[ https://issues.apache.org/jira/browse/CALCITE-1539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15966007#comment-15966007 ]
ASF GitHub Bot commented on CALCITE-1539: ----------------------------------------- Github user joshelser commented on a diff in the pull request: https://github.com/apache/calcite-avatica/pull/6#discussion_r111174909 --- Diff: server/src/test/java/org/apache/calcite/avatica/server/RemoteUserExtractHttpServerTest.java --- 
@@ -0,0 +1,175 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to you under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.calcite.avatica.server; + +import org.apache.calcite.avatica.ConnectionSpec; +import org.apache.calcite.avatica.jdbc.JdbcMeta; +import org.apache.calcite.avatica.remote.AuthenticationType; +import org.apache.calcite.avatica.remote.Driver; +import org.apache.calcite.avatica.remote.LocalService; + +import org.junit.AfterClass; +import org.junit.BeforeClass; +import org.junit.Test; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.util.Properties; +import java.util.concurrent.Callable; + +import javax.servlet.http.HttpServletRequest; + +import static org.hamcrest.core.StringContains.containsString; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertThat; +import static org.junit.Assert.fail; + +/** + * Test class for HTTP Basic authentication. 
+ */ +public class RemoteUserExtractHttpServerTest extends HttpAuthBase { + private static final Logger LOG = LoggerFactory.getLogger(RemoteUserExtractHttpServerTest.class); + + private static final ConnectionSpec CONNECTION_SPEC = ConnectionSpec.HSQLDB; + private static HttpServer server; + private static String url1; + private static String url2; + + @BeforeClass public static void startServer() throws Exception { + + final String userPropertiesFile = BasicAuthHttpServerTest.class + .getResource("/auth-users.properties").getFile(); + assertNotNull("Could not find properties file for basic auth users", userPropertiesFile); + + // Create a LocalService around HSQLDB + final JdbcMeta jdbcMeta = new JdbcMeta(CONNECTION_SPEC.url, + CONNECTION_SPEC.username, CONNECTION_SPEC.password); + LocalService service = new LocalService(jdbcMeta); + + HandlerFactory factory = new HandlerFactory(); + AvaticaHandler avaticaHandler = factory.getHandler(service, Driver.Serialization.PROTOBUF, null, + new AvaticaServerConfiguration() { + @Override public AuthenticationType getAuthenticationType() { + return AuthenticationType.BASIC; + } + + @Override public String getKerberosRealm() { + return null; + } + + @Override public String getKerberosPrincipal() { + return null; + } + + @Override public boolean supportsImpersonation() { + return true; + } + + @Override public <T> T doAsRemoteUser(String remoteUserName, String remoteAddress, + Callable<T> action) throws Exception { + + if (remoteUserName.equals("USER4")) { + throw new RuntimeException("USER4 is a disallowed user"); + } else if (remoteUserName.equals("USER2")) { + return action.call(); + } else { + throw new RuntimeException("Unknown user."); + } + } + + @Override public RemoteUserExtractor getRemoteUserExtractor() { + return new RemoteUserExtractor() { + HttpQueryStringParameterRemoteUserExtractor paramRemoteUserExtractor = + new HttpQueryStringParameterRemoteUserExtractor(); + HttpRequestRemoteUserExtractor 
requestRemoteUserExtractor = + new HttpRequestRemoteUserExtractor(); + + @Override public String extract(HttpServletRequest request) + throws RemoteUserExtractionException { + if (request.getParameter("doAs") != null) { + String doAsUser = request.getParameter("doAs"); + LOG.info("doAsUser is " + doAsUser); + return paramRemoteUserExtractor.extract(request); + } else { + return "USER2"; + } + + } + }; + } + + @Override public String[] getAllowedRoles() { + return new String[] { "users" }; + } + + @Override public String getHashLoginServiceRealm() { + return "Avatica"; + } + + @Override public String getHashLoginServiceProperties() { + return userPropertiesFile; + } + }); + + server = new HttpServer.Builder() + .withHandler(avaticaHandler) + .withPort(0) + .build(); + server.start(); + + url1 = "jdbc:avatica:remote:url=http://localhost:" + server.getPort() + + ";authentication=BASIC;serialization=PROTOBUF"; + + url2 = "jdbc:avatica:remote:url=http://localhost:" + server.getPort() + + "?doAs=USER4" + ";authentication=BASIC;serialization=PROTOBUF"; + + // Create and grant permissions to our users + createHsqldbUsers(); + } + + @AfterClass public static void stopServer() throws Exception { + if (null != server) { + server.stop(); + } + } + + @Test public void testUserWithAllowedDoAsRole() throws Exception { + // Disallowed by avatica --- End diff -- This comment should be removed. 
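Review bot: In the anonymous `RemoteUserExtractor.extract`, the branch without `doAs` returns the constant `"USER2"` instead of the authenticated principal, so impersonation is only checked against the target name in `doAsRemoteUser` and never against who is asking. As far as the quoted lines show, any caller that passes BASIC auth could name an arbitrary `doAs` user. I would return `requestRemoteUserExtractor.extract(request)` in the else branch (that field is declared but unused in the visible lines) and add a case where an authenticated non-proxy user supplies `doAs` and is rejected. Separately, `LOG.info("doAsUser is " + doAsUser);` writes a request-controlled value into the log; prefer `LOG.info("doAsUser is {}", doAsUser);` and still treat the value as untrusted, since parameterised logging does not neutralise embedded line breaks. In `startServer` the `assertNotNull` cannot fire, because a missing resource makes `getResource(...)` return null and `.getFile()` throws first; `testUserWithAllowedDoAsRole` continues past the end of the quoted diff.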
> Enable proxy access to Avatica server for third party on behalf of end users > ---------------------------------------------------------------------------- > > Key: CALCITE-1539 > URL: https://issues.apache.org/jira/browse/CALCITE-1539 > Project: Calcite > Issue Type: Improvement > Components: avatica > Reporter: Jerry He > Assignee: Shi Wang > Attachments: > 0001-CALCITE-1539-Enable-proxy-access-to-Avatica-server-f.patch, > 0001-CALCITE-1539.patch, 0001-CALCITE-1539_without_testcase.patch > > > We want to enable proxy access to Avatica server from an end user, but the > end user comes in via a third party impersonation. For example, Knox and Hue. > The Knox server user conveys the end user to Avatica. > Similar things have been done for HBase Rest Server HBASE-9866 and Hive Server > HIVE-5155 -- This message was sent by Atlassian JIRA (v6.3.15#6346)