Github user joshelser commented on a diff in the pull request:
https://github.com/apache/phoenix/pull/265#discussion_r124409157
--- Diff:
phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java
---
@@ -273,6 +282,54 @@ public int run(String[] args) throws Exception {
}
}
+ // add remoteUserExtractor to builder if enabled
+ @VisibleForTesting
+ public void setRemoteUserExtractorIfNecessary(HttpServer.Builder
builder, Configuration conf) {
+ if
(conf.getBoolean(QueryServices.QUERY_SERVER_WITH_REMOTEUSEREXTRACTOR_ATTRIB,
+
QueryServicesOptions.DEFAULT_QUERY_SERVER_WITH_REMOTEUSEREXTRACTOR)) {
+ builder.withRemoteUserExtractor(new
PhoenixRemoteUserExtractor(conf));
+ }
+ }
+
+ /**
+ * Use the correctly way to extract end user.
+ */
+
+ static class PhoenixRemoteUserExtractor implements RemoteUserExtractor{
+ private final HttpQueryStringParameterRemoteUserExtractor
paramRemoteUserExtractor;
+ private final HttpRequestRemoteUserExtractor
requestRemoteUserExtractor;
+ private final String userExtractParam;
+
+ public PhoenixRemoteUserExtractor(Configuration conf) {
+ this.requestRemoteUserExtractor = new
HttpRequestRemoteUserExtractor();
+ this.userExtractParam =
conf.get(QueryServices.QUERY_SERVER_REMOTEUSEREXTRACTOR_PARAM,
+
QueryServicesOptions.DEFAULT_QUERY_SERVER_REMOTEUSEREXTRACTOR_PARAM);
+ this.paramRemoteUserExtractor = new
HttpQueryStringParameterRemoteUserExtractor(userExtractParam);
+ }
+
+ @Override
+ public String extract(HttpServletRequest request) throws
RemoteUserExtractionException {
+ if (request.getParameter(userExtractParam) != null) {
+ String extractedUser = paramRemoteUserExtractor.extract(request);
+ UserGroupInformation ugi =
UserGroupInformation.createRemoteUser(request.getRemoteUser());
+ UserGroupInformation proxyUser =
UserGroupInformation.createProxyUser(extractedUser, ugi);
--- End diff --
In re-reading the above, I'm a little worried about the edge-cases. With
PQS right now, we have the following cases "supported"
1) Kerberos+SPNEGO as the Kerberos user ([email protected] authenticates
to PQS and the PQS credentials are used to query Phoenix as [email protected])
2) Kerberos auth with HBase but no SPNEGO for PQS clients (legacy support
for how things used to work before the SPNEGO auth was built -- PQS user does
everything for users)
3) Without Kerberos, all queries run as the PQS user (out of the box).
Avatica supports more than what point 3 above does, but we haven't
prioritized wiring that up as most people just want point 1. @Wancy, I had
originally thought you were just trying to enable a PQS client with Kerberos
credentials to say that they are someone else (extension of point 1 --
Credentials to PQS are for "elserj" but instead of querying Phoenix as
"elserj", query as "bob").
Did you also want this to work for cases when Kerberos is not in the mix? I
think that would require some additional changes as I don't think this will
work as-is.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
