How to impersonate a query_user() when querying a VDS?

vishnuu · October 12, 2021, 7:24am

Hello,

We are developing an internal API that allows users to download a VDS stored in Dremio Enterprise (without the user being aware of and connecting to Dremio).

We need to provide row/column level security for a given user who has requested access to a VDS. Currently, there is a service account which has full permissions on the VDS, however, we need to pass in the “query_user()” property to Dremio via ODBC to ensure the data returned respects the row/column level security of the end user.

The query job will still need to be run by the ‘service account’ however the query needs to be able to impersonate a user such as “JohnSmith001” to ensure the data is returned based on JohnSmith001 permissions.

Is this possible? For example:
EXECUTE AS [JohnSmith001]
Select * From [schema].[myVDS]

balaji.ramaswamy · October 13, 2021, 4:29am

@vishnuu Currently that is not possible but if the source is Hive or HDFS which supports impersonation and impersonation is turned on, you can uncheck “Allow VDS-based Access Delegation” and this will run the query as the logged in user

Topic		Replies	Views
Querying Specific User's Authorized Data using Dremio REST API Dremio University	1	359	August 22, 2023
How to create a view in dremio for set of parquet files	23	5174	October 16, 2019
Cannot use partitions filters using VDS	4	874	September 29, 2021
New job_results system table	1	1120	October 14, 2019
Update virtual dataset query using rest api	0	647	May 17, 2022

How to impersonate a query_user() when querying a VDS?

Related Topics