[jira] [Commented] (CALCITE-1539) Enable proxy access to Avatica server for third party on behalf of end users

Wed, 14 Dec 2016 16:25:28 -0800 

    [ 
https://issues.apache.org/jira/browse/CALCITE-1539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15749922#comment-15749922
 ] 

Josh Elser commented on CALCITE-1539:
-------------------------------------

bq. it will present 'user1' to the server using a 'doAs=user1' in the query 
string

Ok, that's easy enough to grab the username from. Do you know if Hue works in 
the same manner? I would guess that picking it off of a header is also not 
unheard of.

Right now the {{DoAsRemoteUserCallback}} that can be passed to the 
{{HttpServer.Builder}} is only used with SPNEGO (see 
{{HttpServer.Builder.buildSpnegoConfiguration(..)}}). I believe we'd want to 
wire it up to the HTTP Basic and Digest authentication "modes" that Avatica 
also support now. Then, add some sort of "PROXY" mode (to encapsulate these 
proxy services that pass authentication in some other way) which can be used 
for Hue, Knox, etc.

The trick here in Avatica is that we have to not think in "terms of Hadoop". 
That is not in the picture at all. We have to think about the backend as any 
RDBMS (or RDBMS-like system). While this makes the scope much more broad, it 
does help in forcing a reusable implementation in most cases.

Are you interested in helping out here, [~jinghe]? I'd be more than happy to 
give you some pointers/help along the way.

> Enable proxy access to Avatica server for third party on behalf of end users
> ----------------------------------------------------------------------------
>
>                 Key: CALCITE-1539
>                 URL: https://issues.apache.org/jira/browse/CALCITE-1539
>             Project: Calcite
>          Issue Type: Improvement
>          Components: avatica
>            Reporter: Jerry He
>            Assignee: Josh Elser
>
> We want to enable proxy access to Avatica server from an end user, but the 
> end user comes in via a third party impersonation.  For example, Knox and Hue.
> The Knox server user conveys the end user to Avatica.
> Similar things have been done for HBase Rest Sever HBASE-9866 and Hive Server 
> HIVE-5155



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to