[ 
https://issues.apache.org/jira/browse/CALCITE-1539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15824884#comment-15824884
 ] 

Shi Wang commented on CALCITE-1539:
-----------------------------------

Hi [~elserj]

Sorry, I made a mistake in using request.getQueryString(), which makes it 
confusing. I meant to get the doAs parameter in the query; it should be 
something like request.getParameter("doAs"). 

One use case of doAsUser is Knox when Kerberos is enabled. Say we use user 
guest to authenticate on Knox (Knox demo LDAP), and according to the 
getQueryString() method in IdentityAsserterHttpServletRequestWrapper.java in 
Knox, it will put doAs=guest in the request params. I think this method will 
apply to both REST calls and JDBC, but we can verify with Knox experts on this. 
And when we send a request to PQS through Knox, Knox will redirect the request 
to PQS. In this case, the remote user is Knox and doAsUser is guest. (Correct 
me if I am wrong.)

And we will need both user guest and Knox, because for authentication, guest 
is already authenticated with Knox (either LDAP, Kerberos or another kind of 
method), and may not need to authenticate again with PQS; also the auth-cookie 
could be dropped during this authentication, but Knox needs to be authenticated 
by PQS to build trust between them. So it seems to make more sense to 
authenticate the remote user in this case.

And to keep this method, public <T> T doAsRemoteUser(String remoteUserName, 
String remoteAddress, final Callable<T> action) throws Exception, should 
we write another method in the Calcite interface to cover the case of doAsUser?




> Enable proxy access to Avatica server for third party on behalf of end users
> ----------------------------------------------------------------------------
>
>                 Key: CALCITE-1539
>                 URL: https://issues.apache.org/jira/browse/CALCITE-1539
>             Project: Calcite
>          Issue Type: Improvement
>          Components: avatica
>            Reporter: Jerry He
>            Assignee: Josh Elser
>         Attachments: 
> 0001-CALCITE-1539-Enable-proxy-access-to-Avatica-server-f.patch
>
>
> We want to enable proxy access to Avatica server from an end user, but the 
> end user comes in via a third party impersonation.  For example, Knox and Hue.
> The Knox server user conveys the end user to Avatica.
> Similar things have been done for HBase REST Server HBASE-9866 and Hive Server 
> HIVE-5155
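
The trust relationship discussed in this thread, as an added example that is not code from the comment, Avatica or Knox: the server authenticates the remote user (the proxy) itself and honours the doAs value only when that proxy is allowed to act for the named end user. The class name, the allow-list and the principal names knox, guest and admin are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;

// Hypothetical class for illustration; not an Avatica or Knox API.
public class DoAsCheck {
  // Constructed allow-list: authenticated proxy principal -> end users it may act for.
  private final Map<String, Set<String>> proxyTargets;

  public DoAsCheck(Map<String, Set<String>> proxyTargets) {
    this.proxyTargets = proxyTargets;
  }

  /**
   * @param remoteUser principal the server authenticated itself (e.g. via Kerberos)
   * @param doAs value of request.getParameter("doAs"), or null when absent
   * @return the user the request should be executed as
   */
  public String effectiveUser(String remoteUser, String doAs) {
    if (remoteUser == null || remoteUser.isEmpty()) {
      throw new SecurityException("request is not authenticated");
    }
    if (doAs == null) {
      return remoteUser; // no impersonation requested
    }
    // doAs is caller-supplied text: it is only meaningful when the
    // authenticated caller is a proxy trusted to act for that user.
    Set<String> targets = proxyTargets.get(remoteUser);
    if (doAs.isEmpty() || targets == null || !targets.contains(doAs)) {
      throw new SecurityException(remoteUser + " may not impersonate the requested user");
    }
    return doAs;
  }

  public static void main(String[] args) {
    DoAsCheck check = new DoAsCheck(Map.of("knox", Set.of("guest")));
    System.out.println(check.effectiveUser("knox", "guest"));
    System.out.println(check.effectiveUser("knox", null));
    // Constructed negative cases: proxy outside its allow-list, and a non-proxy caller.
    String[][] denied = {{"knox", "admin"}, {"guest", "admin"}};
    for (String[] c : denied) {
      try {
        check.effectiveUser(c[0], c[1]);
      } catch (SecurityException e) {
        System.out.println("rejected: " + e.getMessage());
      }
    }
  }
}
```

The second denied case is the one the allow-list exists for: a caller that authenticated as an ordinary user cannot gain another identity just by adding a doAs parameter.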


