Jason Fehr has posted comments on this change. ( http://gerrit.cloudera.org:8080/23237 )
Change subject: IMPALA-14285: Add SAML2 authentication support for Coordinator Web UI
......................................................................

Patch Set 22:

(12 comments)

http://gerrit.cloudera.org:8080/#/c/23237/22/be/src/rpc/authentication-util.cc
File be/src/rpc/authentication-util.cc:

http://gerrit.cloudera.org:8080/#/c/23237/22/be/src/rpc/authentication-util.cc@326
PS22, Line 326: Status status =
Unused variable "status".

http://gerrit.cloudera.org:8080/#/c/23237/22/be/src/rpc/authentication-util.cc@336
PS22, Line 336:
Nit: remove extra space.

http://gerrit.cloudera.org:8080/#/c/23237/22/be/src/rpc/authentication.cc
File be/src/rpc/authentication.cc:

http://gerrit.cloudera.org:8080/#/c/23237/22/be/src/rpc/authentication.cc@992
PS22, Line 992: ValidateSaml2AuthnResponseInternal(*request);
The "ValidateSaml2AuthnResponseInternal" function can return nullptr. That return needs to be handled here like it was previously:

    if (UNLIKELY(response_ptr == nullptr)) {
      return nullptr;
    }

http://gerrit.cloudera.org:8080/#/c/23237/18/be/src/util/webserver.cc
File be/src/util/webserver.cc:

http://gerrit.cloudera.org:8080/#/c/23237/18/be/src/util/webserver.cc@952
PS18, Line 952: authenticated = true;
> It turns out it's not really used for production, I was wrong. Added the fl
Done

http://gerrit.cloudera.org:8080/#/c/23237/22/be/src/util/webserver.cc
File be/src/util/webserver.cc:

http://gerrit.cloudera.org:8080/#/c/23237/22/be/src/util/webserver.cc@117
PS22, Line 117: "--webserver_require_spnego.");
Need to also note htpasswd cannot be used with SAML.

http://gerrit.cloudera.org:8080/#/c/23237/22/be/src/util/webserver.cc@355
PS22, Line 355: // excluding catalogd, statestored and impalad executors
Executors, catalogd, and statestored all have debug webUIs, why not include those too since the Jira is not limited to just coordinator UI?

http://gerrit.cloudera.org:8080/#/c/23237/22/be/src/util/webserver.cc@940
PS22, Line 940: static constexpr const char kJsonMetricsPath[] = "/jsonmetrics";
              : static constexpr const char kBackendsPath[] = "/backends";
              : static constexpr const char kVarzPath[] = "/varz";
These three constants need to be shared with the constants passed to the various RegisterUrlCallback() functions to ensure the same paths are used (e.g. in https://github.com/apache/impala/blob/0192436705de1ce8210c0632f08e4e55fb9abd9e/be/src/util/metrics.cc#L144).

Also, match constant names to Impala coding standards (https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=65868536#:~:text=classic%20%23include%20guards-,Variable%20Naming,-We%20use%20UPPER_CASE)

http://gerrit.cloudera.org:8080/#/c/23237/22/fe/src/main/java/org/apache/impala/authentication/saml/HiveSamlRelayStateInfoHS2.java
File fe/src/main/java/org/apache/impala/authentication/saml/HiveSamlRelayStateInfoHS2.java:

http://gerrit.cloudera.org:8080/#/c/23237/22/fe/src/main/java/org/apache/impala/authentication/saml/HiveSamlRelayStateInfoHS2.java@20
PS22, Line 20: // copy of https://github.com/vihangk1/hive/blob/master_saml/service/src/java/org/apache/hive/service/auth/saml/HiveSamlRelayStateInfo.java
> line too long (139 > 90)
Please include the exact commit hash this file was based upon.

http://gerrit.cloudera.org:8080/#/c/23237/22/fe/src/main/java/org/apache/impala/authentication/saml/HiveSamlRelayStateStoreBase.java
File fe/src/main/java/org/apache/impala/authentication/saml/HiveSamlRelayStateStoreBase.java:

http://gerrit.cloudera.org:8080/#/c/23237/22/fe/src/main/java/org/apache/impala/authentication/saml/HiveSamlRelayStateStoreBase.java@38
PS22, Line 38: StateStore
Nit: please consider renaming to HiveSamlRelayStateCacheBase only to avoid confusion with the Impala statestored.

http://gerrit.cloudera.org:8080/#/c/23237/22/fe/src/main/java/org/apache/impala/authentication/saml/HiveSamlRelayStateStoreHS2.java
File fe/src/main/java/org/apache/impala/authentication/saml/HiveSamlRelayStateStoreHS2.java:

http://gerrit.cloudera.org:8080/#/c/23237/22/fe/src/main/java/org/apache/impala/authentication/saml/HiveSamlRelayStateStoreHS2.java@24
PS22, Line 24: // slightly modified copy of https://github.com/vihangk1/hive/blob/master_saml/service/src/java/org/apache/hive/service/auth/saml/HiveSamlRelayStateInfo.java
Please include the exact commit hash this file was based upon.

http://gerrit.cloudera.org:8080/#/c/23237/22/fe/src/main/java/org/apache/impala/authentication/saml/ImpalaSamlClientHS2.java
File fe/src/main/java/org/apache/impala/authentication/saml/ImpalaSamlClientHS2.java:

http://gerrit.cloudera.org:8080/#/c/23237/22/fe/src/main/java/org/apache/impala/authentication/saml/ImpalaSamlClientHS2.java@32
PS22, Line 32: // modified version of https://github.com/vihangk1/hive/blob/master_saml/service/src/java/org/apache/hive/service/auth/saml/HiveSaml2Client.java
> line too long (144 > 90)
Please include the exact commit hash this file was based upon.

http://gerrit.cloudera.org:8080/#/c/23237/22/fe/src/main/java/org/apache/impala/authentication/saml/ImpalaSamlClientHS2.java@143
PS22, Line 143: // https://github.com/vihangk1/hive/blob/master_saml/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpServlet.java
> line too long (129 > 90)
Please include the exact commit hash this file was based upon.

--
To view, visit http://gerrit.cloudera.org:8080/23237
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I12540300529f9c240abf7196141ecb0ae6e37995
Gerrit-Change-Number: 23237
Gerrit-PatchSet: 22
Gerrit-Owner: Mihaly Szjatinya <[email protected]>
Gerrit-Reviewer: Abhishek Rawat <[email protected]>
Gerrit-Reviewer: Csaba Ringhofer <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Jason Fehr <[email protected]>
Gerrit-Reviewer: Mihaly Szjatinya <[email protected]>
Gerrit-Reviewer: Nandor Kollar <[email protected]>
Gerrit-Reviewer: Riza Suminto <[email protected]>
Gerrit-Comment-Date: Mon, 01 Jun 2026 18:15:46 +0000
Gerrit-HasComments: Yes
