subject:"\[GitHub\] phoenix pull request #265\: PHOENIX\-3598"

[GitHub] phoenix pull request #265: PHOENIX-3598

2017-07-12 Thread Wancy

Github user Wancy closed the pull request at:

https://github.com/apache/phoenix/pull/265


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] phoenix pull request #265: PHOENIX-3598

2017-06-27 Thread Wancy

Github user Wancy commented on a diff in the pull request:

https://github.com/apache/phoenix/pull/265#discussion_r124413926
  
--- Diff: 
phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java
 ---
@@ -228,7 +235,9 @@ public int run(String[] args) throws Exception {
 builder.withSpnego(ugi.getUserName(), additionalAllowedRealms)
 .withAutomaticLogin(keytab)
 .withImpersonation(new PhoenixDoAsCallback(ugi, getConf()));
+
   }
+  setRemoteUserExtractorIfNecessary(builder, getConf());
--- End diff --

Agree to put it inside the if-block for only kerberos case :)


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] phoenix pull request #265: PHOENIX-3598

2017-06-27 Thread Wancy

Github user Wancy commented on a diff in the pull request:

https://github.com/apache/phoenix/pull/265#discussion_r124413815
  
--- Diff: 
phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java
 ---
@@ -273,6 +282,54 @@ public int run(String[] args) throws Exception {
 }
   }
 
+  // add remoteUserExtractor to builder if enabled
+  @VisibleForTesting
+  public void setRemoteUserExtractorIfNecessary(HttpServer.Builder 
builder, Configuration conf) {
+if 
(conf.getBoolean(QueryServices.QUERY_SERVER_WITH_REMOTEUSEREXTRACTOR_ATTRIB,
+
QueryServicesOptions.DEFAULT_QUERY_SERVER_WITH_REMOTEUSEREXTRACTOR)) {
+  builder.withRemoteUserExtractor(new 
PhoenixRemoteUserExtractor(conf));
+}
+  }
+
+  /**
+   * Use the correctly way to extract end user.
+   */
+
+  static class PhoenixRemoteUserExtractor implements RemoteUserExtractor{
+private final HttpQueryStringParameterRemoteUserExtractor 
paramRemoteUserExtractor;
+private final HttpRequestRemoteUserExtractor 
requestRemoteUserExtractor;
+private final String userExtractParam;
+
+public PhoenixRemoteUserExtractor(Configuration conf) {
+  this.requestRemoteUserExtractor = new 
HttpRequestRemoteUserExtractor();
+  this.userExtractParam = 
conf.get(QueryServices.QUERY_SERVER_REMOTEUSEREXTRACTOR_PARAM,
+  
QueryServicesOptions.DEFAULT_QUERY_SERVER_REMOTEUSEREXTRACTOR_PARAM);
+  this.paramRemoteUserExtractor = new 
HttpQueryStringParameterRemoteUserExtractor(userExtractParam);
+}
+
+@Override
+public String extract(HttpServletRequest request) throws 
RemoteUserExtractionException {
+  if (request.getParameter(userExtractParam) != null) {
+String extractedUser = paramRemoteUserExtractor.extract(request);
+UserGroupInformation ugi = 
UserGroupInformation.createRemoteUser(request.getRemoteUser());
+UserGroupInformation proxyUser = 
UserGroupInformation.createProxyUser(extractedUser, ugi);
--- End diff --

Hi @joshelser,
I think I understand your concern of the edge cases. I originally wanna add 
it just for kerberos cases, but I thought user extract could be extended to 
simple auth as well in the future, but seems a lot more work needs to be done 
than I thought. Also like you said most people just want point1.

I think for this jira just add it for the kerberos case is more practical.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] phoenix pull request #265: PHOENIX-3598

2017-06-27 Thread joshelser

Github user joshelser commented on a diff in the pull request:

https://github.com/apache/phoenix/pull/265#discussion_r124409282
  
--- Diff: 
phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java
 ---
@@ -228,7 +235,9 @@ public int run(String[] args) throws Exception {
 builder.withSpnego(ugi.getUserName(), additionalAllowedRealms)
 .withAutomaticLogin(keytab)
 .withImpersonation(new PhoenixDoAsCallback(ugi, getConf()));
+
   }
+  setRemoteUserExtractorIfNecessary(builder, getConf());
--- End diff --

With respect to my long-winded comment below, if you're only looking to 
support Kerberos, we want to move this line into the above if-block.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] phoenix pull request #265: PHOENIX-3598

2017-06-27 Thread joshelser

Github user joshelser commented on a diff in the pull request:

https://github.com/apache/phoenix/pull/265#discussion_r124409157
  
--- Diff: 
phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java
 ---
@@ -273,6 +282,54 @@ public int run(String[] args) throws Exception {
 }
   }
 
+  // add remoteUserExtractor to builder if enabled
+  @VisibleForTesting
+  public void setRemoteUserExtractorIfNecessary(HttpServer.Builder 
builder, Configuration conf) {
+if 
(conf.getBoolean(QueryServices.QUERY_SERVER_WITH_REMOTEUSEREXTRACTOR_ATTRIB,
+
QueryServicesOptions.DEFAULT_QUERY_SERVER_WITH_REMOTEUSEREXTRACTOR)) {
+  builder.withRemoteUserExtractor(new 
PhoenixRemoteUserExtractor(conf));
+}
+  }
+
+  /**
+   * Use the correctly way to extract end user.
+   */
+
+  static class PhoenixRemoteUserExtractor implements RemoteUserExtractor{
+private final HttpQueryStringParameterRemoteUserExtractor 
paramRemoteUserExtractor;
+private final HttpRequestRemoteUserExtractor 
requestRemoteUserExtractor;
+private final String userExtractParam;
+
+public PhoenixRemoteUserExtractor(Configuration conf) {
+  this.requestRemoteUserExtractor = new 
HttpRequestRemoteUserExtractor();
+  this.userExtractParam = 
conf.get(QueryServices.QUERY_SERVER_REMOTEUSEREXTRACTOR_PARAM,
+  
QueryServicesOptions.DEFAULT_QUERY_SERVER_REMOTEUSEREXTRACTOR_PARAM);
+  this.paramRemoteUserExtractor = new 
HttpQueryStringParameterRemoteUserExtractor(userExtractParam);
+}
+
+@Override
+public String extract(HttpServletRequest request) throws 
RemoteUserExtractionException {
+  if (request.getParameter(userExtractParam) != null) {
+String extractedUser = paramRemoteUserExtractor.extract(request);
+UserGroupInformation ugi = 
UserGroupInformation.createRemoteUser(request.getRemoteUser());
+UserGroupInformation proxyUser = 
UserGroupInformation.createProxyUser(extractedUser, ugi);
--- End diff --

In re-reading the above, I'm a little worried about the edge-cases. With 
PQS right now, we have the following cases "supported"

1) Kerberos+SPNEGO as the Kerberos user (els...@example.com authenticates 
to PQS and the PQS credentials are used to query Phoenix as els...@example.com)
2) Kerberos auth with HBase but no SPNEGO for PQS clients (legacy support 
for how things used to work before the SPNEGO auth was built -- PQS user does 
everything for users)
3) Without Kerberos, all queries run as the PQS user (out of the box).

Avatica supports more than what point 3 above does, but we haven't 
prioritized wiring that up as most people just want point 1. @Wancy, I had 
originally thought you were just trying to enable a PQS client with Kerberos 
credentials to say that they are someone else (extension of point 1 -- 
Credentials to PQS are for "elserj" but instead of querying Phoenix as 
"elserj", query as "bob").

Did you also want this to work for cases when Kerberos is not in the mix? I 
think that would require some additional changes as I don't think this will 
work as-is.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] phoenix pull request #265: PHOENIX-3598

2017-06-27 Thread joshelser

Github user joshelser commented on a diff in the pull request:

https://github.com/apache/phoenix/pull/265#discussion_r124402049
  
--- Diff: 
phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java
 ---
@@ -273,6 +282,54 @@ public int run(String[] args) throws Exception {
 }
   }
 
+  // add remoteUserExtractor to builder if enabled
+  @VisibleForTesting
+  public void setRemoteUserExtractorIfNecessary(HttpServer.Builder 
builder, Configuration conf) {
+if 
(conf.getBoolean(QueryServices.QUERY_SERVER_WITH_REMOTEUSEREXTRACTOR_ATTRIB,
+
QueryServicesOptions.DEFAULT_QUERY_SERVER_WITH_REMOTEUSEREXTRACTOR)) {
+  builder.withRemoteUserExtractor(new 
PhoenixRemoteUserExtractor(conf));
+}
+  }
+
+  /**
+   * Use the correctly way to extract end user.
+   */
+
+  static class PhoenixRemoteUserExtractor implements RemoteUserExtractor{
+private final HttpQueryStringParameterRemoteUserExtractor 
paramRemoteUserExtractor;
+private final HttpRequestRemoteUserExtractor 
requestRemoteUserExtractor;
+private final String userExtractParam;
+
+public PhoenixRemoteUserExtractor(Configuration conf) {
+  this.requestRemoteUserExtractor = new 
HttpRequestRemoteUserExtractor();
+  this.userExtractParam = 
conf.get(QueryServices.QUERY_SERVER_REMOTEUSEREXTRACTOR_PARAM,
+  
QueryServicesOptions.DEFAULT_QUERY_SERVER_REMOTEUSEREXTRACTOR_PARAM);
+  this.paramRemoteUserExtractor = new 
HttpQueryStringParameterRemoteUserExtractor(userExtractParam);
+}
+
+@Override
+public String extract(HttpServletRequest request) throws 
RemoteUserExtractionException {
+  if (request.getParameter(userExtractParam) != null) {
--- End diff --

We should put a `requestRemoteUserExtractor.extract(request)` at the top of 
this method implementation. We should be using it in both branches of the 
conditional (replacing the `request.getRemoteUser()` call you have below)


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] phoenix pull request #265: PHOENIX-3598

2017-06-27 Thread joshelser

Github user joshelser commented on a diff in the pull request:

https://github.com/apache/phoenix/pull/265#discussion_r124312271
  
--- Diff: 
phoenix-queryserver/src/test/java/org/apache/phoenix/queryserver/server/PhoenixRemoteUserExtractorTest.java
 ---
@@ -0,0 +1,102 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.phoenix.queryserver.server;
+
+import static org.junit.Assert.assertEquals;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import org.apache.calcite.avatica.server.RemoteUserExtractionException;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authorize.AuthorizationException;
+import org.apache.hadoop.security.authorize.ProxyUsers;
+import 
org.apache.phoenix.queryserver.server.QueryServer.PhoenixRemoteUserExtractor;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * Tests for the RemoteUserExtractor Method Avatica provides for Phoenix 
to implement.
+ */
+public class PhoenixRemoteUserExtractorTest {
+  private static final Logger LOG = 
LoggerFactory.getLogger(PhoenixRemoteUserExtractorTest.class);
+
+  @Test
+  public void testUseDoAsSuccess() {
+HttpServletRequest request = mock(HttpServletRequest.class);
+when(request.getRemoteUser()).thenReturn("proxyserver");
+when(request.getParameter("doAs")).thenReturn("enduser");
+when(request.getRemoteAddr()).thenReturn("localhost:1234");
+
+Configuration conf = new Configuration(false);
+conf.set("hadoop.proxyuser.proxyserver.groups", "*");
+conf.set("hadoop.proxyuser.proxyserver.hosts", "*");
+conf.set("phoenix.queryserver.doAs.enabled", "true");
+ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
+
+PhoenixRemoteUserExtractor extractor = new 
PhoenixRemoteUserExtractor(conf);
+try {
+  assertEquals("enduser", extractor.extract(request));
+} catch (RemoteUserExtractionException e) {
+  LOG.info(e.getMessage());
+}
+  }
+
+  @Test
+  public void testDoNotUseDoAs() {
--- End diff --

No, there is no getter on the builder to verify it's called. Instead you 
can use the `Mockito.verify(builder)` method. Something like:

```java
Configuration conf = createTestConfiguration();
Builder b = Mockito.mock(Builder.class);

Mockito.when(b.withRemoteUserExtractor(Mockito.any(PhoenixRemoteUserExtractor.class))).thenReturn(b);
setRemoteUserExtractorIfNecessary(b, conf);
Mockito.verify(b);
```

This should essentially verify that `withRemoteUserExtractor` was invoked 
by `setRemoteUserExtractorIfNecessary`


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] phoenix pull request #265: PHOENIX-3598

2017-06-26 Thread Wancy

Github user Wancy commented on a diff in the pull request:

https://github.com/apache/phoenix/pull/265#discussion_r124153233
  
--- Diff: 
phoenix-queryserver/src/test/java/org/apache/phoenix/queryserver/server/PhoenixRemoteUserExtractorTest.java
 ---
@@ -0,0 +1,102 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.phoenix.queryserver.server;
+
+import static org.junit.Assert.assertEquals;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import org.apache.calcite.avatica.server.RemoteUserExtractionException;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authorize.AuthorizationException;
+import org.apache.hadoop.security.authorize.ProxyUsers;
+import 
org.apache.phoenix.queryserver.server.QueryServer.PhoenixRemoteUserExtractor;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * Tests for the RemoteUserExtractor Method Avatica provides for Phoenix 
to implement.
+ */
+public class PhoenixRemoteUserExtractorTest {
+  private static final Logger LOG = 
LoggerFactory.getLogger(PhoenixRemoteUserExtractorTest.class);
+
+  @Test
+  public void testUseDoAsSuccess() {
+HttpServletRequest request = mock(HttpServletRequest.class);
+when(request.getRemoteUser()).thenReturn("proxyserver");
+when(request.getParameter("doAs")).thenReturn("enduser");
+when(request.getRemoteAddr()).thenReturn("localhost:1234");
+
+Configuration conf = new Configuration(false);
+conf.set("hadoop.proxyuser.proxyserver.groups", "*");
+conf.set("hadoop.proxyuser.proxyserver.hosts", "*");
+conf.set("phoenix.queryserver.doAs.enabled", "true");
+ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
+
+PhoenixRemoteUserExtractor extractor = new 
PhoenixRemoteUserExtractor(conf);
+try {
+  assertEquals("enduser", extractor.extract(request));
+} catch (RemoteUserExtractionException e) {
+  LOG.info(e.getMessage());
+}
+  }
+
+  @Test
+  public void testDoNotUseDoAs() {
--- End diff --

Hi @joshelser,
Is there a way to check if builder called withRemoteUserExtractor or not? I 
tried used "equals" but there will always be two new builder object to compare. 
Also there is no getRemoteUserExtractor method for HttpBuilder.



---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] phoenix pull request #265: PHOENIX-3598

2017-06-26 Thread joshelser

Github user joshelser commented on a diff in the pull request:

https://github.com/apache/phoenix/pull/265#discussion_r124113023
  
--- Diff: 
phoenix-queryserver/src/test/java/org/apache/phoenix/queryserver/server/PhoenixRemoteUserExtractorTest.java
 ---
@@ -0,0 +1,102 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.phoenix.queryserver.server;
+
+import static org.junit.Assert.assertEquals;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import org.apache.calcite.avatica.server.RemoteUserExtractionException;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authorize.AuthorizationException;
+import org.apache.hadoop.security.authorize.ProxyUsers;
+import 
org.apache.phoenix.queryserver.server.QueryServer.PhoenixRemoteUserExtractor;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * Tests for the RemoteUserExtractor Method Avatica provides for Phoenix 
to implement.
+ */
+public class PhoenixRemoteUserExtractorTest {
+  private static final Logger LOG = 
LoggerFactory.getLogger(PhoenixRemoteUserExtractorTest.class);
+
+  @Test
+  public void testUseDoAsSuccess() {
+HttpServletRequest request = mock(HttpServletRequest.class);
+when(request.getRemoteUser()).thenReturn("proxyserver");
+when(request.getParameter("doAs")).thenReturn("enduser");
+when(request.getRemoteAddr()).thenReturn("localhost:1234");
+
+Configuration conf = new Configuration(false);
+conf.set("hadoop.proxyuser.proxyserver.groups", "*");
+conf.set("hadoop.proxyuser.proxyserver.hosts", "*");
+conf.set("phoenix.queryserver.doAs.enabled", "true");
+ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
+
+PhoenixRemoteUserExtractor extractor = new 
PhoenixRemoteUserExtractor(conf);
+try {
+  assertEquals("enduser", extractor.extract(request));
+} catch (RemoteUserExtractionException e) {
+  LOG.info(e.getMessage());
+}
+  }
+
+  @Test
+  public void testDoNotUseDoAs() {
--- End diff --

To test this code if you take my above suggestion, you could make a new 
method in QueryServer which does

```java
Builder setRemoteUserExtractorIfNecessary(Builder b, Configuration conf) {
  if (conf.getBoolean(QueryServices.QUERY_SERVER_DOAS_ENABLED_ATTRIB,
  QueryServicesOptions.DEFAULT_QUERY_SERVER_DOAS_ENABLED)) {
return builder.withRemoteUserExtractor(new 
PhoenixRemoteUserExtractor(getConf()));
  }
  return builder;
}
```

This would let you easily mock the Builder and verify that your extractor 
is configured when the property is set to "true".


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] phoenix pull request #265: PHOENIX-3598

2017-06-26 Thread joshelser

Github user joshelser commented on a diff in the pull request:

https://github.com/apache/phoenix/pull/265#discussion_r124112286
  
--- Diff: 
phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java
 ---
@@ -274,6 +282,47 @@ public int run(String[] args) throws Exception {
   }
 
   /**
+   * Use the correctly way to extract end user.
+   */
+
+  static class PhoenixRemoteUserExtractor implements RemoteUserExtractor{
+private final HttpQueryStringParameterRemoteUserExtractor 
paramRemoteUserExtractor;
+private final HttpRequestRemoteUserExtractor 
requestRemoteUserExtractor;
+private final boolean enableDoAs;
+private final String doAsParam;
+
+public PhoenixRemoteUserExtractor(Configuration conf) {
+  this.requestRemoteUserExtractor = new 
HttpRequestRemoteUserExtractor();
+  this.doAsParam = conf.get(QueryServices.QUERY_SERVER_DOAS_PARAM,
+  QueryServicesOptions.DEFAULT_QUERY_SERVER_DOAS_PARAM);
+  this.paramRemoteUserExtractor = new 
HttpQueryStringParameterRemoteUserExtractor(doAsParam);
+  this.enableDoAs = 
conf.getBoolean(QueryServices.QUERY_SERVER_DOAS_ENABLED_ATTRIB,
+  QueryServicesOptions.DEFAULT_QUERY_SERVER_DOAS_ENABLED);
+}
+
+@Override
+public String extract(HttpServletRequest request) throws 
RemoteUserExtractionException {
+  if (request.getParameter(doAsParam) != null && enableDoAs) {
+String doAsUser = paramRemoteUserExtractor.extract(request);
+UserGroupInformation ugi = 
UserGroupInformation.createRemoteUser(request.getRemoteUser());
+UserGroupInformation proxyUser = 
UserGroupInformation.createProxyUser(doAsUser, ugi);
+
+// Check if this user is allowed to be impersonated.
+// Will throw AuthorizationException if the impersonation as this 
user is not allowed
+try {
+  ProxyUsers.authorize(proxyUser, request.getRemoteAddr());
+  return doAsUser;
+} catch (AuthorizationException e) {
+  throw new RemoteUserExtractionException(e.getMessage());
--- End diff --

Can the exception be passed into the RemoteUserExtractionException instead 
of just the message? (to preserve the stack trace)


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] phoenix pull request #265: PHOENIX-3598

2017-06-26 Thread joshelser

Github user joshelser commented on a diff in the pull request:

https://github.com/apache/phoenix/pull/265#discussion_r124110879
  
--- Diff: 
phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java
 ---
@@ -274,6 +282,47 @@ public int run(String[] args) throws Exception {
   }
 
   /**
+   * Use the correctly way to extract end user.
+   */
+
+  static class PhoenixRemoteUserExtractor implements RemoteUserExtractor{
+private final HttpQueryStringParameterRemoteUserExtractor 
paramRemoteUserExtractor;
+private final HttpRequestRemoteUserExtractor 
requestRemoteUserExtractor;
+private final boolean enableDoAs;
+private final String doAsParam;
+
+public PhoenixRemoteUserExtractor(Configuration conf) {
+  this.requestRemoteUserExtractor = new 
HttpRequestRemoteUserExtractor();
+  this.doAsParam = conf.get(QueryServices.QUERY_SERVER_DOAS_PARAM,
+  QueryServicesOptions.DEFAULT_QUERY_SERVER_DOAS_PARAM);
+  this.paramRemoteUserExtractor = new 
HttpQueryStringParameterRemoteUserExtractor(doAsParam);
+  this.enableDoAs = 
conf.getBoolean(QueryServices.QUERY_SERVER_DOAS_ENABLED_ATTRIB,
+  QueryServicesOptions.DEFAULT_QUERY_SERVER_DOAS_ENABLED);
+}
+
+@Override
+public String extract(HttpServletRequest request) throws 
RemoteUserExtractionException {
+  if (request.getParameter(doAsParam) != null && enableDoAs) {
--- End diff --

This can be simplified when we remove the `enableDoAs` logic.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] phoenix pull request #265: PHOENIX-3598

2017-06-26 Thread joshelser

Github user joshelser commented on a diff in the pull request:

https://github.com/apache/phoenix/pull/265#discussion_r124110721
  
--- Diff: 
phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java
 ---
@@ -274,6 +282,47 @@ public int run(String[] args) throws Exception {
   }
 
   /**
+   * Use the correctly way to extract end user.
+   */
+
+  static class PhoenixRemoteUserExtractor implements RemoteUserExtractor{
+private final HttpQueryStringParameterRemoteUserExtractor 
paramRemoteUserExtractor;
+private final HttpRequestRemoteUserExtractor 
requestRemoteUserExtractor;
+private final boolean enableDoAs;
+private final String doAsParam;
+
+public PhoenixRemoteUserExtractor(Configuration conf) {
+  this.requestRemoteUserExtractor = new 
HttpRequestRemoteUserExtractor();
+  this.doAsParam = conf.get(QueryServices.QUERY_SERVER_DOAS_PARAM,
+  QueryServicesOptions.DEFAULT_QUERY_SERVER_DOAS_PARAM);
+  this.paramRemoteUserExtractor = new 
HttpQueryStringParameterRemoteUserExtractor(doAsParam);
+  this.enableDoAs = 
conf.getBoolean(QueryServices.QUERY_SERVER_DOAS_ENABLED_ATTRIB,
--- End diff --

Can you move this check of whether or not we enable `doAs` above to 
selectively call `withRemoteUserExtractor`, please?


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] phoenix pull request #265: PHOENIX-3598

2017-06-26 Thread joshelser

Github user joshelser commented on a diff in the pull request:

https://github.com/apache/phoenix/pull/265#discussion_r124113153
  
--- Diff: phoenix-queryserver/pom.xml ---
@@ -147,6 +147,10 @@
   commons-logging
   commons-logging
 
+
+  org.mockito
+  mockito-all
--- End diff --

Needs a `test`


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] phoenix pull request #265: PHOENIX-3598

2017-06-26 Thread Wancy

GitHub user Wancy opened a pull request:

https://github.com/apache/phoenix/pull/265

PHOENIX-3598

Add two params "phoenix.queryserver.doAs.enabled" and 
"phoenix.queryserver.doAs.param" to control whether to get enduser from request 
parameters and what is the parameter key name.

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/Wancy/phoenix master

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/phoenix/pull/265.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #265


commit 60b97e1475eedcc8452ba5953d53431988ac9e45
Author: shiwang 
Date:   2017-06-26T06:27:31Z

PHOENIX-3598




---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] phoenix pull request #265: PHOENIX-3598

[GitHub] phoenix pull request #265: PHOENIX-3598

[GitHub] phoenix pull request #265: PHOENIX-3598

[GitHub] phoenix pull request #265: PHOENIX-3598

[GitHub] phoenix pull request #265: PHOENIX-3598

[GitHub] phoenix pull request #265: PHOENIX-3598

[GitHub] phoenix pull request #265: PHOENIX-3598

[GitHub] phoenix pull request #265: PHOENIX-3598

[GitHub] phoenix pull request #265: PHOENIX-3598

[GitHub] phoenix pull request #265: PHOENIX-3598

[GitHub] phoenix pull request #265: PHOENIX-3598

[GitHub] phoenix pull request #265: PHOENIX-3598

[GitHub] phoenix pull request #265: PHOENIX-3598

[GitHub] phoenix pull request #265: PHOENIX-3598

14 matches

Site Navigation

Mail list logo

Footer information