5.2 Multi-User Authorization
By default, queries executed using Oracle Big Data SQL run as the oracle user on the Hadoop cluster. All Hadoop audits in this default configuration show that the oracle user accessed the files.
Big Data SQL provides a feature called Multi-User Authorization that enables the database to impersonate a cluster user when accessing data on the Hadoop cluster. With Multi-User Authorization, the oracle identity is no longer used to authorize data access. Instead, the identity derived from the actual connected user receives authorization. Additionally, Hadoop audits will attribute file access to the connected user, rather than to oracle.
Users can connect to Oracle Database in several ways:
- As a database user
- As a Kerberos user
- As an LDAP user
- As an application user
Multi-User Authorization allows the administrator to specify how this connected user should be derived. For example, all users that connect to Oracle Database using their LDAP identity will use their authenticated identity when running queries on the Hadoop cluster. Alternatively, applications that manage their own users may use the Oracle Database client identifier to derive the currently connected user (and use that user’s identity to authorize access to data on the Hadoop cluster). Oracle Big Data SQL provides a mapping that contains the rules for identifying the actual user.
See Also:
- DBMS_BDSQL PL/SQL Package, which explains how to use this package to implement Multi-User Authorization.
- The Apache Foundation documentation at https://sentry.apache.org.
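The following PL/SQL is an added example, not from the Oracle documentation, showing how the three derivation rules described above (LDAP/Kerberos identity, application client identifier, fixed Hadoop account) are expressed as user maps. It assumes the DBMS_BDSQL.ADD_USER_MAP and REMOVE_USER_MAP parameter names and the SYS.BDSQL_USER_MAP table as documented in the DBMS_BDSQL package reference; the cluster name, schema names and Hadoop account names are constructed placeholders.

```sql
-- Added example (not from the Oracle documentation). Assumes the
-- DBMS_BDSQL.ADD_USER_MAP / REMOVE_USER_MAP parameter names and the
-- SYS.BDSQL_USER_MAP table from the DBMS_BDSQL reference; the cluster
-- name, schema names and Hadoop accounts below are constructed.
-- Run as a user with EXECUTE on DBMS_BDSQL (for example SYS).

-- Rule 1: any database user ('*') authenticated through LDAP or Kerberos is
-- impersonated on the cluster under the identity the database authenticated,
-- i.e. SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY').
BEGIN
  DBMS_BDSQL.ADD_USER_MAP(
    cluster_name                => 'bdsql_cluster',            -- constructed
    current_database_user       => '*',
    syscontext_namespace        => 'USERENV',
    syscontext_parm_hadoop_user => 'AUTHENTICATED_IDENTITY');
END;
/

-- Rule 2: an application schema that manages its own end users sets the
-- client identifier per session; that value becomes the impersonated Hadoop
-- user, so HDFS audits name the end user instead of APP_SCHEMA.
BEGIN
  DBMS_BDSQL.ADD_USER_MAP(
    cluster_name                => 'bdsql_cluster',
    current_database_user       => 'APP_SCHEMA',               -- constructed
    syscontext_namespace        => 'USERENV',
    syscontext_parm_hadoop_user => 'CLIENT_IDENTIFIER');
END;
/

-- Rule 3: a batch schema always maps to one fixed Hadoop account. With
-- syscontext_namespace left NULL the last argument is a literal user name.
BEGIN
  DBMS_BDSQL.ADD_USER_MAP(
    cluster_name                => 'bdsql_cluster',
    current_database_user       => 'ETL_BATCH',                -- constructed
    syscontext_parm_hadoop_user => 'etl_svc');                 -- constructed
END;
/

-- Application side of rule 2: tag the session with the connected end user
-- before running Big Data SQL queries (standard DBMS_SESSION call).
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('jsmith');                       -- constructed
END;
/

-- Check which identity values the current session would present to the
-- cluster under each rule.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')            AS db_user,
       SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY')  AS auth_identity,
       SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER')       AS client_id
FROM   dual;

-- Review the current maps (assumed table name) and drop one that is no
-- longer needed.
SELECT * FROM SYS.BDSQL_USER_MAP;

BEGIN
  DBMS_BDSQL.REMOVE_USER_MAP(
    cluster_name          => 'bdsql_cluster',
    current_database_user => 'ETL_BATCH');
END;
/
```

Rule 2 trusts whatever the session sets as its client identifier, and DBMS_SESSION.SET_IDENTIFIER can be called by any code running in that session. A CLIENT_IDENTIFIER map is therefore only as strong as the access controls on the mapped schema: grant it only to an application schema whose connections are fully controlled by the application tier, and prefer the AUTHENTICATED_IDENTITY map for users who log in directly, since that value is set by the database during authentication rather than by client code.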
5.2.1 The Multi-User Authorization Model
Multi-User Authorization gives you the ability to use Hadoop Secure Impersonation to direct the oracle account to execute tasks on behalf of other designated users.
Administrators set up the rules for identifying the query user (the currently connected user) and for mapping this user to the user that is impersonated. Because there are numerous ways in which users can connect to Oracle Database, this user may be a database user, a user sourced from LDAP, from Kerberos, or other sources. Authorization rules on the files apply to the query user and audits will identify the user as the query user.
This enables HDFS authorization based on the user that is currently executing the query, rather than the singular oracle user.
Note:
Even with Multi-User Authorization, the oracle user is used by default when SYS is connected as SYSDBA.
See Also:
DBMS_BDSQL PL/SQL Package which describes the Multi-User Authorization security table and the procedures for adding user maps to the table and removing them from the table.