[ https://issues.apache.org/jira/browse/IMPALA-11298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17889928#comment-17889928 ]
ASF subversion and git services commented on IMPALA-11298:
----------------------------------------------------------
Commit 139c74bcf34fe29c4e88cd7bd1a98b78eacce89f in impala's branch
refs/heads/master from Abhishek Rawat
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=139c74bcf ]
IMPALA-11298: Allow proxy users to share hs2 session from different hosts or
realms
Some proxy clients like Hue could reuse hs2 session across multiple
hosts. This patch relaxes the check which enforces kerberos username of
connected user to match session username. This is because the username
could include the hostname and realm such as 'user/instance@REALM' or
'user@REALM'. It's okay to allow the same proxy 'user' to share
the hs2 session irrespective of its 'instance' or 'realm'.
ImpalaServer::AuthorizeProxyUser() uses kerberos short name for
delegation. In this patch we compare the short user name of connected
user with session user when session user is a proxy user i.e., session
has a 'do_as_user'.
The side effects are that 'Connected User:' in query profile and
FunctionContext::user() uses the long username from the session state
which could be different from connected user.
Testing:
- Running exhaustive tests.
Change-Id: Ib9c539cda8c760c8667a2e8cbb6d5c7902888de9
Reviewed-on: http://gerrit.cloudera.org:8080/21925
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
> Compare only the short username when checking session user against connection
> user
> ----------------------------------------------------------------------------------
>
> Key: IMPALA-11298
> URL: https://issues.apache.org/jira/browse/IMPALA-11298
> Project: IMPALA
> Issue Type: Bug
> Reporter: Vincent Tran
> Assignee: Abhishek Rawat
> Priority: Critical
>
> When checking that the session user matches the user authenticated on the
> connection, the usernames compared include the client hostname and the realm
> {code:java}
> if (!connection_username.empty()
>     && session_->connected_user != connection_username) {
>   return Status::Expected(TErrorCode::UNAUTHORIZED_SESSION_USER,
>       connection_username, session_->connected_user);
> }{code}
> This can result in exceptions like so:
> {noformat}
> The user authorized on the connection 'hue/[email protected]' does
> not match the session username 'hue/[email protected]'{noformat}
> We should convert these to short name before comparing.
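
The relaxed check described in the commit message, as an added example that is not Impala's code: ShortName(), Session, Check and CheckSessionUser() are hypothetical names, the principals are constructed, and the short name is taken by a plain split at the first '/' or '@' (no auth_to_local rules, no escaped separators).

```cpp
#include <iostream>
#include <string>

// Hypothetical helper: primary component of 'primary/instance@REALM' or
// 'primary@REALM'. find_first_of() returns npos when neither separator is
// present, so a bare name is returned unchanged.
std::string ShortName(const std::string& principal) {
  return principal.substr(0, principal.find_first_of("/@"));
}

// Constructed stand-in for the two session fields the page mentions.
struct Session {
  std::string connected_user;  // long name recorded when the session was opened
  std::string do_as_user;      // non-empty only when the session user is a proxy
};

enum class Check { kOk, kUnauthorizedSessionUser };

Check CheckSessionUser(const Session& s, const std::string& connection_username) {
  // Same precondition as the original check: nothing to compare without a
  // connection username.
  if (connection_username.empty()) return Check::kOk;
  // Exact long-name match is always accepted.
  if (s.connected_user == connection_username) return Check::kOk;
  // Relaxation applies only to proxy sessions (those with a do_as_user).
  if (!s.do_as_user.empty()) {
    const std::string a = ShortName(s.connected_user);
    const std::string b = ShortName(connection_username);
    // An empty short name (e.g. "/x@R") must never match another empty one.
    if (!a.empty() && a == b) return Check::kOk;
  }
  return Check::kUnauthorizedSessionUser;
}

int main() {
  // Constructed principals: same proxy user arriving from two hosts.
  Session proxy{"hue/host1.example.com@EXAMPLE.COM", "alice"};
  Session direct{"bob/host1.example.com@EXAMPLE.COM", ""};
  std::cout << (CheckSessionUser(proxy, "hue/host2.example.com@EXAMPLE.COM") == Check::kOk)
            << (CheckSessionUser(direct, "bob/host2.example.com@EXAMPLE.COM") == Check::kOk)
            << "\n";  // prints 10
  return 0;
}
```

Under this rule 'hue@OTHER.REALM' also matches a proxy session opened as 'hue/host1.example.com@EXAMPLE.COM', so the relaxation depends on every realm the server accepts being trusted to issue the proxy principal.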