[jira] [Commented] (CALCITE-1539) Enable proxy access to Avatica server for third party on behalf of end users

Mon, 03 Apr 2017 19:50:18 -0700 

    [ 
https://issues.apache.org/jira/browse/CALCITE-1539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15954496#comment-15954496
 ] 

Josh Elser commented on CALCITE-1539:
-------------------------------------

bq. For the test case, I think it will be something like a combination of 
BasicAuthHttpServerTest and HttpServerSpnegoWithJaasTest right?

Actually, I don't think you need to introduce Kerberos at all. I think copying 
BasicAuthHttpServerTest, adding your {{RemoteUserExtractor}} implementation and 
a {{DoAsRemoteUserCallback}} implementation (which you can use to verify that 
the proper user was extracted). 

bq. Another thing is extract method will need to throw exception, because in 
phoenix case will throw authorization error, and if authorization failed should 
not extract any user and just show the error right?

I don't follow your concern, but I do agree that the interface will need to 
throw an exception. I think it would be better to throw a named exception that 
we create specifically for the case when the implementation fails. Something 
like.. {{RemoteUserExtractionException}}. Having the interface method throw 
{{Exception}} is unnecessarily broad (and would make things harder to handle in 
Avatica).

> Enable proxy access to Avatica server for third party on behalf of end users
> ----------------------------------------------------------------------------
>
>                 Key: CALCITE-1539
>                 URL: https://issues.apache.org/jira/browse/CALCITE-1539
>             Project: Calcite
>          Issue Type: Improvement
>          Components: avatica
>            Reporter: Jerry He
>            Assignee: Shi Wang
>         Attachments: 
> 0001-CALCITE-1539-Enable-proxy-access-to-Avatica-server-f.patch, 
> 0001-CALCITE-1539.patch, 0001-CALCITE-1539_without_testcase.patch
>
>
> We want to enable proxy access to Avatica server from an end user, but the 
> end user comes in via a third party impersonation.  For example, Knox and Hue.
> The Knox server user conveys the end user to Avatica.
> Similar things have been done for HBase Rest Sever HBASE-9866 and Hive Server 
> HIVE-5155



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to