This is an automated email from the ASF dual-hosted git repository.

michaelsmith pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git

commit 04b7a15cbd2ef4411d829682d5e9e722c477b242
Author: Michael Smith <[email protected]>
AuthorDate: Wed Oct 29 11:28:43 2025 -0700

    IMPALA-14842: Guard doAs and impala.doas.user
    
    Prevent setting both doAs and impala.doas.user. They're often set by
    different actors and we have no use case for setting both. Prevents
    misuse where override behavior is unexpected.
    
    Testing: adds test setting both to LdapHS2Test#testHS2Impersonation
    
    Change-Id: If783e48d5782e1c68e2b3fdd9e2aaabb45ddd6ff
    Reviewed-on: http://gerrit.cloudera.org:8080/24111
    Reviewed-by: Fang-Yu Rao <[email protected]>
    Tested-by: Impala Public Jenkins <[email protected]>
    Reviewed-by: Joe McDonnell <[email protected]>
---
 be/src/service/impala-hs2-server.cc                |  6 ++++--
 .../apache/impala/customcluster/LdapHS2Test.java   | 23 ++++++++++++++++++++++
 2 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/be/src/service/impala-hs2-server.cc 
b/be/src/service/impala-hs2-server.cc
index 472f19c00..20dfe1caa 100644
--- a/be/src/service/impala-hs2-server.cc
+++ b/be/src/service/impala-hs2-server.cc
@@ -385,8 +385,10 @@ void ImpalaServer::OpenSession(TOpenSessionResp& 
return_val,
         // If the current user is a valid proxy user, he/she can optionally 
perform
         // authorization requests on behalf of another user. This is done by 
setting
         // the 'impala.doas.user' Hive Server 2 configuration property.
-        // Note: The 'impala.doas.user' configuration overrides the user 
specified
-        // in the 'doAs' request parameter, which can be specified for 
hs2-http transport.
+        if (!state->do_as_user.empty()) {
+          HS2_RETURN_ERROR(return_val, "Cannot set 'impala.doas.user' 
configuration "
+            "property when 'doAs' query parameter is set.", 
SQLSTATE_GENERAL_ERROR);
+        }
         state->do_as_user = v.second;
         Status status = AuthorizeProxyUser(state->connected_user, 
state->do_as_user);
         HS2_RETURN_IF_ERROR(return_val, status, SQLSTATE_GENERAL_ERROR);
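Review bot: The new guard `if (!state->do_as_user.empty())` carries no comment, while the commit deletes the note that described how 'doAs' and 'impala.doas.user' interact, so a reader no longer sees why the two are mutually exclusive. I would add above it something like `// 'doAs' (hs2-http) already set do_as_user; reject rather than override so one actor cannot silently replace the delegate chosen by another.` The check also appears to treat a non-empty do_as_user as proof that 'doAs' was supplied. That holds only if nothing else populates the field before this point and an empty `doAs=` value is meant to count as unset, which should be confirmed because OpenSession starts and continues outside the hunk.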
diff --git a/fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java 
b/fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java
index d97e49672..4835de72f 100644
--- a/fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java
+++ b/fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java
@@ -392,6 +392,29 @@ public class LdapHS2Test {
     config.put("impala.doas.user", TEST_USER_4);
     openResp = client.OpenSession(openReq);
     assertEquals(openResp.getStatus().getStatusCode(), 
TStatusCode.ERROR_STATUS);
+
+    // Reconnect with doAs query parameter.
+    transport.close();
+    transport = new THttpClient("http://localhost:28000/?doAs=Test1Ldap";);
+    transport.setCustomHeaders(headers);
+    transport.open();
+    client = new TCLIService.Client(new TBinaryProtocol(transport));
+
+    // Open a session with 'doAs' query parameter, should succeed.
+    config.clear();
+    openResp = client.OpenSession(openReq);
+    assertEquals(openResp.getStatus().getStatusCode(), 
TStatusCode.SUCCESS_STATUS);
+    // Logged in user should be the impersonated user.
+    operationHandle = execAndFetch(
+        client, openResp.getSessionHandle(), "select logged_in_user()", 
"Test1Ldap");
+
+    // Open a session with a 'doas' config and 'doAs' query parameter, should 
fail.
+    config.put("impala.doas.user", TEST_USER_3);
+    openResp = client.OpenSession(openReq);
+    assertEquals(openResp.getStatus().getStatusCode(), 
TStatusCode.ERROR_STATUS);
+    assertEquals(openResp.getStatus().getErrorMessage(),
+        "Cannot set 'impala.doas.user' configuration property when 'doAs' 
query "
+        + "parameter is set.");
   }
 
   /**
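Review bot: The rejection case only exercises a differing delegate (`doAs=Test1Ldap` with `impala.doas.user` set to TEST_USER_3), so the test does not pin that the guard also fires when both name the same user, which the backend check suggests it does. A second case such as `config.put("impala.doas.user", "Test1Ldap");` followed by the same status and message assertions would fix that behaviour in the test. The literal "Test1Ldap" appears twice where the neighbouring lines use TEST_USER_n constants; if one of those holds this value, prefer it. The session opened successfully after `config.clear()` is not closed before the method's closing brace, though the method starts outside the hunk and cleanup may live elsewhere.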
