CDAP / CDAP-8342

Explore operations, when executed from containers, must impersonate the container's user id

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 4.1.0
    • Fix Version/s: 4.1.0
    • Component/s: Explore, Namespaces, Security
    • Labels:
      None
    • Release Notes:
      Fixed an issue where CDAP Explore operations from a program container running as a user were impersonating the namespace owner. Now they impersonate the respective program container users.

      Description

      For example, if a program creates a partition in a partitioned file set, it calls the explore service through the explore client injected into the PFS runtime instance. If the program runs as a user that is not authorized to add partitions to the PFS, then this must fail. However, today we impersonate all explore operations as the dataset owner regardless of where the request comes from.

            People

            • Assignee:
              rsinha Rohit Sinha
              Reporter:
              andreas Andreas Neumann