Open lianneli opened 2 years ago
I am afraid that choosing the group name by connection param, without appropriate authentication or management, may cause privilege leaking, group-level resource control leaking, etc.
Does Hadoop have the primary group concept?
Another user-group binding in my mind is #3308, fetching UserStore from Ranger, which contains user-to-group(s) relations. But authz is a Spark engine-side plugin.
We can extract the GroupProvider traits and provide different mechanisms.
Yes, continue to allow choosing the group name via params and check whether it is in the allowed groups, with different mechanisms such as LDAP, Kerberos, JDBC, Ranger UserStore, etc.
I thought so once, but getting groups from Kerberos or Ranger UserStore makes it more complex for the Kyuubi server. Maybe enhancing the org.apache.kyuubi.service.authentication.PasswdAuthenticationProvider is more effective. For my scenario, selecting one group name from UGI GroupNames through JDBC is enough.
I guess this PR can solve the issue. cc @lianneli @pan3793
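The membership check discussed in the comments above, written out as an added example (not code from Kyuubi or from any participant in this thread): the group named in a connection parameter is honoured only if a server-side lookup confirms the authenticated user belongs to it. The `GroupProvider` signature, `StaticGroupProvider`, `GroupSelection`, and the parameter key `example.engine.share.group` are hypothetical names chosen for illustration.

```scala
// Hypothetical trait: one implementation per backend (UGI, LDAP, Ranger UserStore, ...).
trait GroupProvider {
  /** Groups of the already-authenticated user, default group first. */
  def groups(user: String): Seq[String]
}

// Constructed stand-in for a real backend, so the example runs offline.
class StaticGroupProvider(table: Map[String, Seq[String]]) extends GroupProvider {
  override def groups(user: String): Seq[String] = table.getOrElse(user, Seq.empty)
}

object GroupSelection {
  // Hypothetical connection parameter carrying the client's requested group.
  val RequestedGroupKey = "example.engine.share.group"

  /** Right(group) to use for the group share level, or Left(reason) to reject the session. */
  def resolve(
      user: String,
      conf: Map[String, String],
      provider: GroupProvider): Either[String, String] = {
    // Membership always comes from the server-side provider, never from the client.
    val memberOf = provider.groups(user)
    conf.get(RequestedGroupKey).map(_.trim) match {
      case None | Some("") =>
        // No request: fall back to the first group, as happens today.
        memberOf.headOption.toRight(s"user '$user' has no groups")
      case Some(requested) if memberOf.contains(requested) =>
        // Exact, case-sensitive match against the server-side group list.
        Right(requested)
      case Some(requested) =>
        // Fail closed: do not silently fall back to another group.
        Left(s"user '$user' is not a member of requested group '$requested'")
    }
  }
}

object Demo extends App {
  // Constructed sample data.
  val provider = new StaticGroupProvider(Map("alice" -> Seq("etl", "analytics")))
  val key = GroupSelection.RequestedGroupKey
  println(GroupSelection.resolve("alice", Map.empty, provider))          // default group
  println(GroupSelection.resolve("alice", Map(key -> "analytics"), provider)) // allowed
  println(GroupSelection.resolve("alice", Map(key -> "finance"), provider))   // rejected
  println(GroupSelection.resolve("bob", Map(key -> "etl"), provider))         // rejected
}
```

Rejecting a request for a group the user is not in, rather than falling back to the default group, keeps the denial visible to the client and gives the server a single place to log refused group requests.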
Describe the feature
When a user has several groups in UGI, the user can choose the group needed when using the group share level.
Motivation
Group level is more efficient than user level, with less time spent applying for resources and fewer parameters to optimize. For the user, engines for different groups mean different queues and different resources. Now the group is chosen automatically by the header group in UGI, which may not be flexible for the user, and the upper-level platform cannot provide a better suggestion for the user.
Describe the solution
Em... maybe I can solve this problem by using parameters transferred by the JDBC connection.