Abhishek Rawat has uploaded a new patch set (#5). ( http://gerrit.cloudera.org:8080/21925 )
Change subject: IMPALA-11298: Allow proxy users to share hs2 session from different hosts or realms
......................................................................

IMPALA-11298: Allow proxy users to share hs2 session from different hosts or realms

Some proxy clients like Hue could reuse hs2 session across multiple
hosts. This patch relaxes the check which enforces Kerberos username of
connected user to match session username. This is because the username
could include the hostname and realm such as 'user/instance@REALM' or
'user@REALM'. It's okay to allow the same proxy 'user' to share the hs2
session irrespective of its 'instance' or 'realm'.

ImpalaServer::AuthorizeProxyUser() uses Kerberos short name for
delegation. In this patch we compare the short user name of connected
user with session user when session user is a proxy user, i.e., session
has a 'do_as_user'.

The side effects are that 'Connected User:' in query profile and
FunctionContext::user() use the long username from the session state,
which could be different from connected user.

Testing:
- Running exhaustive tests.

Change-Id: Ib9c539cda8c760c8667a2e8cbb6d5c7902888de9
---
M be/src/rpc/authentication.cc
M be/src/rpc/thrift-server.h
M be/src/service/impala-hs2-server.cc
M be/src/service/impala-server.cc
M be/src/service/impala-server.h
5 files changed, 58 insertions(+), 26 deletions(-)

  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/25/21925/5
--
To view, visit http://gerrit.cloudera.org:8080/21925
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ib9c539cda8c760c8667a2e8cbb6d5c7902888de9
Gerrit-Change-Number: 21925
Gerrit-PatchSet: 5
Gerrit-Owner: Abhishek Rawat <[email protected]>
Gerrit-Reviewer: Abhishek Rawat <[email protected]>
Gerrit-Reviewer: Andrew Sherman <[email protected]>
Gerrit-Reviewer: Csaba Ringhofer <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Joe McDonnell <[email protected]>
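
The session check described in the commit message above, sketched as an added C++ example; it is not code from this change or from Impala. The `Session` struct, `ShortName()`, `MayUseSession()` and the sample principals are hypothetical, and keeping an exact full-name match for non-proxy sessions is an assumption read from the message.

```cpp
#include <iostream>
#include <string>

// Hypothetical session record; the field names are assumptions, not Impala's.
struct Session {
  std::string connected_user;  // long name recorded when the session was opened
  std::string do_as_user;      // non-empty when a proxy opened the session
};

// Primary component of a Kerberos principal: "user/instance@REALM" -> "user".
// Assumption: '\' escapes the next character, so an escaped '/' or '@' stays
// part of the primary instead of ending it.
std::string ShortName(const std::string& principal) {
  std::string out;
  for (std::size_t i = 0; i < principal.size(); ++i) {
    const char c = principal[i];
    if (c == '\\' && i + 1 < principal.size()) {
      out += principal[++i];
    } else if (c == '/' || c == '@') {
      break;
    } else {
      out += c;
    }
  }
  return out;
}

// True when the authenticated principal `connected` may use `session`.
bool MayUseSession(const Session& session, const std::string& connected) {
  if (session.do_as_user.empty()) {
    // Not a proxy session: the full names must still match exactly.
    return !connected.empty() && connected == session.connected_user;
  }
  // Proxy session: instance and realm are ignored, only the primary counts.
  const std::string primary = ShortName(connected);
  return !primary.empty() && primary == ShortName(session.connected_user);
}

int main() {
  // Constructed principals, for illustration only.
  const Session hue{"hue/host1@EXAMPLE.COM", "alice"};
  const Session direct{"alice@EXAMPLE.COM", ""};
  std::cout << MayUseSession(hue, "hue/host2@OTHER.EXAMPLE") << '\n'   // 1
            << MayUseSession(hue, "impala/host1@EXAMPLE.COM") << '\n'  // 0
            << MayUseSession(direct, "alice@OTHER.EXAMPLE") << '\n';   // 0
}
```

In the proxy branch the same primary from any instance or realm is accepted, so the set of realms the server will authenticate is what bounds who can reach a shared session.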
