Impersonation: enforce target-role checks & cache#246

Merged: jamals86 merged 1 commit into main from 029-datafusion-modernization on May 1, 2026
Conversation

@jamals86 (Member) commented May 1, 2026

Unifies and tightens EXECUTE AS USER (impersonation) authorization and hot-path optimizations.

Key changes:

  • Introduces can_impersonate_target_user as the shared gate that allows self-targeting or role-matrix checks.
  • Uses the new helper across API handlers, SQL impersonation service, and session permissions to centralize authorization decisions and produce clearer audit/errors.
  • UsersTableProvider now maintains an in-memory privileged-role cache (Service/Dba/System) with role_for_impersonation_target to avoid per-request lookups for high-cardinality users; cache is refreshed at startup and updated on user changes.
  • SqlImpersonationService resolves target IDs and checks target-role via the privileged-role cache, auditing allowed/denied attempts and returning clearer Unauthorized errors.
  • ExecutionContext and table/provider comments updated to clarify explicit identity boundaries and cross-user authorization requirements.
  • API: file download endpoint now enforces impersonation authorization for user-table downloads and documents default subject scoping.
  • Tests and docs updated to reflect the role matrix (self-target allowed as no-op) and to exercise allowed/denied EXECUTE AS USER edges.
  • Minor formatting and test ergonomics fixes elsewhere.

Rationale: centralize impersonation policy, make cross-user checks fast and auditable, and ensure ordinary user-table reads remain subject-scoped unless an explicit, authorized EXECUTE AS USER is performed.
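As an added illustration of the design described above (not the project's own code), here is a minimal Rust sketch of a shared gate with self-target no-op, a privileged-role cache with a safe "ordinary user" default on miss, and an entry point that audits both outcomes and returns an Unauthorized error on denial. The role matrix, the `User` role, the numeric ids and the function signatures are assumptions made for this example.

```rust
use std::collections::HashMap;

/// Role names are assumptions; the page only names Service, Dba and System as
/// the privileged roles kept in the cache. Anyone else is an ordinary User.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Role { User, Service, Dba, System }

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Decision { SelfNoOp, Allowed, Denied }

/// In-memory cache holding only privileged roles, refreshed at startup and
/// updated on user changes, so ordinary (high-cardinality) users never need a lookup.
#[derive(Default)]
pub struct PrivilegedRoleCache { roles: HashMap<u64, Role> }

impl PrivilegedRoleCache {
    /// Startup refresh: keep every privileged user; plain users are dropped.
    pub fn refresh(&mut self, rows: &[(u64, Role)]) {
        self.roles = rows.iter().copied().filter(|(_, r)| *r != Role::User).collect();
    }
    /// Keep the cache coherent on user changes; a demotion removes the entry.
    pub fn on_user_changed(&mut self, user_id: u64, role: Role) {
        if role == Role::User { self.roles.remove(&user_id); } else { self.roles.insert(user_id, role); }
    }
    /// A cache miss means "ordinary user", the safe default for the matrix.
    pub fn role_for_impersonation_target(&self, target: u64) -> Role {
        self.roles.get(&target).copied().unwrap_or(Role::User)
    }
}

/// Shared gate: self-targeting is a no-op; otherwise the role matrix decides.
/// The matrix below is an assumed example, not the project's actual policy.
pub fn can_impersonate_target_user(actor_id: u64, actor_role: Role, target_id: u64,
                                   cache: &PrivilegedRoleCache) -> Decision {
    if actor_id == target_id { return Decision::SelfNoOp; }
    let allowed = match (actor_role, cache.role_for_impersonation_target(target_id)) {
        (Role::System, _) => true,                                  // System may target anyone
        (Role::Dba, Role::User) | (Role::Dba, Role::Service) => true,
        (Role::Service, Role::User) => true,                        // Service only targets plain users
        _ => false,                                                 // plain users impersonate nobody
    };
    if allowed { Decision::Allowed } else { Decision::Denied }
}

/// EXECUTE AS USER entry point: returns the effective subject id or a clear
/// Unauthorized error, and records an audit line for every cross-user attempt.
pub fn execute_as_user(actor_id: u64, actor_role: Role, target_id: u64,
                       cache: &PrivilegedRoleCache, audit: &mut Vec<String>) -> Result<u64, String> {
    let decision = can_impersonate_target_user(actor_id, actor_role, target_id, cache);
    audit.push(format!("execute_as_user actor={} target={} decision={:?}", actor_id, target_id, decision));
    match decision {
        Decision::Denied => Err(format!("Unauthorized: user {} may not impersonate {}", actor_id, target_id)),
        _ => Ok(target_id),
    }
}
```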

@jamals86 jamals86 merged commit 9253512 into main May 1, 2026