[ https://issues.apache.org/jira/browse/DRILL-8168?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
James Turton resolved DRILL-8168.
---------------------------------
    Resolution: Fixed

> Duplicated attempt to apply inbound impersonation in the REST API
> -----------------------------------------------------------------
>
>                 Key: DRILL-8168
>                 URL: https://issues.apache.org/jira/browse/DRILL-8168
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Web Server
>    Affects Versions: 1.20.0
>            Reporter: James Turton
>            Assignee: James Turton
>            Priority: Major
>             Fix For: Future
>
>
> When a payload that includes the {{userName}} property is POSTed to
> /query.json Drill will check for authorisation and, if that's found, replace
> the username on its UserSession with that of the impersonated user. When a
> subsequent request arrives Drill will again attempt the same replacement, but
> now starting from a UserSession user that has already been changed to the
> impersonated user. This is liable to fail when the impersonated user is not
> authorised to impersonate themself.
>
> This has never been an issue in the Web UI because it only presents an
> opportunity for impersonation when impersonation is enabled _and_ _authn is
> disabled_. When authn is disabled, there is no persistent UserSession so
> it is okay to repeat the username replacement for every request to
> /query.json. This leaves people who have both impersonation and authn
> enabled in the lurch.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
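
The failure described in this issue, modelled as an added example; it is not Drill's code and not the fix that was committed. Every class, method and field name, and the alice/bob policy, are assumptions made for illustration. It contrasts the check that starts from the already-replaced session user with one that always authorises against the login principal.

```java
import java.util.Map;
import java.util.Set;

// Model of the session behaviour described in DRILL-8168. All class, field and
// method names are hypothetical; none of them are Drill's own.
public class InboundImpersonationModel {
    // Constructed policy: proxy principal -> users it may impersonate.
    static final Map<String, Set<String>> POLICY = Map.of("alice", Set.of("bob"));

    static boolean mayImpersonate(String proxy, String target) {
        return POLICY.getOrDefault(proxy, Set.of()).contains(target);
    }

    // With authn enabled one Session object persists across requests.
    static class Session {
        final String authenticatedUser; // set once at login, never replaced
        String effectiveUser;           // the user that queries run as
        Session(String user) { authenticatedUser = user; effectiveUser = user; }
    }

    // Reported behaviour: the check starts from the session user, which an
    // earlier request may already have replaced with the impersonated user.
    static boolean applyFromSessionUser(Session s, String userName) {
        if (!mayImpersonate(s.effectiveUser, userName)) return false;
        s.effectiveUser = userName;
        return true;
    }

    // Repeat-safe variant: authorise against the login principal every time.
    static boolean applyFromAuthenticatedUser(Session s, String userName) {
        if (!mayImpersonate(s.authenticatedUser, userName)) return false;
        s.effectiveUser = userName;
        return true;
    }

    public static void main(String[] args) {
        Session a = new Session("alice"); // authn enabled, persistent session
        System.out.println("session-user check, request 1: " + applyFromSessionUser(a, "bob"));
        System.out.println("session-user check, request 2: " + applyFromSessionUser(a, "bob"));
        // authn disabled: no persistent session, so each request starts fresh
        System.out.println("fresh session, request 1: " + applyFromSessionUser(new Session("alice"), "bob"));
        System.out.println("fresh session, request 2: " + applyFromSessionUser(new Session("alice"), "bob"));
        Session b = new Session("alice"); // authn enabled, login principal retained
        System.out.println("login-user check, request 1: " + applyFromAuthenticatedUser(b, "bob"));
        System.out.println("login-user check, request 2: " + applyFromAuthenticatedUser(b, "bob"));
    }
}
```

Only the second request on the persistent session with the session-user check is refused, because by then the check asks whether bob may impersonate bob.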