dremio sources, you must enable impersonation in the Advanced Options when you configure the connection to your Dremio source.
Prerequisite
Ensure that you have a Dremio-version-4.0-or-later cluster installed and accessible.
Policy Definition Methods
To configure inbound impersonation, a member of the ADMIN role in Dremio must define an inbound impersonation policy that authorizes proxy users to submit queries on behalf of target users.
Defining an inbound impersonation policy requires setting the value of the exec.impersonation.inbound_policies
support key to a specification that lists the proxy and target users and groups for the policy. You can set the policy by SQL query or by manually adding the support key.
In the specification, proxy_principals
are the users and groups that represent the client application. The proxy_principals
can submit Dremio queries on behalf of the target_principals
, which are the users and groups that are impersonated. A single specification can name users, groups, or a combination of users and groups as proxy_principals
and target_principals
.
Proxy and target principals can be internal or external users or external groups. Dremio does not support using internal roles as proxy or target principals.
Set Policy by SQL Query
Use the following syntax and template to set the exec.impersonation.inbound_policies
support key value by SQL query:
ALTER SYSTEM SET "exec.impersonation.inbound_policies"='[
{
proxy_principals:{
users:["<proxy_user_1>",
"<proxy_user_2>"]
},
target_principals:{
users:["<target_user_1>",
"<target_user_1>"]
}
},
{
proxy_principals:{
groups:["<proxy_group_1>",
"<proxy_group_2>"]
},
target_principals:{
groups:["<target_group_1>"]
}
},
{
proxy_principals:{
users:["<proxy_user_2>",
"<proxy_user_3>"]
},
target_principals:{
groups:["<target_group_3>"]
}
}
]'
Manually Set Policy with a Support Key
To set the exec.impersonation.inbound_policies
support key by manually adding it in the Dremio console:
Click in the left navigation bar.
Click Support in the sidebar.
Under Support Keys, in the field on the right side of the page, enter
exec.impersonation.inbound_policies
and click Show.In the field under the
Specification Template for Impersonation Policyexec.impersonation.inbound_policies
support key, replace the empty array value with the policy specification:[
{
proxy_principals:{
users:["<proxy_user_1>",
"<proxy_user_2>"]
},
target_principals:{
users:["<target_user_1>",
"<target_user_2>"]
}
},
{
proxy_principals:{
groups:["<proxy_group_1>",
"<proxy_group_2>"]
},
target_principals:{
groups:["<target_group_1>"]
}
},
{
proxy_principals:{
users:["<proxy_user_2>",
"<proxy_user_3>"]
},
target_principals:{
groups:["<target_group_3>"]
}
}
]Click Save.
Example Configuration
In this scenario:
The LDAP service includes a group named
ldapGroup
with membersa.alice
andb.bob
.The LDAP service includes a user named
tpcds_service
that represents DBeaver. Thetpcds_service
user does not belong to any groups.In Dremio, the
ldapGroup
has SELECT and ALTER privileges on the Hive source.Inbound impersonation is enabled for the Hive source in Dremio.
In this scenario,
ldapGroup
is the target principal andtpcds_service
is the proxy principal.
To tell Dremio to allow the tpcds_service
user to impersonate members of the ldapGroup
, set the exec.impersonation.inbound_policies
support key in Dremio to the following value:
[
{
proxy_principals:{
users:["tpcds_service"]
},
target_principals:{
groups:["ldapGroup"]
}
}
]
After the Dremio support key is set, Dremio allows tpcds_service
to impersonate any member of the ldapGroup
.
Permissions on a data source are always evaluated and enforced according to the impersonated user's identity and permissions. For example, while tpcds_service
is impersonating ldapGroup
, the permissions for tpcds_service
on the data source are ignored and the permissions for ldapGroup
permissions are applied.
If tpcds_service
should impersonate only a specific member of ldapGroup
, such as a.alice
, pass in the member as a user property in DBeaver to make sure that Dremio knows which member of the ldapGroup
to impersonate:
- In DBeaver, define a new user connection with the
tpcds_service
LDAP username and password. - In the new user connection's User Properties, create a new driver property and assign it the username you wish to impersonate. In this example, the username is
a.alice
.
The user a.alice
can now log in to DBeaver and run Dremio queries against the Hive source as a.alice
.
Confirming an Inbound Impersonation Policy
Use this SQL command to confirm whether an inbound impersonation policy is set:
SQL Query for Confirming an Inbound Impersonation PolicySELECT name, string_val
FROM sys.options
WHERE name = 'exec.impersonation.inbound_policies'
Deleting an Inbound Impersonation Policy
To delete the inbound impersonation policy by SQL query, run the following query in the SQL Runner:
SQL Query for Deleting an Inbound Impersonation PolicyALTER SYSTEM RESET "exec.impersonation.inbound_policies"
To delete the inbound impersonation policy by manually resetting the exec.impersonation.inbound_policies
support key in the Dremio console:
Click in the left navigation bar.
Click Support in the sidebar.
Under Support Keys, at the list on the left side of the page, find the
exec.impersonation.inbound_policies
support key.Click Reset.