[
https://issues.apache.org/jira/browse/DRILL-8168?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
James Turton updated DRILL-8168:
--------------------------------
Description:
When a payload that includes the {{userName}} property is POSTed to /query.json
Drill will check for authorisation and, if that's found, replace the username
on its UserSession with that of the impersonated user. When a subsequent
request arrives Drill will again attempt the same replacement, but now starting
from a UserSession user that has already been changed to the impersonated user.
This is liable to fail when the impersonated user is not authorised to
impersonate themself.
This has never been an issue in the Web UI because it only presents an
opportunity for impersonation when impersonation is enabled _and_ {_}authn is
disabled{_}. When authn is disabled, there is no persistent UserSession so it
is okay to repeat the username replacement for every request to /query.json.
This leaves people who have both impersonation and authn enabled in the lurch.
was:
When a payload that includes the `userName` property is POSTed to /query.json
Drill will check for authorisation and, if that's found, replace the username
on its UserSession with that of the impersonated user. When a subsequent
request arrives Drill will again attempt the same replacement, but now starting
from a UserSession user that has already been changed to the impersonated user.
This is liable to fail when the impersonated user is not authorised to
impersonate themself.
This has never been an issue in the Web UI because it only presents an
opportunity for impersonation when impersonation is enabled _and_ {_}authn is
disabled{_}. When authn is disabled, there is no persistent UserSession so it
is okay to repeat the username replacement for every request to /query.json.
This leaves people who have both impersonation and authn enabled in the lurch.
> Duplicated attempt to apply inbound impersonation in the REST API
> -----------------------------------------------------------------
>
> Key: DRILL-8168
> URL: https://issues.apache.org/jira/browse/DRILL-8168
> Project: Apache Drill
> Issue Type: Bug
> Components: Web Server
> Affects Versions: 1.20.0
> Reporter: James Turton
> Assignee: James Turton
> Priority: Major
> Fix For: Future
>
>
> When a payload that includes the {{userName}} property is POSTed to
> /query.json Drill will check for authorisation and, if that's found, replace
> the username on its UserSession with that of the impersonated user. When a
> subsequent request arrives Drill will again attempt the same replacement, but
> now starting from a UserSession user that has already been changed to the
> impersonated user. This is liable to fail when the impersonated user is not
> authorised to impersonate themself.
> This has never been an issue in the Web UI because it only presents an
> opportunity for impersonation when impersonation is enabled _and_ {_}authn is
> disabled{_}. When authn is disabled, there is no persistent UserSession so
> it is okay to repeat the username replacement for every request to
> /query.json. This leaves people who have both impersonation and authn
> enabled in the lurch.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
