dbeaver / cloudbeaver

Cloud Database Manager
https://dbeaver.com/
Apache License 2.0
3.52k stars 382 forks

User Impersonation #2897

Open wufh43 opened 2 months ago

wufh43 commented 2 months ago

Is your feature request related to a problem? Please describe.

For databases that support user impersonation, it would be great if CloudBeaver could impersonate the currently logged in user so that the database could make correct authorization decisions.

For example: Trino allows user impersonation, either using a session property for the JDBC driver [1] or by executing a SET SESSION AUTHORIZATION statement [2].

Describe the solution you'd like

I'd like to be able to enable user impersonation on a per-connection basis. When enabled, CloudBeaver would take the necessary actions to impersonate the currently logged in user for that connection.

For Trino, that would mean either using a session property, or executing a SET SESSION AUTHORIZATION.

LonwoLonwo commented 2 months ago

Hello @wufh43

In DBeaver, we already have some related features.

Which is closer to your case?

  1. The ability to set a Role for a specific database. We already have this in CloudBeaver for PostgreSQL, but we can add it for Trino.
  2. Or an ability to execute bootstrap queries before connection?

[screenshot]

[screenshot]

wufh43 commented 2 months ago

What I think is missing (in Cloudbeaver) is the ability to pass the identity of the currently logged-in user to the database.

What I'd ideally like for my use case is to be able to define a connection like below (in data-sources.json), where the name of the currently logged-in user can be injected, for example using a variable:

```json
{
  "connections": {
    "trino_jdbc-191ea0b43aa-7b6a1bd84a57b6e": {
      "provider": "generic",
      "driver": "trino_jdbc",
      "name": "localhost 2",
      "save-password": true,
      "configuration": {
        "host": "localhost",
        "port": "8080",
        "url": "jdbc:trino://localhost:8080",
        "configurationType": "MANUAL",
        "type": "dev",
        "closeIdleConnection": true,
        "properties": {
          "sessionUser": "$CLOUDBEAVER_LOGGED_IN_USER"
        },
        "auth-model": "native"
      }
    }
  }
}
```

Where $CLOUDBEAVER_LOGGED_IN_USER would of course be replaced by the user id.

LonwoLonwo commented 2 months ago

That's because this is sensitive information.

By default, user names and passwords are stored in the credentials-config.json file, encrypted with a DES key. However, this key is not secure as it is publicly available in DBeaver source files, making it possible for unauthorized third parties to decrypt the file using external software.

https://dbeaver.com/docs/dbeaver/Project-security/

As an option (but I didn't check) you can try adding defaultUser="root" to your driver information.

wufh43 commented 2 months ago

I don't understand what you mean.

Which piece of information is sensitive in the example I gave?

Impersonation works by using a single service account, with a username and password (which IS sensitive information) and then setting the session property sessionUser to the user ID to impersonate. Trino will authenticate using the username/password as normal, but then execute any statements as the sessionUser instead of the service account (the service account needs to be granted impersonation privileges in Trino, but that is outside CloudBeaver).

What is missing currently is a way to access the ID of the user using CloudBeaver, and passing that to Trino on a per-session basis.
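The mechanism laid out in the first post (the two Trino options: a JDBC session property or a SET SESSION AUTHORIZATION statement) and in the comment above (one service account authenticates, then statements run as the sessionUser, provided Trino's impersonation rules grant the service account that right), as an added example that is not part of this issue, of CloudBeaver or of Trino. It is a small Python model: the access-control file, the service account name `cloudbeaver_svc`, the password and the user names are all constructed; the rule semantics (regex `original_user` / `new_user`, `allow` flag, first matching rule wins, no match means deny) follow Trino's documented file-based impersonation rules but are re-implemented here in simplified form, and the server-side check in `authorize_session` stands in for what Trino does, not how it does it.

```python
import json
import re

# Constructed sample of a Trino file-based system access control file. The
# rule semantics modelled below (original_user / new_user regexes, allow
# flag, first matching rule wins, no match means deny) follow the Trino docs,
# but this is a simplified re-implementation for illustration, not Trino's code.
ACCESS_CONTROL_JSON = """
{
  "impersonation": [
    { "original_user": "cloudbeaver_svc", "new_user": "admin", "allow": false },
    { "original_user": "cloudbeaver_svc", "new_user": "[a-z][a-z0-9._-]{0,63}", "allow": true }
  ]
}
"""


def load_impersonation_rules(text):
    return json.loads(text).get("impersonation", [])


def may_impersonate(rules, original_user, new_user):
    """True if original_user may run statements as new_user."""
    if original_user == new_user:           # acting as yourself is not impersonation
        return True
    for rule in rules:
        if re.fullmatch(rule["original_user"], original_user) and \
           re.fullmatch(rule["new_user"], new_user):
            return bool(rule.get("allow", True))
    return False                            # no rule matched: deny


def jdbc_properties(service_user, service_password, session_user):
    """Mechanism 1: driver properties. The driver authenticates as the service
    account and sends session_user as the identity to execute under. The name
    travels as a property, not inside SQL text, so nothing needs escaping."""
    return {"user": service_user, "password": service_password, "sessionUser": session_user}


def set_session_authorization(session_user):
    """Mechanism 2: the SQL statement form. Here the name is spliced into a
    string literal, so single quotes must be doubled or a name like o'brien
    breaks the statement (and a crafted name could inject SQL)."""
    if not session_user or "\x00" in session_user:
        raise ValueError("invalid session user")
    return "SET SESSION AUTHORIZATION '%s'" % session_user.replace("'", "''")


def authorize_session(rules, props):
    """Mimic the server-side decision for a new connection: user/password
    authenticate the service account; sessionUser is honoured only if the
    impersonation rules allow it, otherwise the connection is refused."""
    requested = props.get("sessionUser") or props["user"]
    if not may_impersonate(rules, props["user"], requested):
        raise PermissionError("%s may not impersonate %s" % (props["user"], requested))
    return requested


if __name__ == "__main__":
    rules = load_impersonation_rules(ACCESS_CONTROL_JSON)
    props = jdbc_properties("cloudbeaver_svc", "s3cret", "alice")   # constructed values
    print("statements run as:", authorize_session(rules, props))
    print(set_session_authorization("o'brien"))
```

The property route needs no escaping because the user name never enters SQL text, which is one reason to prefer it over the statement route when both are available. In either case the authorization decision is Trino's: the client only asks to act as a user, and the impersonation rules decide whether the service account may.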

wufh43 commented 1 month ago

@LonwoLonwo Is there any more information you need regarding this issue? It is still marked as wait-for-response.

Please let me know if you need more info.

1seanob1337 commented 1 month ago

I am also interested in this feature fwiw. We use Superset, which has this feature with Trino, but there are other use cases where DBeaver is obviously better, and user impersonation would be quite helpful for our use case.

LonwoLonwo commented 3 weeks ago

So, I found a place in our UI where you can configure the session user parameter for the Trino database.

[screenshot]

But you said you want to see some automation. Okay, in this case, we can probably add a variable resolver for driver properties in the data-sources config.

wufh43 commented 2 weeks ago

If it was possible to set the sessionUser variable to the value of the currently logged in user, this would work.

So, yes, resolving variables in driver properties, and having a variable for the "currently logged in user" would be great.

We don't configure CloudBeaver using the UI, so for us it would be important that the solution works for configuration files too, hence my example from above:

```json
{
  "connections": {
    "trino_jdbc-191ea0b43aa-7b6a1bd84a57b6e": {
      "provider": "generic",
      "driver": "trino_jdbc",
      "name": "localhost 2",
      "save-password": true,
      "configuration": {
        "host": "localhost",
        "port": "8080",
        "url": "jdbc:trino://localhost:8080",
        "configurationType": "MANUAL",
        "type": "dev",
        "closeIdleConnection": true,
        "properties": {
          "sessionUser": "$CLOUDBEAVER_LOGGED_IN_USER"
        },
        "auth-model": "native"
      }
    }
  }
}
```
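The variable resolver for driver properties that the last two comments discuss, as an added example that is not CloudBeaver's code: CloudBeaver does not define `$CLOUDBEAVER_LOGGED_IN_USER` or this resolver, so the variable syntax, the `ResolveError` type, the user-name pattern and the trimmed `data-sources.json` fragment are all assumptions made for illustration. The two checks a practitioner would want are in `resolve_driver_properties`: the substituted value has to be the identity the server authenticated (never something the client sends along with the request, or the client picks whom to impersonate), and an unresolved or malformed name must fail closed rather than reach the driver.

```python
import json
import re

# Constructed data-sources.json fragment, the same shape as the one posted in
# the thread; the host/port/save-password fields are omitted for brevity.
DATA_SOURCES_JSON = """
{
  "connections": {
    "trino_jdbc-191ea0b43aa-7b6a1bd84a57b6e": {
      "provider": "generic",
      "driver": "trino_jdbc",
      "name": "localhost 2",
      "configuration": {
        "url": "jdbc:trino://localhost:8080",
        "properties": { "sessionUser": "$CLOUDBEAVER_LOGGED_IN_USER" },
        "auth-model": "native"
      }
    }
  }
}
"""

# $NAME or ${NAME}; NAME is upper-case with digits/underscores (assumed syntax).
VAR_PATTERN = re.compile(r"\$(?:\{([A-Z][A-Z0-9_]*)\}|([A-Z][A-Z0-9_]*))")
# Shape of a user name we are willing to forward to the driver (assumed policy).
USER_NAME = re.compile(r"[a-z0-9][a-z0-9._@-]{0,127}", re.IGNORECASE)


class ResolveError(ValueError):
    """Raised when a property cannot be resolved safely (hypothetical type)."""


def resolve_value(value, variables):
    """Expand variables in one property value. An unknown name is an error, not
    a pass-through, so a typo can never send the literal text
    '$CLOUDBEAVER_LOGGED_IN_USER' to the database as the session user."""
    def replace(match):
        name = match.group(1) or match.group(2)
        if name not in variables:
            raise ResolveError("unknown variable $" + name)
        return variables[name]
    return VAR_PATTERN.sub(replace, value)


def resolve_driver_properties(config_text, connection_id, logged_in_user):
    """Driver properties for one connection with variables resolved from the
    server-side session. logged_in_user must be the identity CloudBeaver
    authenticated, never a value taken from the request, otherwise a client
    could choose whom to impersonate."""
    if not logged_in_user or not USER_NAME.fullmatch(logged_in_user):
        raise ResolveError("refusing to resolve: no valid authenticated user")
    conn = json.loads(config_text)["connections"][connection_id]
    props = conn["configuration"].get("properties", {})
    variables = {"CLOUDBEAVER_LOGGED_IN_USER": logged_in_user}
    return {key: resolve_value(val, variables) if isinstance(val, str) else val
            for key, val in props.items()}


if __name__ == "__main__":
    conn_id = "trino_jdbc-191ea0b43aa-7b6a1bd84a57b6e"
    print(resolve_driver_properties(DATA_SOURCES_JSON, conn_id, "alice"))   # constructed user
```

Resolution happens per session at connect time, so the same shared `data-sources.json` yields a different `sessionUser` for each logged-in user while the service-account credentials stay in the credentials store. Whether the database then honours that name is still decided by its own impersonation rules.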