Masquerading

Masquerading is a way for a client to operate as another user, with all the privileges of that user. Masquerading is a powerful feature. Use masquerading with caution, as you would when using the root command in UNIX or the su command in Linux®.

The masquerading feature allows application servers to do authentication separately from the IBM® Netezza® appliance. It also allows a server to use one connection to the Netezza system for a number of users while still recording those users with the Netezza system.

In this use case, system security is set up so that users do not access an Netezza database directly, but do it through an application. The application allows certain users access to the database. Each database user has an associated security profile, determining what information can be accessed.

The Netezza system does not do the user authentication, but leaves that to the application. In masquerading, a client uses the application to access the database as another user (called a target user), thus accessing the database with the security profile of the target user.

Masquerading is done with the EXECUTE AS command. To use this command, you need EXECUTE AS privileges on the target user. If you issue the command without the required privilege, an error message is displayed.

To run EXECUTE AS, use the following syntax, where target-user-name is the name of an existing user for whom you have EXECUTE AS privilege:

EXECUTE AS target-user-name

As explained in User login control, opening a connection to the database establishes a session, and the session user is recorded. Masquerading changes the current user in the session context. Subsequent permission checks use that value, while the session user function still shows the original user.

The following command example begins a session for user John, with the password ABCD, and accessing the database BIZ:

nzsql -u JOHN -pw ABCD -db BIZ
BIZ.SCM(JOHN)=>

John uses the EXECUTE AS command to masquerade as the user Hank:

BIZ.SCM(JOHN)=> EXECUTE AS HANK;
EXECUTE AS

To see which is the session user and which is the current user, run the following commands:

BIZ(JOHN)=> SELECT session_user, current_user;
 SESSION_USER | CURRENT_USER
--------------+--------------
 JOHN         | HANK
(1 row)

To reverse the EXECUTE AS command, use the REVERT command, which changes the current user back:

BIZ(JOHN)=> REVERT;
REVERT
BIZ(JOHN)=> SELECT session_user, current_user;
 SESSION_USER | CURRENT_USER
--------------+--------------
 JOHN         | JOHN
(1 row)