[ 
https://issues.apache.org/jira/browse/IMPALA-11298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17977605#comment-17977605
 ] 

ASF subversion and git services commented on IMPALA-11298:
----------------------------------------------------------

Commit c044bdd49d20a83de3c04f6eeb9f2477eeee4815 in impala's branch 
refs/heads/master from Abhishek Rawat
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=c044bdd49 ]

IMPALA-14083: Connected user and session user mismatch when cookie based
authentication is used with SPNEGO

IMPALA-11298 allowed comparing short user name for connected user and
session user to support proxy clients like Hue which could potentially
use different physical hosts for queries/requests from the same session.

When cookie based authentication is used, the 'kerberos_user_short' is
not set on the ConnectionContext and as a result 'connected_user_short'
is not set in SessionState. This can cause a mismatch when comparing
short user names from ConnectionContext and SessionState. This happens
because the original connection authenticated using SPNEGO will have
'kerberos_user_short' in the ConnectionContext, while the other
connections authenticated using cookies won't have 'kerberos_user_short'
set in the ConnectionContext.

This patch addresses this issue by setting 'kerberos_user_short' in
ConnectionContext, when using auth cookies generated post SPNEGO. This
information is retrieved from 'impala.auth' cookie itself, which now
also stores the 'a=<AUTH_MECHANISM>' in the cookie's value.

Testing:
- Added a SpnegoAuthTest which simulates 'knox' like proxy client and
uses SPNEGO to connect to Impala and also uses authentication cookies.
The test runs concurrent sql clients similar to real world scenarios.
Without the fix the test fails with error:
  The user authorized on the connection '<username>' does not match the
  session username ''

Change-Id: Id7223e449c32484bfd2295f7a9e728b7c02637e9
Reviewed-on: http://gerrit.cloudera.org:8080/22986
Tested-by: Impala Public Jenkins <[email protected]>
Reviewed-by: Jason Fehr <[email protected]>


> Compare only the short username when checking session user against connection 
> user
> ----------------------------------------------------------------------------------
>
>                 Key: IMPALA-11298
>                 URL: https://issues.apache.org/jira/browse/IMPALA-11298
>             Project: IMPALA
>          Issue Type: Bug
>            Reporter: Vincent Tran
>            Assignee: Abhishek Rawat
>            Priority: Critical
>             Fix For: Impala 4.5.0
>
>
> When checking that the session user matches the user authenticated on the 
> connection, the usernames compared include the client hostname and the realm
> {code:java}
>         if (!connection_username.empty()
>             && session_->connected_user != connection_username) {
>           return Status::Expected(TErrorCode::UNAUTHORIZED_SESSION_USER,
>               connection_username, session_->connected_user);
>         }{code}
> This can result in exceptions like so:
> {noformat}
> The user authorized on the connection 'hue/[email protected]' does 
> not match the session username 'hue/[email protected]'{noformat}
> We should convert these to short name before comparing.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
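
The mismatch described in the commit message and in the quoted issue, as an added example (not Impala's own code). The struct layouts, the AuthPath enum, the function names and the principals are assumptions made for illustration, and the short name is taken to be the primary component of the principal; only the field names kerberos_user_short, connected_user and connected_user_short come from the text above.

```cpp
#include <iostream>
#include <string>

// Simplified mapping (assumption): the short name is the primary component
// of "primary/instance@REALM". Real deployments may apply other rules.
std::string ShortName(const std::string& principal) {
  return principal.substr(0, principal.find_first_of("/@"));
}

// Hypothetical stand-ins; only the field names come from the commit message.
struct ConnectionContext {
  std::string username;             // full authenticated principal
  std::string kerberos_user_short;  // empty when the auth path never set it
};
struct SessionState { std::string connected_user, connected_user_short; };

enum class AuthPath { kSpnego, kCookieBeforeFix, kCookieAfterFix };
ConnectionContext Authenticate(const std::string& principal, AuthPath path) {
  ConnectionContext conn{principal, ""};
  // Before the fix, cookie-authenticated connections left the short name unset.
  if (path != AuthPath::kCookieBeforeFix) conn.kerberos_user_short = ShortName(principal);
  return conn;
}

// A session records the identity of the connection that opened it.
SessionState OpenSession(const ConnectionContext& conn) {
  return SessionState{conn.username, conn.kerberos_user_short};
}

// Full-principal comparison, as in the snippet quoted in the issue.
bool FullNameMatches(const ConnectionContext& conn, const SessionState& s) {
  return conn.username.empty() || s.connected_user == conn.username;
}

// Short-name comparison, the behaviour the issue asks for.
bool ShortNameMatches(const ConnectionContext& conn, const SessionState& s) {
  return conn.kerberos_user_short.empty()
      || s.connected_user_short == conn.kerberos_user_short;
}

int main() {
  const std::string h1 = "hue/host1.example.com@EXAMPLE.COM";  // constructed
  const std::string h2 = "hue/host2.example.com@EXAMPLE.COM";  // constructed
  ConnectionContext spnego = Authenticate(h2, AuthPath::kSpnego);
  for (AuthPath p : {AuthPath::kCookieBeforeFix, AuthPath::kCookieAfterFix}) {
    SessionState s = OpenSession(Authenticate(h1, p));
    std::cout << FullNameMatches(spnego, s) << ShortNameMatches(spnego, s) << "\n";
  }
}
```

With this mapping every instance of a primary, on any host or realm, compares as the same user, so the short-name check is only as strict as the mapping that produces the short names.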