[
https://issues.apache.org/jira/browse/CALCITE-1539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15749895#comment-15749895
]
Jerry He commented on CALCITE-1539:
-----------------------------------
Hi, [~elserj]
Thanks for the quick response.
I think the case is when the Knox comes to Avatica/PQS, it will present 'user1'
to the server using a 'doAs=user1' in the query string. On the other hand, the
'knox' user is SPNEGO authenticated to the server. Then we want the server to
get 'user1' as the effective remote user, creates a proxy UGI used on it, and
then GUI.doAs() to the HBase server, for example.
In HIVE-5155 see 2).
The Avatica server should be able to intercept such requirement in the query
string, and let the callback hook (e.g. PQS) decides how to go from there.
> Enable proxy access to Avatica server for third party on behalf of end users
> ----------------------------------------------------------------------------
>
> Key: CALCITE-1539
> URL: https://issues.apache.org/jira/browse/CALCITE-1539
> Project: Calcite
> Issue Type: Improvement
> Components: avatica
> Reporter: Jerry He
> Assignee: Josh Elser
>
> We want to enable proxy access to Avatica server from an end user, but the
> end user comes in via a third party impersonation. For example, Knox and Hue.
> The Knox server user conveys the end user to Avatica.
> Similar things have been done for HBase Rest Sever HBASE-9866 and Hive Server
> HIVE-5155
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
