    Inbound Impersonation

    Dremio supports Inbound Impersonation for JDBC connections, where one user, the proxy user, impersonates an end user and submits queries on the end user’s behalf. The authorizations for these queries are evaluated based on the impersonated user’s identity. An administrator must authorize the proxy user to submit queries on behalf of the end user by defining inbound impersonation policies.

    Configuring Inbound Impersonation

    Requirements

    Ensure that you meet the following requirements:

    • You have a cluster running Dremio version 4.0 or later installed and accessible.

    Configure Inbound Impersonation

    The following steps provide an example of how to configure Inbound Impersonation:

    1. Create depta_user and deptb_user as User roles within Dremio. These users (illustrated below) can only query datasets to which they have permissions.

    2. Create a service account (in this case tpcds_service) to provide generic access to the specific data source or dataset, as shown in the example below.

    3. Specify that the tpcds_service user has access to a specific data source (or dataset). In this case, allow only queries on the tpcds-Hive3.default datasource directory.

    4. Set up the inbound impersonation policies and confirm that exec.impersonation.inbound_policies is updated.

      You can update the policies using the following syntax.

      Syntax for updating policies
      ALTER SYSTEM SET "exec.impersonation.inbound_policies"='[ {proxy_principals:{users: [<user1>]}, target_principals: {users: [<impersonation_target_value>]}},{proxy_principals:{users: [<user2>]}, target_principals: {users: [<usern>]}}]'
      

      The policies are illustrated below.

    This image shows an example of a query that would be run for inbound impersonation.

    Inbound Impersonation is configured on the cluster for queries using the depta_user and deptb_user.
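
The following is an added example, not part of the Dremio documentation: it renders the step 4 statement for the users named in this walkthrough and checks a policy value for proxy-to-target pairs that go beyond the intended grants. It assumes that depta_user and deptb_user are the proxy users and tpcds_service is the impersonation target (swap the mapping if your deployment is the other way round) and that user names are written as double-quoted strings; admin_user and all function names are made up for the illustration.

```python
import json
import re

OPTION = "exec.impersonation.inbound_policies"

def build_policies(grants):
    """{proxy_user: [target_user, ...]} -> one policy object per proxy user."""
    return [{"proxy_principals": {"users": [proxy]},
             "target_principals": {"users": sorted(targets)}}
            for proxy, targets in sorted(grants.items())]

def render_value(policies):
    """Serialize with bare keys, the way the page's syntax line writes them."""
    body = json.dumps(policies)
    body = re.sub(r'"(proxy_principals|target_principals|users)":', r"\1:", body)
    if "'" in body:  # would terminate the SQL string literal early
        raise ValueError("single quote in a principal name")
    return body

def to_alter_system(policies):
    return f"ALTER SYSTEM SET \"{OPTION}\"='{render_value(policies)}'"

def parse_value(value):
    """Re-quote the bare keys so the option value parses as JSON."""
    return json.loads(re.sub(r'([{,]\s*)([A-Za-z_]+)\s*:', r'\1"\2":', value))

def unexpected_grants(value, allowed):
    """(proxy, target) pairs the policy permits that `allowed` does not."""
    extra = []
    for policy in parse_value(value):
        for proxy in policy["proxy_principals"].get("users", []):
            for target in policy["target_principals"].get("users", []):
                if target not in allowed.get(proxy, ()):
                    extra.append((proxy, target))
    return extra

# Assumed direction: department users are proxies, service account is target.
ALLOWED = {"depta_user": ["tpcds_service"], "deptb_user": ["tpcds_service"]}
# Constructed sample of a drifted value; admin_user is a made-up name.
DRIFTED = ('[{proxy_principals:{users:["depta_user"]},target_principals:{users:["tpcds_service"]}},'
           '{proxy_principals:{users:["deptb_user"]},target_principals:{users:["tpcds_service","admin_user"]}}]')

if __name__ == "__main__":
    print(to_alter_system(build_policies(ALLOWED)))
    print(unexpected_grants(DRIFTED, ALLOWED))  # pairs to investigate
```

Running the check against the value currently set on the cluster, with the intended mapping kept in version control, surfaces any proxy that has gained a target it was never meant to impersonate.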