[Impala-ASF-CR] IMPALA-8828: Support impersonation via http paths
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/13994 ) Change subject: IMPALA-8828: Support impersonation via http paths .. Patch Set 5: Verified+1 -- To view, visit http://gerrit.cloudera.org:8080/13994 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6 Gerrit-Change-Number: 13994 Gerrit-PatchSet: 5 Gerrit-Owner: Thomas Tauber-Marshall Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Tim Armstrong Gerrit-Comment-Date: Tue, 06 Aug 2019 04:14:32 + Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-8828: Support impersonation via http paths
Impala Public Jenkins has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/13994 ) Change subject: IMPALA-8828: Support impersonation via http paths .. IMPALA-8828: Support impersonation via http paths This patch allows clients that connect over the HTTP server to specify the 'doAs' parameter in the provided path in order to perform impersonation. The existing rules for impersonation are applied, i.e. authorized_proxy_user_config or authorized_proxy_group_config must be set with the appropriate values for impersonation to be successful. Testing: - Added a FE test that verifies impersonation works as expected with impala-shell and ldap. - Manually tested with Apache Knox. Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6 Reviewed-on: http://gerrit.cloudera.org:8080/13994 Reviewed-by: Impala Public Jenkins Tested-by: Impala Public Jenkins --- M be/src/rpc/auth-provider.h M be/src/rpc/authentication.cc M be/src/rpc/thrift-server.h M be/src/service/impala-hs2-server.cc M be/src/transport/THttpServer.cpp M be/src/transport/THttpServer.h M fe/src/test/java/org/apache/impala/customcluster/LdapImpalaShellTest.java 7 files changed, 180 insertions(+), 58 deletions(-) Approvals: Impala Public Jenkins: Looks good to me, approved; Verified -- To view, visit http://gerrit.cloudera.org:8080/13994 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: merged Gerrit-Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6 Gerrit-Change-Number: 13994 Gerrit-PatchSet: 6 Gerrit-Owner: Thomas Tauber-Marshall Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Tim Armstrong
[Impala-ASF-CR] IMPALA-8828: Support impersonation via http paths
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/13994 ) Change subject: IMPALA-8828: Support impersonation via http paths .. Patch Set 4: Build Successful https://jenkins.impala.io/job/gerrit-code-review-checks/4145/ : Initial code review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun to run full precommit tests. -- To view, visit http://gerrit.cloudera.org:8080/13994 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6 Gerrit-Change-Number: 13994 Gerrit-PatchSet: 4 Gerrit-Owner: Thomas Tauber-Marshall Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Tim Armstrong Gerrit-Comment-Date: Tue, 06 Aug 2019 00:19:42 + Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-8828: Support impersonation via http paths
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/13994 ) Change subject: IMPALA-8828: Support impersonation via http paths .. Patch Set 5: Build started: https://jenkins.impala.io/job/gerrit-verify-dryrun/4735/ DRY_RUN=false -- To view, visit http://gerrit.cloudera.org:8080/13994 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6 Gerrit-Change-Number: 13994 Gerrit-PatchSet: 5 Gerrit-Owner: Thomas Tauber-Marshall Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Tim Armstrong Gerrit-Comment-Date: Mon, 05 Aug 2019 22:53:45 + Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-8828: Support impersonation via http paths
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/13994 ) Change subject: IMPALA-8828: Support impersonation via http paths .. Patch Set 5: Code-Review+2 -- To view, visit http://gerrit.cloudera.org:8080/13994 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6 Gerrit-Change-Number: 13994 Gerrit-PatchSet: 5 Gerrit-Owner: Thomas Tauber-Marshall Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Tim Armstrong Gerrit-Comment-Date: Mon, 05 Aug 2019 22:53:44 + Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-8828: Support impersonation via http paths
Tim Armstrong has posted comments on this change. ( http://gerrit.cloudera.org:8080/13994 ) Change subject: IMPALA-8828: Support impersonation via http paths .. Patch Set 4: Code-Review+2 -- To view, visit http://gerrit.cloudera.org:8080/13994 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6 Gerrit-Change-Number: 13994 Gerrit-PatchSet: 4 Gerrit-Owner: Thomas Tauber-Marshall Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Tim Armstrong Gerrit-Comment-Date: Mon, 05 Aug 2019 22:52:17 + Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-8828: Support impersonation via http paths
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/13994 ) Change subject: IMPALA-8828: Support impersonation via http paths .. Patch Set 3: Build Successful https://jenkins.impala.io/job/gerrit-code-review-checks/4142/ : Initial code review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun to run full precommit tests. -- To view, visit http://gerrit.cloudera.org:8080/13994 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6 Gerrit-Change-Number: 13994 Gerrit-PatchSet: 3 Gerrit-Owner: Thomas Tauber-Marshall Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Tim Armstrong Gerrit-Comment-Date: Mon, 05 Aug 2019 22:51:05 + Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-8828: Support impersonation via http paths
Hello Tim Armstrong, Impala Public Jenkins, I'd like you to reexamine a change. Please visit http://gerrit.cloudera.org:8080/13994 to look at the new patch set (#4). Change subject: IMPALA-8828: Support impersonation via http paths .. IMPALA-8828: Support impersonation via http paths This patch allows clients that connect over the HTTP server to specify the 'doAs' parameter in the provided path in order to perform impersonation. The existing rules for impersonation are applied, i.e. authorized_proxy_user_config or authorized_proxy_group_config must be set with the appropriate values for impersonation to be successful. Testing: - Added a FE test that verifies impersonation works as expected with impala-shell and ldap. - Manually tested with Apache Knox. Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6 --- M be/src/rpc/auth-provider.h M be/src/rpc/authentication.cc M be/src/rpc/thrift-server.h M be/src/service/impala-hs2-server.cc M be/src/transport/THttpServer.cpp M be/src/transport/THttpServer.h M fe/src/test/java/org/apache/impala/customcluster/LdapImpalaShellTest.java 7 files changed, 180 insertions(+), 58 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/94/13994/4 -- To view, visit http://gerrit.cloudera.org:8080/13994 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6 Gerrit-Change-Number: 13994 Gerrit-PatchSet: 4 Gerrit-Owner: Thomas Tauber-Marshall Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Tim Armstrong
[Impala-ASF-CR] IMPALA-8828: Support impersonation via http paths
Thomas Tauber-Marshall has posted comments on this change. ( http://gerrit.cloudera.org:8080/13994 ) Change subject: IMPALA-8828: Support impersonation via http paths .. Patch Set 4: > Can we add a test for the error path? Done -- To view, visit http://gerrit.cloudera.org:8080/13994 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6 Gerrit-Change-Number: 13994 Gerrit-PatchSet: 4 Gerrit-Owner: Thomas Tauber-Marshall Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Tim Armstrong Gerrit-Comment-Date: Mon, 05 Aug 2019 22:37:34 + Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-8828: Support impersonation via http paths
Tim Armstrong has posted comments on this change. ( http://gerrit.cloudera.org:8080/13994 ) Change subject: IMPALA-8828: Support impersonation via http paths .. Patch Set 3: Can we add a test for the error path? -- To view, visit http://gerrit.cloudera.org:8080/13994 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6 Gerrit-Change-Number: 13994 Gerrit-PatchSet: 3 Gerrit-Owner: Thomas Tauber-Marshall Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Tim Armstrong Gerrit-Comment-Date: Mon, 05 Aug 2019 22:21:50 + Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-8828: Support impersonation via http paths
Thomas Tauber-Marshall has posted comments on this change. ( http://gerrit.cloudera.org:8080/13994 ) Change subject: IMPALA-8828: Support impersonation via http paths .. Patch Set 3: (1 comment) http://gerrit.cloudera.org:8080/#/c/13994/2/be/src/rpc/authentication.cc File be/src/rpc/authentication.cc: http://gerrit.cloudera.org:8080/#/c/13994/2/be/src/rpc/authentication.cc@594 PS2, Line 594: *err_msg = Substitute( > Is this a safe fallback? Done -- To view, visit http://gerrit.cloudera.org:8080/13994 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6 Gerrit-Change-Number: 13994 Gerrit-PatchSet: 3 Gerrit-Owner: Thomas Tauber-Marshall Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Tim Armstrong Gerrit-Comment-Date: Mon, 05 Aug 2019 22:10:33 + Gerrit-HasComments: Yes
[Impala-ASF-CR] IMPALA-8828: Support impersonation via http paths
Hello Tim Armstrong, Impala Public Jenkins, I'd like you to reexamine a change. Please visit http://gerrit.cloudera.org:8080/13994 to look at the new patch set (#3). Change subject: IMPALA-8828: Support impersonation via http paths .. IMPALA-8828: Support impersonation via http paths This patch allows clients that connect over the HTTP server to specify the 'doAs' parameter in the provided path in order to perform impersonation. The existing rules for impersonation are applied, i.e. authorized_proxy_user_config or authorized_proxy_group_config must be set with the appropriate values for impersonation to be successful. Testing: - Added a FE test that verifies impersonation works as expected with impala-shell and ldap. - Manually tested with Apache Knox. Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6 --- M be/src/rpc/auth-provider.h M be/src/rpc/authentication.cc M be/src/rpc/thrift-server.h M be/src/service/impala-hs2-server.cc M be/src/transport/THttpServer.cpp M be/src/transport/THttpServer.h M fe/src/test/java/org/apache/impala/customcluster/LdapImpalaShellTest.java 7 files changed, 174 insertions(+), 58 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/94/13994/3 -- To view, visit http://gerrit.cloudera.org:8080/13994 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6 Gerrit-Change-Number: 13994 Gerrit-PatchSet: 3 Gerrit-Owner: Thomas Tauber-Marshall Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Tim Armstrong
[Impala-ASF-CR] IMPALA-8828: Support impersonation via http paths
Tim Armstrong has posted comments on this change. ( http://gerrit.cloudera.org:8080/13994 ) Change subject: IMPALA-8828: Support impersonation via http paths .. Patch Set 2: (1 comment) http://gerrit.cloudera.org:8080/#/c/13994/2/be/src/rpc/authentication.cc File be/src/rpc/authentication.cc: http://gerrit.cloudera.org:8080/#/c/13994/2/be/src/rpc/authentication.cc@594 PS2, Line 594: LOG(WARNING) << "Could not decode 'doAs' parameter from HTTP request with " Is this a safe fallback? If we ignore the doAs user, couldn't the client execute operations as the delegating user, who might be more privileged? Seems like we might actually have to set an error flag on connection_context and bubble back an error to avoid this. There's an argument that this is not our problem - Apache Knox or whatever other system that is doing the delegation needs to get this security-critical stuff right. But it still seems better to me to fail safe in this case. -- To view, visit http://gerrit.cloudera.org:8080/13994 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6 Gerrit-Change-Number: 13994 Gerrit-PatchSet: 2 Gerrit-Owner: Thomas Tauber-Marshall Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Tim Armstrong Gerrit-Comment-Date: Mon, 05 Aug 2019 20:42:04 + Gerrit-HasComments: Yes
[Impala-ASF-CR] IMPALA-8828: Support impersonation via http paths
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/13994 ) Change subject: IMPALA-8828: Support impersonation via http paths .. Patch Set 2: Build Successful https://jenkins.impala.io/job/gerrit-code-review-checks/4138/ : Initial code review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun to run full precommit tests. -- To view, visit http://gerrit.cloudera.org:8080/13994 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6 Gerrit-Change-Number: 13994 Gerrit-PatchSet: 2 Gerrit-Owner: Thomas Tauber-Marshall Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Thomas Tauber-Marshall Gerrit-Reviewer: Tim Armstrong Gerrit-Comment-Date: Mon, 05 Aug 2019 20:20:17 + Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-8828: Support impersonation via http paths
Thomas Tauber-Marshall has posted comments on this change. (
http://gerrit.cloudera.org:8080/13994 )
Change subject: IMPALA-8828: Support impersonation via http paths
..
Patch Set 2:
(3 comments)
http://gerrit.cloudera.org:8080/#/c/13994/1/be/src/rpc/authentication.cc
File be/src/rpc/authentication.cc:
http://gerrit.cloudera.org:8080/#/c/13994/1/be/src/rpc/authentication.cc@591
PS1, Line 591: if (key_value.size() == 2 && key_value[0] == "doAs") {
> Should we UrlDecode() the username? I was comparing this code to the code i
Done
http://gerrit.cloudera.org:8080/#/c/13994/1/be/src/rpc/authentication.cc@1091
PS1, Line 1091:
> Maybe comment to indicate why it was left blank?
Done
http://gerrit.cloudera.org:8080/#/c/13994/1/be/src/service/impala-hs2-server.cc
File be/src/service/impala-hs2-server.cc:
http://gerrit.cloudera.org:8080/#/c/13994/1/be/src/service/impala-hs2-server.cc@312
PS1, Line 312: const ThriftServer::ConnectionContext* connection_context =
> line too long (105 > 90)
Done
--
To view, visit http://gerrit.cloudera.org:8080/13994
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6
Gerrit-Change-Number: 13994
Gerrit-PatchSet: 2
Gerrit-Owner: Thomas Tauber-Marshall
Gerrit-Reviewer: Impala Public Jenkins
Gerrit-Reviewer: Thomas Tauber-Marshall
Gerrit-Reviewer: Tim Armstrong
Gerrit-Comment-Date: Mon, 05 Aug 2019 19:39:25 +
Gerrit-HasComments: Yes
[Impala-ASF-CR] IMPALA-8828: Support impersonation via http paths
Hello Tim Armstrong, Impala Public Jenkins, I'd like you to reexamine a change. Please visit http://gerrit.cloudera.org:8080/13994 to look at the new patch set (#2). Change subject: IMPALA-8828: Support impersonation via http paths .. IMPALA-8828: Support impersonation via http paths This patch allows clients that connect over the HTTP server to specify the 'doAs' parameter in the provided path in order to perform impersonation. The existing rules for impersonation are applied, i.e. authorized_proxy_user_config or authorized_proxy_group_config must be set with the appropriate values for impersonation to be successful. Testing: - Added a FE test that verifies impersonation works as expected with impala-shell and ldap. - Manually tested with Apache Knox. Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6 --- M be/src/rpc/auth-provider.h M be/src/rpc/authentication.cc M be/src/rpc/thrift-server.h M be/src/service/impala-hs2-server.cc M be/src/transport/THttpServer.cpp M be/src/transport/THttpServer.h M fe/src/test/java/org/apache/impala/customcluster/LdapImpalaShellTest.java 7 files changed, 168 insertions(+), 58 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/94/13994/2 -- To view, visit http://gerrit.cloudera.org:8080/13994 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6 Gerrit-Change-Number: 13994 Gerrit-PatchSet: 2 Gerrit-Owner: Thomas Tauber-Marshall Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Tim Armstrong
[Impala-ASF-CR] IMPALA-8828: Support impersonation via http paths
Tim Armstrong has posted comments on this change. ( http://gerrit.cloudera.org:8080/13994 ) Change subject: IMPALA-8828: Support impersonation via http paths .. Patch Set 1: (2 comments) http://gerrit.cloudera.org:8080/#/c/13994/1/be/src/rpc/authentication.cc File be/src/rpc/authentication.cc: http://gerrit.cloudera.org:8080/#/c/13994/1/be/src/rpc/authentication.cc@591 PS1, Line 591: connection_context->do_as_user = key_value[1]; Should we UrlDecode() the username? I was comparing this code to the code in Webserver::BuildArgumentMap(). I don't know how common special characters in usernames are, but it would be good to handle it correctly. http://gerrit.cloudera.org:8080/#/c/13994/1/be/src/rpc/authentication.cc@1091 PS1, Line 1091: case ThriftServer::BINARY: Maybe comment to indicate why it was left blank? -- To view, visit http://gerrit.cloudera.org:8080/13994 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6 Gerrit-Change-Number: 13994 Gerrit-PatchSet: 1 Gerrit-Owner: Thomas Tauber-Marshall Gerrit-Reviewer: Impala Public Jenkins Gerrit-Reviewer: Tim Armstrong Gerrit-Comment-Date: Mon, 05 Aug 2019 17:21:42 + Gerrit-HasComments: Yes
[Impala-ASF-CR] IMPALA-8828: Support impersonation via http paths
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/13994 ) Change subject: IMPALA-8828: Support impersonation via http paths .. Patch Set 1: Build Successful https://jenkins.impala.io/job/gerrit-code-review-checks/4129/ : Initial code review checks passed. Use gerrit-verify-dryrun-external or gerrit-verify-dryrun to run full precommit tests. -- To view, visit http://gerrit.cloudera.org:8080/13994 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6 Gerrit-Change-Number: 13994 Gerrit-PatchSet: 1 Gerrit-Owner: Thomas Tauber-Marshall Gerrit-Reviewer: Impala Public Jenkins Gerrit-Comment-Date: Fri, 02 Aug 2019 23:39:21 + Gerrit-HasComments: No
[Impala-ASF-CR] IMPALA-8828: Support impersonation via http paths
Impala Public Jenkins has posted comments on this change. ( http://gerrit.cloudera.org:8080/13994 ) Change subject: IMPALA-8828: Support impersonation via http paths .. Patch Set 1: (1 comment) http://gerrit.cloudera.org:8080/#/c/13994/1/be/src/service/impala-hs2-server.cc File be/src/service/impala-hs2-server.cc: http://gerrit.cloudera.org:8080/#/c/13994/1/be/src/service/impala-hs2-server.cc@312 PS1, Line 312: const ThriftServer::ConnectionContext* connection_context = ThriftServer::GetThreadConnectionContext(); line too long (105 > 90) -- To view, visit http://gerrit.cloudera.org:8080/13994 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6 Gerrit-Change-Number: 13994 Gerrit-PatchSet: 1 Gerrit-Owner: Thomas Tauber-Marshall Gerrit-Reviewer: Impala Public Jenkins Gerrit-Comment-Date: Fri, 02 Aug 2019 22:59:48 + Gerrit-HasComments: Yes
[Impala-ASF-CR] IMPALA-8828: Support impersonation via http paths
Thomas Tauber-Marshall has uploaded this change for review. ( http://gerrit.cloudera.org:8080/13994 Change subject: IMPALA-8828: Support impersonation via http paths .. IMPALA-8828: Support impersonation via http paths This patch allows clients that connect over the HTTP server to specify the 'doAs' parameter in the provided path in order to perform impersonation. The existing rules for impersonation are applied, i.e. authorized_proxy_user_config or authorized_proxy_group_config must be set with the appropriate values for impersonation to be successful. Testing: - Added a FE test that verifies impersonation works as expected with impala-shell and ldap. - Manually tested with Apache Knox. Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6 --- M be/src/rpc/auth-provider.h M be/src/rpc/authentication.cc M be/src/rpc/thrift-server.h M be/src/service/impala-hs2-server.cc M be/src/transport/THttpServer.cpp M be/src/transport/THttpServer.h M fe/src/test/java/org/apache/impala/customcluster/LdapImpalaShellTest.java 7 files changed, 157 insertions(+), 58 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/94/13994/1 -- To view, visit http://gerrit.cloudera.org:8080/13994 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newchange Gerrit-Change-Id: I20b9c2e2d106530732f1c52f8d3d1ecc24ae4bd6 Gerrit-Change-Number: 13994 Gerrit-PatchSet: 1 Gerrit-Owner: Thomas Tauber-Marshall
