-
Notifications
You must be signed in to change notification settings - Fork 392
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
User Impersonation #2897
Comments
Hello @wufh43 In DBeaver, we already have some related features. Which is closer to your case?
|
What I think is missing (in Cloudbeaver) is the ability to pass the identity of the currently logged-in user to the database. What I'd ideally like for my use case is to be able to define a connection like below (in {
"connections": {
"trino_jdbc-191ea0b43aa-7b6a1bd84a57b6e": {
"provider": "generic",
"driver": "trino_jdbc",
"name": "localhost 2",
"save-password": true,
"configuration": {
"host": "localhost",
"port": "8080",
"url": "jdbc:trino://localhost:8080",
"configurationType": "MANUAL",
"type": "dev",
"closeIdleConnection": true,
"properties": {
"sessionUser": "$CLOUDBEAVER_LOGGED_IN_USER"
},
"auth-model": "native"
}
}
}
} Where |
That's because this is sensitive information.
https://dbeaver.com/docs/dbeaver/Project-security/ As an option (but I didn't check) you can try this |
I don't understand what you mean. Which piece of information is sensitive in the example I gave? Impersonation works by using a single service account, with a username and password (which IS sensitive information) and then setting the session property What is missing currently is a way to access the ID of the user using CloudBeaver, and passing that to Trino on a per-session basis. |
@LonwoLonwo Is there any more information you need regarding this issue? It is still marked as Please let me know if you need more info. |
I am also interested in this feature fwiw. We use superset which has this feature with trino but there are other use cases where dbeaver is obviously better and user impersonation would be quite helpful for our use case |
If it was possible to set the So, yes, resolving variables in driver properties, and having a variable for the "currently logged in user" would be great. We don't configure cloudbeaver using the UI, so for us it would be important that the solution works for configuration files too, hence my example from above: {
"connections": {
"trino_jdbc-191ea0b43aa-7b6a1bd84a57b6e": {
"provider": "generic",
"driver": "trino_jdbc",
"name": "localhost 2",
"save-password": true,
"configuration": {
"host": "localhost",
"port": "8080",
"url": "jdbc:trino://localhost:8080",
"configurationType": "MANUAL",
"type": "dev",
"closeIdleConnection": true,
"properties": {
"sessionUser": "$CLOUDBEAVER_LOGGED_IN_USER"
},
"auth-model": "native"
}
}
}
} |
Is your feature request related to a problem? Please describe.
For databases that support user impersonation, it would be great if CloudBeaver could impersonate the currently logged in user so that the database could make correct authorization decisions.
For example:
Trino allows user impersonation, either using a session property for the JDBC driver 1 or by executing a
SET SESSION AUTHORIZATION
statement 2.Describe the solution you'd like
I'd like to be able to enable user impersonation on a per-connection basis.
When enabled, CloudBeaver would take the necessary actions to impersonate the currently logged in user for that connection.
For Trino, that would mean either using a session property, or executing a
SET SESSION AUTHORIZATION
.The text was updated successfully, but these errors were encountered: