[ https://issues.apache.org/jira/browse/CALCITE-1539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15966006#comment-15966006 ]
ASF GitHub Bot commented on CALCITE-1539: ----------------------------------------- Github user joshelser commented on a diff in the pull request: https://github.com/apache/calcite-avatica/pull/6#discussion_r111174467 --- Diff: server/src/test/java/org/apache/calcite/avatica/server/RemoteUserExtractHttpServerTest.java --- 
@@ -0,0 +1,175 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.calcite.avatica.server;
+
+import org.apache.calcite.avatica.ConnectionSpec;
+import org.apache.calcite.avatica.jdbc.JdbcMeta;
+import org.apache.calcite.avatica.remote.AuthenticationType;
+import org.apache.calcite.avatica.remote.Driver;
+import org.apache.calcite.avatica.remote.LocalService;
+
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.Properties;
+import java.util.concurrent.Callable;
+
+import javax.servlet.http.HttpServletRequest;
+
+import static org.hamcrest.core.StringContains.containsString;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.fail;
+
+/**
+ * Test class for HTTP Basic authentication.
+ */
+public class RemoteUserExtractHttpServerTest extends HttpAuthBase {
+ private static final Logger LOG = LoggerFactory.getLogger(RemoteUserExtractHttpServerTest.class);
+
+ private static final ConnectionSpec CONNECTION_SPEC = ConnectionSpec.HSQLDB;
+ private static HttpServer server;
+ private static String url1;
+ private static String url2;
+
+ @BeforeClass public static void startServer() throws Exception {
+
+ final String userPropertiesFile = BasicAuthHttpServerTest.class
+ .getResource("/auth-users.properties").getFile();
+ assertNotNull("Could not find properties file for basic auth users", userPropertiesFile);
+
+ // Create a LocalService around HSQLDB
+ final JdbcMeta jdbcMeta = new JdbcMeta(CONNECTION_SPEC.url,
+ CONNECTION_SPEC.username, CONNECTION_SPEC.password);
+ LocalService service = new LocalService(jdbcMeta);
+
+ HandlerFactory factory = new HandlerFactory();
+ AvaticaHandler avaticaHandler = factory.getHandler(service, Driver.Serialization.PROTOBUF, null,
+ new AvaticaServerConfiguration() {
+ @Override public AuthenticationType getAuthenticationType() {
+ return AuthenticationType.BASIC;
+ }
+
+ @Override public String getKerberosRealm() {
+ return null;
+ }
+
+ @Override public String getKerberosPrincipal() {
+ return null;
+ }
+
+ @Override public boolean supportsImpersonation() {
+ return true;
+ }
+
+ @Override public <T> T doAsRemoteUser(String remoteUserName, String remoteAddress,
+ Callable<T> action) throws Exception {
+
+ if (remoteUserName.equals("USER4")) {
+ throw new RuntimeException("USER4 is a disallowed user");
+ } else if (remoteUserName.equals("USER2")) {
+ return action.call();
+ } else {
+ throw new RuntimeException("Unknown user.");
+ }
+ }
+
+ @Override public RemoteUserExtractor getRemoteUserExtractor() {
+ return new RemoteUserExtractor() {
--- End diff --
I think this test could be expanded to cover two more cases: 1.
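Review bot: In `startServer()`, `assertNotNull` can never report its message, because `.getFile()` is already called on the result of `getResource("/auth-users.properties")`; a missing resource fails with a bare NullPointerException instead. Hold the `URL` in a local, assert on that, and only then call `getFile()`; loading it through `RemoteUserExtractHttpServerTest.class` rather than `BasicAuthHttpServerTest.class` would also drop the copy-paste dependency on the other test. The class Javadoc looks copied as well: `Test class for HTTP Basic authentication.` should say that this test covers remote-user extraction and impersonation on top of Basic auth. In `doAsRemoteUser`, writing the comparisons as `"USER4".equals(remoteUserName)` and `"USER2".equals(remoteUserName)` would send a null name to the `Unknown user.` branch rather than an NPE. The anonymous `RemoteUserExtractor` opens on the last quoted line and its body lies outside the hunk.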
Test the case where the server is configured to extract the user in a way the client did not provide (e.g. the server expects doAs=, but the client doesn't include it). 2. Test what happens when the remote user could not be extracted. The client should see an HTTP/401 (as opposed to an HTTP/403 or HTTP/5XX). > Enable proxy access to Avatica server for third party on behalf of end users > ---------------------------------------------------------------------------- > > Key: CALCITE-1539 > URL: https://issues.apache.org/jira/browse/CALCITE-1539 > Project: Calcite > Issue Type: Improvement > Components: avatica > Reporter: Jerry He > Assignee: Shi Wang > Attachments: > 0001-CALCITE-1539-Enable-proxy-access-to-Avatica-server-f.patch, > 0001-CALCITE-1539.patch, 0001-CALCITE-1539_without_testcase.patch > > > We want to enable proxy access to Avatica server from an end user, but the > end user comes in via a third party impersonation. For example, Knox and Hue. > The Knox server user conveys the end user to Avatica. > Similar things have been done for HBase Rest Server HBASE-9866 and Hive Server > HIVE-5155 -- This message was sent by Atlassian JIRA (v6.3.15#6346)