[
https://issues.apache.org/jira/browse/DRILL-8168?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
James Turton resolved DRILL-8168.
---------------------------------
Resolution: Fixed
> Duplicated attempt to apply inbound impersonation in the REST API
> -----------------------------------------------------------------
>
> Key: DRILL-8168
> URL: https://issues.apache.org/jira/browse/DRILL-8168
> Project: Apache Drill
> Issue Type: Bug
> Components: Web Server
> Affects Versions: 1.20.0
> Reporter: James Turton
> Assignee: James Turton
> Priority: Major
> Fix For: Future
>
>
> When a payload that includes the {{userName}} property is POSTed to
> /query.json Drill will check for authorisation and, if that's found, replace
> the username on its UserSession with that of the impersonated user. When a
> subsequent request arrives Drill will again attempt the same replacement, but
> now starting from a UserSession user that has already been changed to the
> impersonated user. This is liable to fail when the impersonated user is not
> authorised to impersonate themself.
> This has never been an issue in the Web UI because it only presents an
> opportunity for impersonation when impersonation is enabled _and_ _authn is
> disabled_. When authn is disabled, there is no persistent UserSession so
> it is okay to repeat the username replacement for every request to
> /query.json. This leaves people who have both impersonation and authn
> enabled in the lurch.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
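The failure described in the ticket is easy to see in a small model. The Python below is an added example, not Apache Drill's code and not the DRILL-8168 fix: the `POLICY` table, the `UserSession` fields, the handler names and the behaviour of the "fixed" variant (always authorising from the authenticated identity, and dropping impersonation when a payload carries no `userName`) are assumptions made for illustration. The buggy handler re-derives the proxy user from the session's current user, so with authn enabled (one session surviving across requests) the second identical POST checks whether `alice` may impersonate `alice` and is refused; with authn disabled (a fresh session per request) the same handler keeps working, which is why the Web UI never exposed the problem.

```python
"""Model of inbound impersonation applied to a persistent UserSession.

Added example; names and policy below are assumptions, not Drill internals.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed impersonation policy (assumption): authenticated proxy user ->
# users it may act as. Nobody is listed as able to impersonate themselves,
# which is the case the ticket says makes the repeated replacement fail.
POLICY: Dict[str, set] = {"admin": {"alice", "bob"}}


def can_impersonate(proxy_user: str, target_user: str) -> bool:
    """Authorisation check: may proxy_user run queries as target_user?"""
    return target_user in POLICY.get(proxy_user, set())


@dataclass
class UserSession:
    auth_user: str                        # identity established by authn
    effective_user: Optional[str] = None  # identity queries actually run as

    def user(self) -> str:
        return self.effective_user or self.auth_user


def buggy_apply_impersonation(session: UserSession, payload: dict) -> str:
    """Checks from the session's *current* user, which an earlier request may
    already have replaced with the impersonated user (the reported bug)."""
    target = payload.get("userName")
    if target is None:
        return session.user()
    proxy = session.user()
    if not can_impersonate(proxy, target):
        raise PermissionError(f"{proxy} may not impersonate {target}")
    session.effective_user = target
    return target


def fixed_apply_impersonation(session: UserSession, payload: dict) -> str:
    """Always authorises from the authenticated identity, so repeating the
    request is idempotent (assumed remedy, not the project's actual patch)."""
    target = payload.get("userName")
    if target is None:
        session.effective_user = None  # assumption: no userName -> run as self
        return session.user()
    if not can_impersonate(session.auth_user, target):
        raise PermissionError(f"{session.auth_user} may not impersonate {target}")
    session.effective_user = target
    return target


def run_requests(apply: Callable[[UserSession, dict], str], auth_user: str,
                 payloads: List[dict], authn_enabled: bool = True) -> List[str]:
    """Replays POST /query.json payloads. With authn enabled one UserSession
    persists across requests; with authn disabled each request starts fresh."""
    session = UserSession(auth_user)
    results = []
    for payload in payloads:
        if not authn_enabled:
            session = UserSession(auth_user)
        try:
            results.append(apply(session, payload))
        except PermissionError as exc:
            results.append(f"denied: {exc}")
    return results


if __name__ == "__main__":
    twice = [{"userName": "alice"}, {"userName": "alice"}]  # constructed input
    print("buggy, authn on :", run_requests(buggy_apply_impersonation, "admin", twice))
    print("buggy, authn off:", run_requests(buggy_apply_impersonation, "admin", twice, False))
    print("fixed, authn on :", run_requests(fixed_apply_impersonation, "admin", twice))
```

Running it shows the buggy handler succeeding once and then denying `alice may not impersonate alice` on the second request when the session persists, while the fixed handler answers `alice` both times and also lets the same authenticated user switch to `bob` or back to themselves on later requests.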