[ 
https://issues.apache.org/jira/browse/CALCITE-1539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15966007#comment-15966007
 ] 

ASF GitHub Bot commented on CALCITE-1539:
-----------------------------------------

Github user joshelser commented on a diff in the pull request:

    https://github.com/apache/calcite-avatica/pull/6#discussion_r111174909
  
    --- Diff: 
server/src/test/java/org/apache/calcite/avatica/server/RemoteUserExtractHttpServerTest.java
 ---
    @@ -0,0 +1,175 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one or more
    + * contributor license agreements.  See the NOTICE file distributed with
    + * this work for additional information regarding copyright ownership.
    + * The ASF licenses this file to you under the Apache License, Version 2.0
    + * (the "License"); you may not use this file except in compliance with
    + * the License.  You may obtain a copy of the License at
    + *
    + * http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +package org.apache.calcite.avatica.server;
    +
    +import org.apache.calcite.avatica.ConnectionSpec;
    +import org.apache.calcite.avatica.jdbc.JdbcMeta;
    +import org.apache.calcite.avatica.remote.AuthenticationType;
    +import org.apache.calcite.avatica.remote.Driver;
    +import org.apache.calcite.avatica.remote.LocalService;
    +
    +import org.junit.AfterClass;
    +import org.junit.BeforeClass;
    +import org.junit.Test;
    +import org.slf4j.Logger;
    +import org.slf4j.LoggerFactory;
    +
    +import java.util.Properties;
    +import java.util.concurrent.Callable;
    +
    +import javax.servlet.http.HttpServletRequest;
    +
    +import static org.hamcrest.core.StringContains.containsString;
    +import static org.junit.Assert.assertNotNull;
    +import static org.junit.Assert.assertThat;
    +import static org.junit.Assert.fail;
    +
    +/**
    + * Test class for HTTP Basic authentication.
    + */
    +public class RemoteUserExtractHttpServerTest extends HttpAuthBase {
    +  private static final Logger LOG = 
LoggerFactory.getLogger(RemoteUserExtractHttpServerTest.class);
    +
    +  private static final ConnectionSpec CONNECTION_SPEC = 
ConnectionSpec.HSQLDB;
    +  private static HttpServer server;
    +  private static String url1;
    +  private static String url2;
    +
    +  @BeforeClass public static void startServer() throws Exception {
    +
    +    final String userPropertiesFile = BasicAuthHttpServerTest.class
    +            .getResource("/auth-users.properties").getFile();
    +    assertNotNull("Could not find properties file for basic auth users", 
userPropertiesFile);
    +
    +    // Create a LocalService around HSQLDB
    +    final JdbcMeta jdbcMeta = new JdbcMeta(CONNECTION_SPEC.url,
    +            CONNECTION_SPEC.username, CONNECTION_SPEC.password);
    +    LocalService service = new LocalService(jdbcMeta);
    +
    +    HandlerFactory factory = new HandlerFactory();
    +    AvaticaHandler avaticaHandler = factory.getHandler(service, 
Driver.Serialization.PROTOBUF, null,
    +        new AvaticaServerConfiguration() {
    +          @Override public AuthenticationType getAuthenticationType() {
    +            return AuthenticationType.BASIC;
    +          }
    +
    +          @Override public String getKerberosRealm() {
    +            return null;
    +          }
    +
    +          @Override public String getKerberosPrincipal() {
    +            return null;
    +          }
    +
    +          @Override public boolean supportsImpersonation() {
    +            return true;
    +          }
    +
    +          @Override public <T> T doAsRemoteUser(String remoteUserName, 
String remoteAddress,
    +                                                Callable<T> action) throws 
Exception {
    +
    +            if (remoteUserName.equals("USER4")) {
    +              throw new RuntimeException("USER4 is a disallowed user");
    +            } else if (remoteUserName.equals("USER2")) {
    +              return action.call();
    +            } else {
    +              throw new RuntimeException("Unknown user.");
    +            }
    +          }
    +
    +          @Override public RemoteUserExtractor getRemoteUserExtractor() {
    +            return new RemoteUserExtractor() {
    +              HttpQueryStringParameterRemoteUserExtractor 
paramRemoteUserExtractor =
    +                      new HttpQueryStringParameterRemoteUserExtractor();
    +              HttpRequestRemoteUserExtractor requestRemoteUserExtractor =
    +                      new HttpRequestRemoteUserExtractor();
    +
    +              @Override public String extract(HttpServletRequest request)
    +                  throws RemoteUserExtractionException {
    +                if (request.getParameter("doAs") != null) {
    +                  String doAsUser = request.getParameter("doAs");
    +                  LOG.info("doAsUser is " + doAsUser);
    +                  return paramRemoteUserExtractor.extract(request);
    +                } else {
    +                  return "USER2";
    +                }
    +
    +              }
    +            };
    +          }
    +
    +          @Override public String[] getAllowedRoles() {
    +            return new String[] { "users" };
    +          }
    +
    +          @Override public String getHashLoginServiceRealm() {
    +            return "Avatica";
    +          }
    +
    +          @Override public String getHashLoginServiceProperties() {
    +            return userPropertiesFile;
    +          }
    +        });
    +
    +    server = new HttpServer.Builder()
    +            .withHandler(avaticaHandler)
    +            .withPort(0)
    +            .build();
    +    server.start();
    +
    +    url1 = "jdbc:avatica:remote:url=http://localhost:"; + server.getPort()
    +            + ";authentication=BASIC;serialization=PROTOBUF";
    +
    +    url2 = "jdbc:avatica:remote:url=http://localhost:"; + server.getPort()
    +            + "?doAs=USER4" + 
";authentication=BASIC;serialization=PROTOBUF";
    +
    +    // Create and grant permissions to our users
    +    createHsqldbUsers();
    +  }
    +
    +  @AfterClass public static void stopServer() throws Exception {
    +    if (null != server) {
    +      server.stop();
    +    }
    +  }
    +
    +  @Test public void testUserWithAllowedDoAsRole() throws Exception {
    +    // Disallowed by avatica
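Review bot: In the anonymous `RemoteUserExtractor`, the `requestRemoteUserExtractor` field is created but never used, and the `else` branch of `extract` returns the literal `"USER2"` rather than the user that BASIC authentication established, so nothing in this setup ties the effective user to the authenticated caller. Any request carrying `doAs` has that value passed on via `paramRemoteUserExtractor` without the authenticated principal being consulted, which is the check a proxy-user deployment depends on (who may act on behalf of whom). Consider `return requestRemoteUserExtractor.extract(request);` in the `else` branch (assuming it reports the container-authenticated user), plus a case where an authenticated user who is not a permitted proxy sends `doAs`. Separately, `LOG.info("doAsUser is " + doAsUser)` writes a raw request parameter into the log; `LOG.info("doAsUser is {}", doAsUser)` with CR/LF stripped from the value keeps a caller from forging log lines. The quoted diff ends on the first line of `testUserWithAllowedDoAsRole`, so the test bodies themselves are not visible here.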
    --- End diff --
    
    This comment should be removed.


> Enable proxy access to Avatica server for third party on behalf of end users
> ----------------------------------------------------------------------------
>
>                 Key: CALCITE-1539
>                 URL: https://issues.apache.org/jira/browse/CALCITE-1539
>             Project: Calcite
>          Issue Type: Improvement
>          Components: avatica
>            Reporter: Jerry He
>            Assignee: Shi Wang
>         Attachments: 
> 0001-CALCITE-1539-Enable-proxy-access-to-Avatica-server-f.patch, 
> 0001-CALCITE-1539.patch, 0001-CALCITE-1539_without_testcase.patch
>
>
> We want to enable proxy access to the Avatica server on behalf of an end user, where the 
> end user comes in via a third party that impersonates them, for example Knox and Hue.
> The Knox server user conveys the end user to Avatica.
> Similar things have been done for HBase REST Server (HBASE-9866) and Hive Server 
> (HIVE-5155).


