Abhishek Rawat has posted comments on this change. ( http://gerrit.cloudera.org:8080/21925 )
Change subject: IMPALA-11298: Allow proxy users to share hs2 session from different hosts or realms ...................................................................... Patch Set 4: (7 comments) http://gerrit.cloudera.org:8080/#/c/21925/2//COMMIT_MSG Commit Message: http://gerrit.cloudera.org:8080/#/c/21925/2//COMMIT_MSG@9 PS2, Line 9: Some proxy clients like Hue could reuse hs2 session across multiple > Maybe some of this could be put in the commit message? The hue example is t Updated the commit message for more context. http://gerrit.cloudera.org:8080/#/c/21925/3//COMMIT_MSG Commit Message: http://gerrit.cloudera.org:8080/#/c/21925/3//COMMIT_MSG@9 PS3, Line 9: Some proxy clients like Hue could reuse hs2 session across mul > A case where this may be a bit weird is reporting the connected user like t For query profiles, one option could be to log both 'Connected User:' and 'Session User:'. Similarly for UDFs we should probably expose both connected user and session user. This will probably be a follow on task. When kerberos AuthN is not used, there is no way to enforce that user is from the same host. http://gerrit.cloudera.org:8080/#/c/21925/3//COMMIT_MSG@11 PS3, Line 11: username. This is because the username : could include the hostname and realm such as 'user/instance@REALM' or : 'user@REALM'. It's probably okay to allow the same prox > This means that REALM difference is also ignore, right? Updated the commit message. http://gerrit.cloudera.org:8080/#/c/21925/2/be/src/service/impala-hs2-server.cc File be/src/service/impala-hs2-server.cc: http://gerrit.cloudera.org:8080/#/c/21925/2/be/src/service/impala-hs2-server.cc@371 PS2, Line 371: // Set the 'connected_user_short' member in the SessionState. This is only used if > I think what I'm hoping for is a comment saying something like "Call GetSho Updated logic to get the short user name from connection context. http://gerrit.cloudera.org:8080/#/c/21925/3/be/src/service/impala-server.h File be/src/service/impala-server.h: http://gerrit.cloudera.org:8080/#/c/21925/3/be/src/service/impala-server.h@1384 PS3, Line 1384: WithSession > unrelated to the current change, but this function looks too complex for th Done http://gerrit.cloudera.org:8080/#/c/21925/3/be/src/service/impala-server.h@1401 PS3, Line 1401: > Other comments mention Hue as a motivation for this. Hue acts as a proxy us Makes sense to limit this to proxy clients like Hue which was the motivation for this patch in the first place. If there is a requirement to extend this to other clients we could look into it in future. http://gerrit.cloudera.org:8080/#/c/21925/2/be/src/service/impala-server.h File be/src/service/impala-server.h: http://gerrit.cloudera.org:8080/#/c/21925/2/be/src/service/impala-server.h@1400 PS2, Line 1400: } : : /// Decrements the reference count so the session can be expired correc > I suppose this makes sense. Maybe rename 'connected_user_short' to connecti Done. -- To view, visit http://gerrit.cloudera.org:8080/21925 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Ib9c539cda8c760c8667a2e8cbb6d5c7902888de9 Gerrit-Change-Number: 21925 Gerrit-PatchSet: 4 Gerrit-Owner: Abhishek Rawat <[email protected]> Gerrit-Reviewer: Abhishek Rawat <[email protected]> Gerrit-Reviewer: Andrew Sherman <[email protected]> Gerrit-Reviewer: Csaba Ringhofer <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Joe McDonnell <[email protected]> Gerrit-Comment-Date: Tue, 15 Oct 2024 16:16:36 +0000 Gerrit-HasComments: Yes
