apache / kyuubi

Apache Kyuubi is a distributed and multi-tenant gateway to provide serverless SQL on data warehouses and lakehouses.
https://kyuubi.apache.org/
Apache License 2.0

[FEATURE] choose one group when using group share level #3482

Open lianneli opened 2 years ago

lianneli commented 2 years ago

Describe the feature

When a user has several groups in UGI, the user can choose the group needed when using the group share level.

Motivation

Group level is more efficient than user level, with less time spent applying for resources and fewer parameters to optimize. For the user, engines for different groups mean different queues and different resources. Now the group is chosen automatically by the header group in UGI, which may not be flexible for the user, and the upper-level platform cannot provide a better suggestion for the user.

Describe the solution

Em... maybe I can solve this problem by using parameters transferred by the JDBC connection.

Additional context

No response

Are you willing to submit PR?

bowenliang123 commented 2 years ago

I am afraid that choosing the group name by connection param, without appropriate authentication or management, may cause privilege leaking, group-level resource control leaking, etc.

pan3793 commented 2 years ago

Does Hadoop have the primary group concept?

bowenliang123 commented 2 years ago

Another user-group binding in my mind is #3308, fetching UserStore from Ranger, which contains user-to-group(s) relations. But authz is a Spark engine-side plugin.

pan3793 commented 2 years ago

We can extract the GroupProvider traits and provide different mechanisms.

bowenliang123 commented 2 years ago

Yes, continue to allow choosing the group name via params and check whether it is in the allowed groups with different mechanisms with LDAP, Kerberos, JDBC, Ranger UserStore, etc.

lianneli commented 2 years ago

I thought so once, but getting groups from Kerberos or Ranger UserStore makes it more complex for the Kyuubi server. Maybe enhancing org.apache.kyuubi.service.authentication.PasswdAuthenticationProvider is more effective. For my scenario, selecting one group name from UGI GroupNames through JDBC is enough.
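
The check discussed in the comments above (accept a group name from a connection parameter only when a server-side lookup confirms the authenticated user belongs to it), as an added Scala example that is not Kyuubi's code or any commenter's. The `GroupProvider` trait shape, `StaticGroupProvider`, `GroupSelector` and the `session.requested.group` parameter name are hypothetical, and the user-to-group mapping is constructed sample data.

```scala
// Added illustration; all names here are hypothetical, not Kyuubi's actual API.
trait GroupProvider {
  /** Groups the server itself resolves for an authenticated user, primary group first. */
  def groups(user: String): Seq[String]
}

// Constructed in-memory mapping standing in for a UGI, LDAP or Ranger UserStore lookup.
class StaticGroupProvider(mapping: Map[String, Seq[String]]) extends GroupProvider {
  override def groups(user: String): Seq[String] = mapping.getOrElse(user, Seq.empty)
}

object GroupSelector {
  // Hypothetical connection parameter carrying the client's requested group.
  val RequestedGroupKey = "session.requested.group"

  /** Returns the group whose shared engine the session may use, or Left with the reason. */
  def select(
      user: String,
      connParams: Map[String, String],
      provider: GroupProvider): Either[String, String] = {
    // Membership always comes from the server-side provider, never from the client.
    val allowed = provider.groups(user)
    connParams.get(RequestedGroupKey).map(_.trim).filter(_.nonEmpty) match {
      // No request: keep the automatic choice of the first (primary) group.
      case None => allowed.headOption.toRight(s"user $user has no groups")
      // A requested group is honoured only when the lookup confirms membership.
      case Some(g) if allowed.contains(g) => Right(g)
      // Fail closed instead of silently falling back, so the denial can be audited.
      case Some(g) => Left(s"user $user is not a member of group $g")
    }
  }
}

object Demo extends App {
  val provider = new StaticGroupProvider(Map("alice" -> Seq("etl", "analytics")))
  val key = GroupSelector.RequestedGroupKey
  println(GroupSelector.select("alice", Map.empty, provider))
  println(GroupSelector.select("alice", Map(key -> "analytics"), provider))
  println(GroupSelector.select("alice", Map(key -> "finance"), provider))
}
```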

HaoYang670 commented 1 year ago

I guess this PR can solve the issue. cc @lianneli @pan3793