Abhishek Rawat has uploaded a new patch set (#8). ( http://gerrit.cloudera.org:8080/22986 )
Change subject: IMPALA-14083: Connected user and session user mismatch when cookie based authentication is used with SPNEGO ...................................................................... IMPALA-14083: Connected user and session user mismatch when cookie based authentication is used with SPNEGO IMPALA-11298 allowed comparing short user name for connected user and session user to support proxy clients like Hue which could potentially use different physical hosts for queries/requests from the same session. When cookie based authentication is used, the 'kerberos_user_short' is not set on the ConnectionContext and as a result 'connected_user_short' is not set in SessionState. This can cause a mismatch when comparing short user names from ConnectionContext and SessionState. This happens because the original connection authenticated using SPNEGO will have 'kerberos_user_short' in the ConnectionContext, while the other connections authenticated using cookies won't have 'kerberos_user_short' set in the ConnectionContext. This patch addresses this issue by setting 'kerberos_user_short' in ConnectionContext, when using auth cookies generated post SPNEGO. This information is retrieved from 'impala.auth' cookie itself, which now also stores the 'a=<AUTH_MECHANISM>' in the cookie's value. Testing: - Added a SpnegoAuthTest which simulates 'knox' like proxy client and uses SPNEGO to connect to Impala and also uses authentication cookies. The test runs concurrent sql clients similar to real world scenarios. Without the fix the test fails with error: The user authorized on the connection '<username>' does not match the session username '' Change-Id: Id7223e449c32484bfd2295f7a9e728b7c02637e9 --- M be/src/rpc/authentication-util.cc M be/src/rpc/authentication-util.h M be/src/rpc/authentication.cc M be/src/util/webserver-test.cc M be/src/util/webserver.cc M be/src/util/webserver.h M fe/src/test/java/org/apache/impala/customcluster/KerberosKdcEnvironment.java A fe/src/test/java/org/apache/impala/customcluster/SpnegoAuthTest.java A fe/src/test/java/org/apache/impala/customcluster/SpnegoTokenGenerator.java A fe/src/test/java/org/apache/impala/customcluster/THttpClientWithHeaders.java 10 files changed, 1,022 insertions(+), 32 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/86/22986/8 -- To view, visit http://gerrit.cloudera.org:8080/22986 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: Id7223e449c32484bfd2295f7a9e728b7c02637e9 Gerrit-Change-Number: 22986 Gerrit-PatchSet: 8 Gerrit-Owner: Abhishek Rawat <ara...@cloudera.com> Gerrit-Reviewer: Abhishek Rawat <ara...@cloudera.com> Gerrit-Reviewer: Csaba Ringhofer <csringho...@cloudera.com> Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com> Gerrit-Reviewer: Jason Fehr <jf...@cloudera.com> Gerrit-Reviewer: Yida Wu <wydbaggio...@gmail.com>
