Roles of the original user are not persisted through `SET SESSION AUTHORIZATION` calls, which causes every subsequent query run by the impersonated user to fail.
The reason is that each of those queries is first checked with `checkCanImpersonateUser`, and each of them fails because the original user no longer has any enabled roles that would allow the impersonation.
Example:
- user `alice` calls `SET SESSION AUTHORIZATION 'bob'`
- that leads to an invocation of `io.trino.security.AccessControl#checkCanImpersonateUser`
- this check passes
- then user `bob` calls `SHOW CATALOGS` (or any other query)
- that leads to another invocation of `io.trino.security.AccessControl#checkCanImpersonateUser`
- this check fails, as `alice` has no roles enabled
This incorrect behaviour is demonstrated in this draft PR in `TestImpersonation.testImpersonate()`.
Basically, after `bob` is impersonated no roles are assigned to him, and thus the following `checkCanImpersonateUser` checks fail.
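The sequence above as a small runnable model, added here for illustration and not taken from Trino's code base: the identity, session, impersonation rule and the `persist_roles` switch are all constructed assumptions, chosen so that dropping the original user's roles between queries reproduces the reported failure.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed model of the reported behaviour (not Trino's code).
# An identity is a user name plus the roles currently enabled for that user.
@dataclass(frozen=True)
class Identity:
    user: str
    enabled_roles: FrozenSet[str] = frozenset()

# Constructed impersonation policy: role -> users that role may impersonate.
IMPERSONATION_RULES: Dict[str, Set[str]] = {"admin": {"bob"}}

def check_can_impersonate_user(original: Identity, target: str) -> bool:
    """Impersonation is granted only by a role enabled on the ORIGINAL user."""
    return any(target in IMPERSONATION_RULES.get(role, set())
               for role in original.enabled_roles)

@dataclass
class Session:
    original: Identity                         # the user who authenticated
    authorization_user: Optional[str] = None   # set by SET SESSION AUTHORIZATION

def set_session_authorization(session: Session, target: str) -> str:
    # First check: the session's original identity still carries its roles.
    if not check_can_impersonate_user(session.original, target):
        return "ACCESS DENIED"
    session.authorization_user = target
    return "ok"

def run_query(session: Session, sql: str, persist_roles: bool) -> str:
    # Every later query re-runs the impersonation check against the original user.
    # persist_roles=False models the bug: the original user is rebuilt from the
    # user name alone, so the roles enabled on it are lost and the check fails.
    if session.authorization_user is not None:
        original = session.original if persist_roles else Identity(session.original.user)
        if not check_can_impersonate_user(original, session.authorization_user):
            return "ACCESS DENIED"
    return "ok as " + (session.authorization_user or session.original.user)

def reproduce(persist_roles: bool) -> List[str]:
    """alice (role admin) impersonates bob, then bob runs SHOW CATALOGS."""
    session = Session(Identity("alice", frozenset({"admin"})))
    return [set_session_authorization(session, "bob"),
            run_query(session, "SHOW CATALOGS", persist_roles)]

if __name__ == "__main__":
    print(reproduce(persist_roles=False))  # ['ok', 'ACCESS DENIED']  (the reported bug)
    print(reproduce(persist_roles=True))   # ['ok', 'ok as bob']
```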