[GitHub] incubator-hawq pull request #1339: HAWQ-1036. Implement user impersonation i...
Github user denalex commented on a diff in the pull request:
https://github.com/apache/incubator-hawq/pull/1339#discussion_r167117297
--- Diff:
pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/utilities/ProtocolData.java
---
@@ -356,6 +361,20 @@ public float getStatsSampleRatio() {
return statsSampleRatio;
}
+private void parseSecurityProperties() {
+// obtain identity of the end-user -- mandatory only when
impersonation is enabled
+if (SecureLogin.isUserImpersonationEnabled()) {
+this.user = getProperty("USER");
+} else {
+this.user = getOptionalProperty("USER");
--- End diff --
the property is part of the InputData, so we fill it up anyways. Disabling
impersonation disables running the request in the SecurityContext of the user,
but user info might be important for some other things (like logging).
---
[GitHub] incubator-hawq pull request #1339: HAWQ-1036. Implement user impersonation i...
Github user shivzone commented on a diff in the pull request:
https://github.com/apache/incubator-hawq/pull/1339#discussion_r167091091
--- Diff:
pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/servlet/SecurityServletFilter.java
---
@@ -0,0 +1,114 @@
+package org.apache.hawq.pxf.service.servlet;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hawq.pxf.service.utilities.SecureLogin;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import java.io.IOException;
+import java.security.PrivilegedExceptionAction;
+import java.lang.reflect.UndeclaredThrowableException;
+
+/**
+ * Listener on lifecycle events of our webapp
+ */
+public class SecurityServletFilter implements Filter {
+
+private static final Log LOG =
LogFactory.getLog(SecurityServletFilter.class);
+private static final String USER_HEADER = "X-GP-USER";
+private static final String MISSING_HEADER_ERROR =
String.format("Header %s is missing in the request", USER_HEADER);
+private static final String EMPTY_HEADER_ERROR = String.format("Header
%s is empty in the request", USER_HEADER);
+
+
--- End diff --
extra newline
---
[GitHub] incubator-hawq pull request #1339: HAWQ-1036. Implement user impersonation i...
Github user shivzone commented on a diff in the pull request: https://github.com/apache/incubator-hawq/pull/1339#discussion_r167092314 --- Diff: pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/servlet/SecurityServletFilter.java --- @@ -0,0 +1,114 @@ +package org.apache.hawq.pxf.service.servlet; + +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; +import org.apache.hadoop.security.UserGroupInformation; +import org.apache.hawq.pxf.service.utilities.SecureLogin; + +import javax.servlet.*; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import java.io.IOException; +import java.security.PrivilegedExceptionAction; --- End diff -- Order of imports ---
[GitHub] incubator-hawq pull request #1339: HAWQ-1036. Implement user impersonation i...
Github user shivzone commented on a diff in the pull request:
https://github.com/apache/incubator-hawq/pull/1339#discussion_r167091345
--- Diff:
pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/servlet/SecurityServletFilter.java
---
@@ -0,0 +1,114 @@
+package org.apache.hawq.pxf.service.servlet;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hawq.pxf.service.utilities.SecureLogin;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import java.io.IOException;
+import java.security.PrivilegedExceptionAction;
+import java.lang.reflect.UndeclaredThrowableException;
+
+/**
+ * Listener on lifecycle events of our webapp
+ */
+public class SecurityServletFilter implements Filter {
+
+private static final Log LOG =
LogFactory.getLog(SecurityServletFilter.class);
+private static final String USER_HEADER = "X-GP-USER";
+private static final String MISSING_HEADER_ERROR =
String.format("Header %s is missing in the request", USER_HEADER);
+private static final String EMPTY_HEADER_ERROR = String.format("Header
%s is empty in the request", USER_HEADER);
+
+
+/**
+ * Initializes the filter.
+ *
+ * @param filterConfig
+ */
+@Override
+public void init(FilterConfig filterConfig) throws ServletException {
+}
+
+/**
+ * If user impersonation is configured, examines the request for the
presense of the expected security headers
+ * and create a proxy user to execute further request chain. Responds
with an HTTP error if the header is missing
+ * or the chain processing throws an exception.
+ *
+ * @param request
--- End diff --
Not entirely sure if javadocs will be happy with params without description
---
[GitHub] incubator-hawq pull request #1339: HAWQ-1036. Implement user impersonation i...
Github user shivzone commented on a diff in the pull request:
https://github.com/apache/incubator-hawq/pull/1339#discussion_r167092711
--- Diff:
pxf/pxf-service/src/main/java/org/apache/hawq/pxf/service/utilities/ProtocolData.java
---
@@ -356,6 +361,20 @@ public float getStatsSampleRatio() {
return statsSampleRatio;
}
+private void parseSecurityProperties() {
+// obtain identity of the end-user -- mandatory only when
impersonation is enabled
+if (SecureLogin.isUserImpersonationEnabled()) {
+this.user = getProperty("USER");
+} else {
+this.user = getOptionalProperty("USER");
--- End diff --
Do we need the user property if impersonation is not enabled ?
---
[GitHub] incubator-hawq pull request #1339: HAWQ-1036. Implement user impersonation i...
GitHub user denalex opened a pull request: https://github.com/apache/incubator-hawq/pull/1339 HAWQ-1036. Implement user impersonation in PXF You can merge this pull request into a Git repository by running: $ git pull https://github.com/denalex/incubator-hawq pxf-user Alternatively you can review and apply these changes as the patch at: https://github.com/apache/incubator-hawq/pull/1339.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #1339 commit d21091bbc8dae125690c0a48cf25708ffba004fb Author: Alexander Denissov Date: 2017-12-08T01:17:32Z HAWQ-1036. Implement user impersonation in PXF commit 83c9b660911c3fb2de56fa2559021d7fd700c6cb Author: Alexander Denissov Date: 2017-12-13T20:13:11Z substitute protocol version during build commit 4d711b32acc61c53b25041ed7bc0a1354c5bb0d0 Author: Alexander Denissov Date: 2017-12-13T20:52:58Z declared variables as final commit 9df7b824ff89f934d84a61aa230b04694cc4ea96 Author: Alexander Denissov Date: 2017-12-14T23:04:25Z added parameter to the test commit f6979bd5a06949f04ebd569fe60b9039b1058956 Author: Alexander Denissov Date: 2017-12-20T23:02:27Z propagate exception ---
[GitHub] incubator-hawq issue #1338: HAWQ-1586. Update version from 2.2.0.0 to 2.3.0....
Github user jiny2 commented on the issue: https://github.com/apache/incubator-hawq/pull/1338 Merged into master and 2.3.0.0-incubating branches ---
[GitHub] incubator-hawq pull request #1338: HAWQ-1586. Update version from 2.2.0.0 to...
Github user jiny2 closed the pull request at: https://github.com/apache/incubator-hawq/pull/1338 ---
