Scenario: Hadoop not kerberized (does not matter even if it were - read below).
We have a setup where users from external partners are authenticated via federated security (OAuth) to access our system (Custom UI, Hadoop/HBase). The groups of the user are granted permissions to HBase tables (R) and cells (HBase cell-level security using visibility tags).
These users do not have a local unix account and no Krb keytab. They are pre-authenticated as above and our system gets their JWT, which contains their group claims, as a consequence.
We have tried HBase impersonation over HBase REST and Thrift. We can pass in the user's id or group and HBase applies the access and visibility controls. HBase does not care what entity (user or group) the doAs represents.
However, when the visibility of cells can be resolved by more than one group of a user, there is no way that HBase impersonation would work in our case.
Going over the HBase config and impersonation documentation, it is clear that impersonation implies that the user to be impersonated either has a local account with group memberships on the OS or has a keytab. Clearly undesirable in our scenario.
I see this as a BIG gap in HBase authorization model. Is there a way out?