From: "ASF GitHub Bot (JIRA)"
To: issues@drill.apache.org
Reply-To: dev@drill.apache.org
Mailing-List: contact issues-help@drill.apache.org; run by ezmlm
Date: Fri, 25 Aug 2017 18:04:00 +0000 (UTC)
Subject: [jira] [Commented] (DRILL-5726) Support Impersonation without authentication for REST API

    [ https://issues.apache.org/jira/browse/DRILL-5726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16141964#comment-16141964 ]

ASF GitHub Bot commented on DRILL-5726:
---------------------------------------

Github user sohami commented on a diff in the pull request:

    https://github.com/apache/drill/pull/910#discussion_r135193811

    --- Diff: exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/DrillRestServer.java ---
@@ -230,6 +230,27 @@ public WebUserConnection provide() { public void dispose(WebUserConnection instance) { } + + /** + * Creates session user principal. If impersonation is enabled without authentication and User-Name header is present and valid, + * will create session user principal with provided user name, otherwise anonymous user name will be used. + * In both cases session user principal will have admin rights. + * + * @param config drill config + * @param request client request + * @return session user principal + */ + private Principal createSessionUserPrincipal(DrillConfig config, HttpServletRequest request) { + final boolean checkForUserName = !config.getBoolean(ExecConstants.USER_AUTHENTICATION_ENABLED) && config.getBoolean(ExecConstants.IMPERSONATION_ENABLED); + if (checkForUserName) {
    --- End diff --

    In this case it should be enforced that the _User-Name_ is provided in the header when used via the REST API and from the WebUI. Falling back to the _anonymous_ user will not help, since it will fail during query execution as there won't be any valid user with name _anonymous_ on the server side.

> Support Impersonation without authentication for REST API
> ---------------------------------------------------------
>
>                 Key: DRILL-5726
>                 URL: https://issues.apache.org/jira/browse/DRILL-5726
>             Project: Apache Drill
>          Issue Type: Improvement
>    Affects Versions: 1.11.0
>            Reporter: Arina Ielchiieva
>            Assignee: Arina Ielchiieva
>             Fix For: 1.12.0
>         Attachments: login_page.JPG, query_page_with_user_name.JPG
>
>
> Today if a user is not authenticated via the REST API, there is no way to provide a user name for executing queries. It will by default be executed as the "anonymous" user. This doesn't work when impersonation without authentication is enabled on the Drill server side: since the anonymous user doesn't exist, the query will fail. We need a way to provide a user name when impersonation is enabled on the Drill side and the query is executed from the REST API.
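Review bot: the Javadoc on createSessionUserPrincipal promises admin rights for the session principal in both branches, yet the name it is built from is the client-supplied User-Name header with no authentication behind it (the branch is only taken when USER_AUTHENTICATION_ENABLED is false). Spell that trust assumption out in the Javadoc, and say what "present and valid" actually checks, since the visible lines show only the config test and not the header validation. The anonymous fallback described in the same Javadoc is also better documented as a failure path than as a working default: as the review comment above points out, no such user exists server-side, so a missing or empty header in this mode should be rejected with a clear error rather than silently turned into a principal that fails at execution time. Minor: the `checkForUserName` line runs well past the usual width; putting the two `config.getBoolean(...)` lookups on separate lines would help.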
> There are two approaches to achieve that:
>
> *1. Use form-based authentication*
>
> On the Web UI the user will be prompted to enter only a login, then a session for that user will be created and the user will be treated as admin. Form-based authentication will cache user information, so the user won't need to set the user name each time he / she wants to execute a query. Log in / out options will also be available. An example screenshot of the login page is attached (login_page.JPG).
>
> From the programmatic perspective, the user would need to authenticate first and use the cookie to get the query result.
>
> *2. Use {{User-Name}} header in request*
>
> On the Web UI an additional input field will appear on the Query page. The user would need to enter the user name before issuing the query. An example screenshot of the query page is attached (query_page_with_user_name.JPG). Under the hood, the user name would be added to the client request as a request header. On the server side this header would be used to create the user session principal. From the programmatic perspective, the user would need to add the header when issuing the request.
>
> *_From the two options above the second was chosen, as it would ease REST API usage from the programmatic perspective; plus, using form-based authentication may lead to the false assumption that the user is authenticated, which in reality is not true._*
>
> *Implementation details of the second approach:*
>
> _Note: the implementation below will take effect only if authentication is disabled and impersonation is enabled. By means of freemarker, the page won't include the js lib and script if the condition is not met._
>
> On the client side an additional input field was added to the query page. When the client submits the query, the request would be changed using ajax to add the {{User-Name}} header, which would be taken from the new input field. On the server side, this header would be used to create the session principal with the provided user name and admin rights. If the user name header was not provided (null or empty), the default anonymous principal will be used.
> *Adding user name header approaches:*
>
> _Web UI_
>
> Enter the user name in the User Name input field on the Query page before submitting the query (query_page_with_user_name.JPG).
>
> _sqlline_
>
> {code}./drill-localhost -n user1{code}
>
> _curl_
>
> {code}
> curl -v -H "Content-Type: application/json" -H "User-Name: user1" -d '{"queryType":"SQL", "query": "select * from sys.version"}' http://localhost:8047/query.json
> {code}
>
> _Java way_
>
> {code}
> import java.io.InputStream;
> import java.io.OutputStream;
> import java.net.URL;
> import java.net.URLConnection;
> import java.nio.charset.StandardCharsets;
> import org.apache.commons.io.IOUtils;
>
> String url = "http://localhost:8047/query.json";
> URLConnection connection = new URL(url).openConnection();
> connection.setDoOutput(true); // Triggers POST.
> // User to run the query as; the server reads it only when authentication is disabled and impersonation is enabled.
> connection.addRequestProperty("User-Name", "user1");
> connection.setRequestProperty("Content-Type", "application/json");
> String data = "{\"queryType\":\"SQL\", \"query\": \"select * from sys.version\"}";
> try (OutputStream output = connection.getOutputStream()) {
>   output.write(data.getBytes(StandardCharsets.UTF_8));
> }
> try (InputStream response = connection.getInputStream()) {
>   String result = IOUtils.toString(response, StandardCharsets.UTF_8);
>   System.out.println(result);
> }
> {code}
>
> Note: {{Apache HttpClient}} can be used as well.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
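Added example, not code from the ticket, the pull request or the Drill project: a small Python model of the User-Name header flow the ticket describes. A stand-in HTTP endpoint applies the stated server-side rule (the header is consulted only when authentication is disabled and impersonation is enabled; a missing or blank header falls back to anonymous), and a client posts a query the way the curl and Java snippets above do. The `/query.json` path, the `User-Name` header and the request body shape come from the ticket; the user list, the ephemeral port, the error payload and the `runAs` field are constructed for the demo. It also reproduces the failure the review comment describes: with impersonation on, the anonymous fallback is rejected because no such user exists.

```python
"""Constructed model of the User-Name header flow from DRILL-5726 (not Drill code)."""
import json
import threading
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

ANONYMOUS = "anonymous"
# Constructed stand-in for the accounts an impersonated query can resolve to.
KNOWN_USERS = {"user1", "user2"}


@dataclass(frozen=True)
class ServerConfig:
    """The two switches the ticket's server-side logic keys on."""
    user_authentication_enabled: bool
    impersonation_enabled: bool


def session_user(config: ServerConfig, headers) -> str:
    """Pick the session user for one request, following the ticket's rule:
    User-Name is honoured only with authentication off and impersonation on,
    and a missing/blank header falls back to anonymous. With authentication
    on the header is ignored (the real server would use the authenticated
    principal, which this model does not cover)."""
    check_for_user_name = (not config.user_authentication_enabled
                           and config.impersonation_enabled)
    if not check_for_user_name:
        return ANONYMOUS
    name = (headers.get("User-Name") or "").strip()
    return name or ANONYMOUS


def make_handler(config: ServerConfig):
    """Build a request handler bound to one server configuration."""

    class QueryHandler(BaseHTTPRequestHandler):
        def do_POST(self):
            length = int(self.headers.get("Content-Length", "0"))
            body = json.loads(self.rfile.read(length) or b"{}")
            user = session_user(config, self.headers)
            # With impersonation on the query runs as `user`; an unknown name
            # (including the anonymous fallback) cannot be resolved.
            if config.impersonation_enabled and user not in KNOWN_USERS:
                self._reply(400, {"errorMessage": f"no such user '{user}'"})
                return
            self._reply(200, {"queryType": body.get("queryType"), "runAs": user})

        def _reply(self, status: int, payload: dict):
            data = json.dumps(payload).encode("utf-8")
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *args):  # keep the demo output quiet
            pass

    return QueryHandler


def submit_query(url: str, sql: str, user_name=None):
    """POST a query like the ticket's curl command; returns (status, json body)."""
    headers = {"Content-Type": "application/json"}
    if user_name is not None:
        headers["User-Name"] = user_name
    payload = json.dumps({"queryType": "SQL", "query": sql}).encode("utf-8")
    req = Request(url, data=payload, headers=headers, method="POST")
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())


def run_demo(config: ServerConfig, user_name=None):
    """Start the stand-in server on an ephemeral port, send one query, stop it."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(config))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{server.server_port}/query.json"
        return submit_query(url, "select * from sys.version", user_name)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    cfg = ServerConfig(user_authentication_enabled=False, impersonation_enabled=True)
    print(run_demo(cfg, "user1"))  # header honoured: runs as user1
    print(run_demo(cfg))           # header absent: anonymous is rejected
```

The point the model makes visible is that in the no-auth, impersonation-on configuration nothing but the header decides whose account the query runs under, so the REST port in that mode has to be reachable only from clients that are already trusted.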