support for user impersonation by service account #21

@tedgin

It is often the case that a web application needs to access a user's data managed by another service. One solution is to have the web service connect to the data service as the user, using the user's account name and password for authentication. This isn't always viable. For example, if an authenticated user schedules an HPC job that processes some of the user's data, the job may not have access to the user's password for the data service. iRODS supports this case by allowing the web application to impersonate the user. The web application would authenticate with iRODS using a rodsadmin type account and provide the user's iRODS account name as the client user.

I'm requesting that davrods be extended to support iRODS-style user impersonation. The web application could connect to a davrods-based data service with basic authentication, providing its iRODS account name and password. The client name could be provided in a custom HTTP header, e.g., `X-Davrods-Impersonate-User: CLIENT-USERNAME`. The client's account name could be passed to iRODS through the iRODS C API similar to how the iCommands pass it in.
