[kyuubi] branch master updated: [KYUUBI #5050] Add admin checking in `getProxyUser`

Fri, 14 Jul 2023 22:18:21 -0700 

This is an automated email from the ASF dual-hosted git repository.

feiwang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kyuubi.git


The following commit(s) were added to refs/heads/master by this push:
     new f49182318 [KYUUBI #5050] Add admin checking in `getProxyUser`
f49182318 is described below

commit f49182318bdaddf21c644812ba4255a2e5dda2ed
Author: remzi <[email protected]>
AuthorDate: Sat Jul 15 13:17:49 2023 +0800

    [KYUUBI #5050] Add admin checking in `getProxyUser`
    
    ### _Why are the changes needed?_
    
    Closes #5050.
    Check the realUser is an admin or not before verifying proxy access.
    
    ### _How was this patch tested?_
    - [ ] Add some test cases that check the changes thoroughly including 
negative and positive cases if possible
    
    - [ ] Add screenshots for manual tests if appropriate
    
    - [ ] [Run 
test](https://kyuubi.readthedocs.io/en/master/contributing/code/testing.html#running-tests)
 locally before make a pull request
    
    Closes #5051 from HaoYang670/5050_check_admin_in_get_proxy_user.
    
    Closes #5050
    
    cdabd58d2 [remzi] add admin check
    
    Authored-by: remzi <[email protected]>
    Signed-off-by: fwang12 <[email protected]>
---
 .../scala/org/apache/kyuubi/server/KyuubiRestFrontendService.scala    | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git 
a/kyuubi-server/src/main/scala/org/apache/kyuubi/server/KyuubiRestFrontendService.scala
 
b/kyuubi-server/src/main/scala/org/apache/kyuubi/server/KyuubiRestFrontendService.scala
index 5b6eb0408..fc9080e66 100644
--- 
a/kyuubi-server/src/main/scala/org/apache/kyuubi/server/KyuubiRestFrontendService.scala
+++ 
b/kyuubi-server/src/main/scala/org/apache/kyuubi/server/KyuubiRestFrontendService.scala
@@ -235,7 +235,9 @@ class KyuubiRestFrontendService(override val serverable: 
Serverable)
       realUser
     } else {
       sessionConf.get(KyuubiAuthenticationFactory.HS2_PROXY_USER).map { 
proxyUser =>
-        KyuubiAuthenticationFactory.verifyProxyAccess(realUser, proxyUser, 
ipAddress, hadoopConf)
+        if (!getConf.get(KyuubiConf.SERVER_ADMINISTRATORS).contains(realUser)) 
{
+          KyuubiAuthenticationFactory.verifyProxyAccess(realUser, proxyUser, 
ipAddress, hadoopConf)
+        }
         proxyUser
       }.getOrElse(realUser)
     }

Reply via email to