Abhishek Rawat has uploaded this change for review. ( http://gerrit.cloudera.org:8080/22986
Change subject: IMPALA-14083: Connected user and session user mismatch when cookie based authentication is used with SPNEGO ...................................................................... IMPALA-14083: Connected user and session user mismatch when cookie based authentication is used with SPNEGO IMPALA-11298 allowed comparing short user name for connected user and session user to support proxy clients like Hue which could potentially use different physical hosts for queries/requests from the same session. When cookie based authentication is used, the 'kerberos_user_short' is not set on the ConnectionContext and as a result 'connected_user_short' is not set in SessionState. This can cause a mismatch when comparing short user names from ConnectionContext and SessionState. This happens because the original connection authenticated using SPNEGO will have 'kerberos_user_short' in the ConnectionContext, while the other connections authenticated using cookies won't have 'kerberos_user_short' set in the ConnectionContext. This patch addresses this issue by setting 'connected_user_short' in SessionState, if it's not set and HTTP transport is used for OpenSession. Testing: - Added a SpnegoAuthTest which simulates 'knox' like proxy client and uses SPNEGO to connect to Impala and also uses authentication cookies. The test runs concurrent sql clients similar to real world scenarios. Without the fix the test fails with error: The user authorized on the connection '<username>' does not match the session username '' Change-Id: Id7223e449c32484bfd2295f7a9e728b7c02637e9 --- M be/src/service/impala-hs2-server.cc M fe/src/test/java/org/apache/impala/customcluster/KerberosKdcEnvironment.java A fe/src/test/java/org/apache/impala/customcluster/SpnegoAuthTest.java A fe/src/test/java/org/apache/impala/customcluster/SpnegoTokenGenerator.java A fe/src/test/java/org/apache/impala/customcluster/THttpClientWithHeaders.java 5 files changed, 900 insertions(+), 0 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/86/22986/1 -- To view, visit http://gerrit.cloudera.org:8080/22986 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newchange Gerrit-Change-Id: Id7223e449c32484bfd2295f7a9e728b7c02637e9 Gerrit-Change-Number: 22986 Gerrit-PatchSet: 1 Gerrit-Owner: Abhishek Rawat <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
