[
https://issues.apache.org/jira/browse/CALCITE-1539?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15907894#comment-15907894
]
Josh Elser commented on CALCITE-1539:
-------------------------------------
Sorry for the delayed response, [~Wancy], I forgot about this one :)

> I add another param remoteUserExtractor in the builder, and change method
> withImpersonation() to pass in an additional customer provided
> remoteUserExtractor argument

This sounds right. We want to make sure we only add new methods to the builder
-- not change any existing ones.

> to add the correct remoteUserExtractor in the AvaticaServerConfig, but this
> is only added when it is using spnego authentication. Not sure if impersonation
> is needed for other kinds of authentication.

I think there are two cases which we "can't know" what to do in Avatica.

1. How do we extract the user name from a request (doAs via HTTP request
parameter in the case you are working towards)
2. What authenticated user is allowed to impersonate another (can Josh
impersonate Shi? can Josh impersonate Julian? -- these seem very implementation
specific). I think this also includes the authentication method as well.

I am thinking that this interface I am suggesting would have to include all of
this information in the callback -- for each request, we would want to delegate
to the implementation: "is $realuser authenticated via $method allowed to
impersonate $other_user". e.g. "is Josh authenticated via spnego allowed to
impersonate Shi?" or "is Shi authenticated via HTTP Basic allowed to
impersonate Julian?"

Is this clear?

> Enable proxy access to Avatica server for third party on behalf of end users
> ----------------------------------------------------------------------------
>
> Key: CALCITE-1539
> URL: https://issues.apache.org/jira/browse/CALCITE-1539
> Project: Calcite
> Issue Type: Improvement
> Components: avatica
> Reporter: Jerry He
> Assignee: Shi Wang
> Attachments:
> 0001-CALCITE-1539-Enable-proxy-access-to-Avatica-server-f.patch,
> 0001-CALCITE-1539_without_testcase.patch
>
>
> We want to enable proxy access to Avatica server from an end user, but the
> end user comes in via a third party impersonation. For example, Knox and Hue.
> The Knox server user conveys the end user to Avatica.
> Similar things have been done for HBase Rest Server HBASE-9866 and Hive Server
> HIVE-5155
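
The per-request check described in the comment above ("is $realuser authenticated via $method allowed to impersonate $other_user"), sketched in Java as an added example that is not part of the original message or of Avatica's code. The names `Caller`, `ImpersonationPolicy` and `effectiveUser` and the sample allowlist are hypothetical, and rejecting repeated or blank doAs values is an assumption of this sketch.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/** Hypothetical sketch; none of these names are Avatica APIs. */
public class ImpersonationPolicyExample {
  record Caller(String realUser, String authMethod) {}

  /** Per-request callback: may this authenticated caller act as targetUser? */
  interface ImpersonationPolicy {
    boolean mayImpersonate(Caller caller, String targetUser);
  }

  /** Resolves the effective user for one request; empty means reject the request. */
  static Optional<String> effectiveUser(
      ImpersonationPolicy policy, Caller caller, List<String> doAsValues) {
    if (doAsValues == null || doAsValues.isEmpty()) {
      return Optional.of(caller.realUser());   // no doAs: run as the authenticated user
    }
    if (doAsValues.size() > 1 || doAsValues.get(0).isBlank()) {
      return Optional.empty();                 // ambiguous or blank doAs: never guess
    }
    String target = doAsValues.get(0);
    if (target.equals(caller.realUser()) || policy.mayImpersonate(caller, target)) {
      return Optional.of(target);
    }
    return Optional.empty();                   // deny by default
  }

  public static void main(String[] args) {
    // Constructed allowlist using the names from the comment: (user, method) -> targets.
    Map<Caller, Set<String>> allow = Map.of(
        new Caller("josh", "SPNEGO"), Set.of("shi"),
        new Caller("shi", "BASIC"), Set.of("julian"));
    ImpersonationPolicy policy =
        (caller, target) -> allow.getOrDefault(caller, Set.of()).contains(target);
    Caller joshSpnego = new Caller("josh", "SPNEGO");
    System.out.println(effectiveUser(policy, joshSpnego, List.of("shi")));
    System.out.println(effectiveUser(policy, joshSpnego, List.of("julian")));
    System.out.println(effectiveUser(policy, new Caller("josh", "BASIC"), List.of("shi")));
    System.out.println(effectiveUser(policy, joshSpnego, List.of()));
    System.out.println(effectiveUser(policy, joshSpnego, List.of("shi", "julian")));
  }
}
```

Because the authentication method is part of the lookup key, a grant made to a SPNEGO-authenticated caller does not carry over to the same user name authenticated via HTTP Basic.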