Add Support for Per-Query-User-Information / Impersonation #257

Merged
merged 3 commits into from
Apr 13, 2024

FabianScheidt
Member

@FabianScheidt FabianScheidt commented Mar 12, 2024

One of the awesome features in Trino is that the session user can be different from the authenticated user. This allows the authenticated user to impersonate other users.

This PR adds a setting that allows impersonating the current Grafana user, so we can use the same connection and dashboards for users with different permissions (similar to what we can do with Apache Superset). If enabled, the current user login will be passed as X-Trino-User.

Hope you find this useful and consider merging. I'm happy to make changes if needed.

Fixes #251

cla-bot bot commented Mar 12, 2024

Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla

Member

@nineinchnick nineinchnick left a comment

This is great, I would have never figured it out myself, thanks!

@nineinchnick
Member

@cla-bot check

cla-bot bot commented Mar 18, 2024

The cla-bot has been summoned, and re-checked this pull request!

@FabianScheidt
Member Author

Seems like my CLA has been processed :)

@cla-bot check

@cla-bot cla-bot bot added the cla-signed label Apr 4, 2024
cla-bot bot commented Apr 4, 2024

The cla-bot has been summoned, and re-checked this pull request!

@nineinchnick
Member

I'll test this manually, merge this and do a new release somewhere over the weekend.

@FabianScheidt
Member Author

Oh, if you need a test setup, here's mine: It's the Example HTTP Connector with File-based access control. If you build a dashboard for the numbers table, admin should be able to see all contents. If you impersonate alice, she should only see even numbers.

example-http.properties

```properties
connector.name=example-http
metadata-uri=https://trino-http-example.s3.eu-central-1.amazonaws.com/example-metadata.json
```

access-control.properties

```properties
access-control.name=file
security.config-file=/etc/trino/rules.json
```

rules.json

```json
{
  "tables": [
    {
      "user": "alice",
      "catalog": "example-http",
      "schema": "example",
      "table": "numbers",
      "privileges": ["SELECT"],
      "filter": "value % 2 = 0"
    },
    {
      "user": "alice",
      "privileges": ["SELECT"]
    },
    {
      "user": "admin",
      "privileges": ["SELECT"]
    }
  ],
  "impersonation": [
    {
      "original_role": "admin",
      "new_user": ".*",
      "allow": true
    }
  ]
}
```
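
The header decision described in the PR text above, as an added example that is not taken from the plugin's code: `Settings`, `sessionUser`, `newTrinoRequest` and the `trino.invalid` host are assumed names. With impersonation enabled it rejects a request that has no usable login instead of falling back to the connection's own user, which in the test setup above may impersonate anyone.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Settings is a hypothetical stand-in for the data source configuration.
type Settings struct {
	ServiceUser string // user the shared connection authenticates as
	Impersonate bool   // assumed name for the setting this PR describes
}

var errNoLogin = errors.New("impersonation enabled but no usable Grafana login")

// sessionUser chooses the X-Trino-User value. With impersonation enabled it
// fails closed: an empty or malformed login never falls back to ServiceUser.
func sessionUser(s Settings, grafanaLogin string) (string, error) {
	if !s.Impersonate {
		return s.ServiceUser, nil
	}
	login := strings.TrimSpace(grafanaLogin)
	if login == "" || strings.ContainsAny(login, "\r\n\x00") {
		return "", errNoLogin
	}
	return login, nil
}

// newTrinoRequest builds (but does not send) a statement request for that user.
func newTrinoRequest(s Settings, grafanaLogin, sql string) (*http.Request, error) {
	user, err := sessionUser(s, grafanaLogin)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodPost, "http://trino.invalid:8080/v1/statement", strings.NewReader(sql))
	if err == nil {
		req.Header.Set("X-Trino-User", user)
	}
	return req, err
}

func main() {
	s := Settings{ServiceUser: "admin", Impersonate: true}
	for _, login := range []string{"admin", "alice", ""} { // constructed logins
		_, err := newTrinoRequest(s, login, "SELECT * FROM example.numbers")
		fmt.Printf("login=%q err=%v\n", login, err)
	}
}
```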

@nineinchnick nineinchnick merged commit e5336a1 into trinodb:main Apr 13, 2024
2 checks passed
@nineinchnick
Member

1.0.7 was just accepted by Grafana and published in their catalog, thanks again!
