Inbound Impersonation

An administrator can define inbound impersonation policies to impersonate the end user.

Drill supports user impersonation where queries run as the user that created a connection. However, this user is not necessarily the end user who submits the queries. For example, in a classic three-tier architecture, the end user interacts with Tableau Desktop, which communicates with a Tableau Server, which in turn communicates with a Drill cluster. In this scenario, a proxy user creates a connection, and the queries are submitted to Drill by the proxy user on behalf of the end user, and not by the end user directly. In this particular case, the query needs run run as the end user.

The proxy user must be authorized to submit queries on behalf of the specified end user. Otherwise, any user can impersonate another user. The query runs as the end user, and data authorization is based on this user’s access permissions. Note that without authentication enabled in both communication channels, a user can impersonate any other user.

Drill trusts proxy users to provide the correct end user identity information. Drill does not authenticate the end user. The proxy user (application) is responsible for end user authentication, which is usually enabled.

The following diagram shows how identity is propagated through various layers (with authentication enabled). The flow on the left is Drill with user impersonation enabled. The flow on the right is Drill with user impersonation and inbound impersonation enabled. t:euser is a property on the connection (u is username, pis password, t is impersonation_target).

The following topic provides instructions for configuring inbound impersonation: