gianm commented on PR #19236: URL: https://github.com/apache/druid/pull/19236#issuecomment-4225553988
> Are you proposing pushing the vending of credentials using an identity to the broker/overlord prior to task submission? I'd ideally like to propagate the auth context to the task and have it vend the credentials at runtime, not at submit time.

Yes, that's what I was proposing. There are a couple of reasons. First, because doing it at submit time needs fewer changes to core. Second, because one of the proposed changes to core — the propagation of the user's own credentials between Druid services — is not something we've done before, and I feel this requires extra care from a security perspective. I was hoping to avoid the need for it completely.

Maybe a hybrid approach would work? We could introduce `scopeForUser` in core and run it at submit time. In your custom extension, rather than applying vended credentials at scope/submit time, you could use `scopeForUser` to embed the user's own credentials in the input source. We could add a `PasswordProvider` field to `IcebergInputSource` to support that. Then you could use them at runtime in the task to acquire vended credentials.
