[
https://issues.apache.org/jira/browse/CALCITE-1539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15749872#comment-15749872
]
Josh Elser commented on CALCITE-1539:
-------------------------------------
HI [~jinghe]!
bq. We want to enable proxy access to Avatica server from an end user, but the
end user comes in via a third party impersonation
Can you describe the scenarios for how this works now? Funnily enough, I've
been recently playing around with Knox this week.
For context, when using Kerberos authentication (via SPNEGO in Avatica),
there's a hook that Phoenix overrides which allows the standard {{UGI.doAs()}}
logic to take place. I'm not sure what other kinds of proxy access are
"standard" with Knox or Hue though.
https://github.com/apache/phoenix/blob/master/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java#L227
and
https://github.com/apache/phoenix/blob/master/phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java#L276-L325
is what currently exists.
> Enable proxy access to Avatica server for third party on behalf of end users
> ----------------------------------------------------------------------------
>
> Key: CALCITE-1539
> URL: https://issues.apache.org/jira/browse/CALCITE-1539
> Project: Calcite
> Issue Type: Improvement
> Components: avatica
> Reporter: Jerry He
> Assignee: Josh Elser
>
> We want to enable proxy access to Avatica server from an end user, but the
> end user comes in via a third party impersonation. For example, Knox and Hue.
> The Knox server user conveys the end user to Avatica.
> Similar things have been done for HBase Rest Sever HBASE-9866 and Hive Server
> HIVE-5155
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
