Csaba Ringhofer has posted comments on this change. ( http://gerrit.cloudera.org:8080/23237 )
Change subject: IMPALA-14285: Add SAML2 authentication support for Coordinator Web UI ...................................................................... Patch Set 14: (2 comments) Added some high level answers for some comments by Jason, as I wrote the original hs2-http SAML2 implementation and these comments are also relevant for that. http://gerrit.cloudera.org:8080/#/c/23237/13/be/src/rpc/authentication-util.cc File be/src/rpc/authentication-util.cc: http://gerrit.cloudera.org:8080/#/c/23237/13/be/src/rpc/authentication-util.cc@326 PS13, Line 326: ValidateSaml2Response > This code eventually calls into org.pac4j.saml.sso.impl.SAML2AuthnResponseV IMO in the webserver case the target should be always a specific coordinator (as we are interested in some specific metrics, not getting some resource where the server doesn't matter) For this reason, there shouldn't be a load balancer involved and we shouldn't see the situation described. The original hs2-http case is different, there can be a load balancer, but it should have sticky sessions for Impala, so I also think that we should not bump to this issue. If there is a failover, then it is to client's task to retry the SAML2 auth workflow - this is likely to be simple as they are already logged into the idp in the browser. http://gerrit.cloudera.org:8080/#/c/23237/13/be/src/util/webserver.cc File be/src/util/webserver.cc: http://gerrit.cloudera.org:8080/#/c/23237/13/be/src/util/webserver.cc@373 PS13, Line 373: || use_saml_ > to enforce that SAML must be used by itself Generally there should be always another authentication besides SAML2 browser profile, as the browser profile needs human interaction via the browser, so automated processes can't use it (it is common to poll Impala's webui from software). There are a lot of gaps in Impala's open source test coverage around authentication. In this case I think that it would be nice to test SAML2 in combination with some other auth, but not all combinations - we also don't do that for hs2-http. E.g. I didn't find any JWT + Kerberos or JWT + LDAP tests, while we do allow these combinations: https://github.com/apache/impala/blob/9220b9699fabbcf06b134a023807ce328e43a2ea/be/src/rpc/authentication.cc#L1608 Improving coverage for multiple auth methods would need some reorganization of existing auth tests, as test files are generally specific to one method and contain helper classes to set them up. It seems doable to set up an infrastructure to start Impala with any auth combination and run tests for specific methods using different combinations, but it would be significant work. -- To view, visit http://gerrit.cloudera.org:8080/23237 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I12540300529f9c240abf7196141ecb0ae6e37995 Gerrit-Change-Number: 23237 Gerrit-PatchSet: 14 Gerrit-Owner: Mihaly Szjatinya <[email protected]> Gerrit-Reviewer: Abhishek Rawat <[email protected]> Gerrit-Reviewer: Csaba Ringhofer <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Jason Fehr <[email protected]> Gerrit-Reviewer: Mihaly Szjatinya <[email protected]> Gerrit-Reviewer: Nandor Kollar <[email protected]> Gerrit-Reviewer: Riza Suminto <[email protected]> Gerrit-Comment-Date: Fri, 30 Jan 2026 12:31:18 +0000 Gerrit-HasComments: Yes
