[ https://issues.apache.org/jira/browse/DRILL-6283?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Arina Ielchiieva updated DRILL-6283:
------------------------------------
    Labels: ready-to-commit  (was: )

> WebServer stores SPNEGO client principal without taking any conversion rule
> ---------------------------------------------------------------------------
>
>                 Key: DRILL-6283
>                 URL: https://issues.apache.org/jira/browse/DRILL-6283
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Web Server
>    Affects Versions: 1.13.0
>            Reporter: Sorabh Hamirwasia
>            Assignee: Sorabh Hamirwasia
>            Priority: Major
>              Labels: ready-to-commit
>             Fix For: 1.14.0
>
>
> Drill's WebServer uses the exact client principal ([email protected]) as the
> stored username; it doesn't provide any configuration to specify rules which
> can be used to extract the desired username from the client's principal.
> For example, the default rule provided by HadoopKerberosName extracts only the
> primary part (user1) of the client principal.
> Also, while checking whether the authenticated client principal has admin
> privileges, it uses realm (e.g. QA.LAB) information to verify against the
> configured admin user/group list. To make it consistent with the JDBC/ODBC
> Kerberos path, it should use the shortName in the client principal to
> determine admin privileges.
> Basically, the server side should store the shortName extracted from the
> client principal based on the configured rule and use that to determine the
> admin privileges too.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
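
Added example, not part of the JIRA message and not Drill's or Hadoop's code: a simplified Python model of the behaviour the issue asks for, where the stored username and the admin check both use the short name mapped from the principal. The principal user1@QA.LAB, the admin list and every function name are constructed for illustration, and only a DEFAULT-style rule is modelled.

```python
# Added example (not Drill code): simplified model of a DEFAULT-style
# principal-to-short-name rule and of an admin check built on it.
from typing import NamedTuple, Optional

DEFAULT_REALM = "QA.LAB"   # realm named in the issue text
ADMIN_USERS = {"user1"}    # hypothetical admin list holding short names


class Principal(NamedTuple):
    primary: str
    instance: Optional[str]
    realm: Optional[str]


def parse_principal(name: str) -> Principal:
    """Split primary[/instance][@REALM] into its parts."""
    local, _, realm = name.partition("@")
    primary, _, instance = local.partition("/")
    if not primary:
        raise ValueError(f"malformed principal: {name!r}")
    return Principal(primary, instance or None, realm or None)


def short_name(name: str, default_realm: str = DEFAULT_REALM) -> str:
    """DEFAULT-style rule: keep the primary only when the realm is ours."""
    p = parse_principal(name)
    if p.realm is None or p.realm == default_realm:
        return p.primary
    # A foreign realm must not collapse onto a local account name.
    raise PermissionError(f"no rule maps {name!r} to a local user")


def is_admin_by_principal(name: str) -> bool:
    """Behaviour described in the issue: the full principal is compared."""
    return name in ADMIN_USERS


def is_admin_by_short_name(name: str) -> bool:
    """Behaviour the issue asks for: compare the mapped short name."""
    try:
        return short_name(name) in ADMIN_USERS
    except PermissionError:
        return False
```

The foreign-realm branch is the part to keep when writing real mapping rules: stripping the realm unconditionally would let a same-named principal from another realm inherit a local admin entry.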
