[ https://issues.apache.org/jira/browse/CALCITE-1539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15976869#comment-15976869 ]

ASF GitHub Bot commented on CALCITE-1539:
-----------------------------------------

Github user joshelser commented on a diff in the pull request:

    https://github.com/apache/calcite-avatica/pull/6#discussion_r112479061
  
    --- Diff: 
server/src/test/java/org/apache/calcite/avatica/server/RemoteUserExtractHttpServerTest.java
 ---
    @@ -0,0 +1,175 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one or more
    + * contributor license agreements.  See the NOTICE file distributed with
    + * this work for additional information regarding copyright ownership.
    + * The ASF licenses this file to you under the Apache License, Version 2.0
    + * (the "License"); you may not use this file except in compliance with
    + * the License.  You may obtain a copy of the License at
    + *
    + * http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    + * See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +package org.apache.calcite.avatica.server;
    +
    +import org.apache.calcite.avatica.ConnectionSpec;
    +import org.apache.calcite.avatica.jdbc.JdbcMeta;
    +import org.apache.calcite.avatica.remote.AuthenticationType;
    +import org.apache.calcite.avatica.remote.Driver;
    +import org.apache.calcite.avatica.remote.LocalService;
    +
    +import org.junit.AfterClass;
    +import org.junit.BeforeClass;
    +import org.junit.Test;
    +import org.slf4j.Logger;
    +import org.slf4j.LoggerFactory;
    +
    +import java.util.Properties;
    +import java.util.concurrent.Callable;
    +
    +import javax.servlet.http.HttpServletRequest;
    +
    +import static org.hamcrest.core.StringContains.containsString;
    +import static org.junit.Assert.assertNotNull;
    +import static org.junit.Assert.assertThat;
    +import static org.junit.Assert.fail;
    +
    +/**
    + * Test class for HTTP Basic authentication.
    + */
    +public class RemoteUserExtractHttpServerTest extends HttpAuthBase {
    +  private static final Logger LOG = 
LoggerFactory.getLogger(RemoteUserExtractHttpServerTest.class);
    +
    +  private static final ConnectionSpec CONNECTION_SPEC = 
ConnectionSpec.HSQLDB;
    +  private static HttpServer server;
    +  private static String url1;
    +  private static String url2;
    +
    +  @BeforeClass public static void startServer() throws Exception {
    +
    +    final String userPropertiesFile = BasicAuthHttpServerTest.class
    +            .getResource("/auth-users.properties").getFile();
    +    assertNotNull("Could not find properties file for basic auth users", 
userPropertiesFile);
    +
    +    // Create a LocalService around HSQLDB
    +    final JdbcMeta jdbcMeta = new JdbcMeta(CONNECTION_SPEC.url,
    +            CONNECTION_SPEC.username, CONNECTION_SPEC.password);
    +    LocalService service = new LocalService(jdbcMeta);
    +
    +    HandlerFactory factory = new HandlerFactory();
    +    AvaticaHandler avaticaHandler = factory.getHandler(service, 
Driver.Serialization.PROTOBUF, null,
    +        new AvaticaServerConfiguration() {
    +          @Override public AuthenticationType getAuthenticationType() {
    +            return AuthenticationType.BASIC;
    +          }
    +
    +          @Override public String getKerberosRealm() {
    +            return null;
    +          }
    +
    +          @Override public String getKerberosPrincipal() {
    +            return null;
    +          }
    +
    +          @Override public boolean supportsImpersonation() {
    +            return true;
    +          }
    +
    +          @Override public <T> T doAsRemoteUser(String remoteUserName, 
String remoteAddress,
    +                                                Callable<T> action) throws 
Exception {
    +
    +            if (remoteUserName.equals("USER4")) {
    +              throw new RuntimeException("USER4 is a disallowed user");
    +            } else if (remoteUserName.equals("USER2")) {
    +              return action.call();
    +            } else {
    +              throw new RuntimeException("Unknown user.");
    +            }
    +          }
    +
    +          @Override public RemoteUserExtractor getRemoteUserExtractor() {
    +            return new RemoteUserExtractor() {
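    Review bot: In doAsRemoteUser, `remoteUserName.equals("USER4")` dereferences the user name without a null check, so if the extractor ever hands it a null name the test server fails with a NullPointerException rather than an explicit rejection. Check for null first and throw a descriptive exception, or write the comparisons as `"USER4".equals(remoteUserName)`, so that "no user supplied" is distinguishable from "Unknown user.". Two smaller points: the class Javadoc still reads "Test class for HTTP Basic authentication." although the configuration here enables impersonation and a RemoteUserExtractor, and the `assertNotNull` in startServer runs only after `getResource("/auth-users.properties").getFile()` has been evaluated, which would already have thrown if the resource were missing; assert on the `getResource` result before calling `getFile()`.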
    --- End diff --
    
    > I tried to mock the real usage by adding ?useDoAs=true param in the url indicating if the server expects doAs or not, is that something you are expecting?

    Ah, right. This might require changing some client implementation to test it properly.

    I don't expect the client to provide this (after all, normally the proxy would tack this on), but we should still have tests that verify functionality when the server requires a doAs=user and the client does not provide it (should be some HTTP/401 or HTTP/403).

    > One weird thing is if I use request.getRemoteUser() it will return null in this case

    This sounds like a bug in your code then. Your implementation should throw an exception if that method returns null. These tests should be as terse/explicit as possible.


> Enable proxy access to Avatica server for third party on behalf of end users
> ----------------------------------------------------------------------------
>
>                 Key: CALCITE-1539
>                 URL: https://issues.apache.org/jira/browse/CALCITE-1539
>             Project: Calcite
>          Issue Type: Improvement
>          Components: avatica
>            Reporter: Jerry He
>            Assignee: Shi Wang
>         Attachments: 
> 0001-CALCITE-1539-Enable-proxy-access-to-Avatica-server-f.patch, 
> 0001-CALCITE-1539.patch, 0001-CALCITE-1539_without_testcase.patch
>
>
> We want to enable proxy access to Avatica server from an end user, but the 
> end user comes in via a third party impersonation.  For example, Knox and Hue.
> The Knox server user conveys the end user to Avatica.
> Similar things have been done for HBase Rest Server HBASE-9866 and Hive Server 
> HIVE-5155



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
