drill-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DRILL-6283) WebServer stores SPNEGO client principal without taking any conversion rule
Date Mon, 26 Mar 2018 11:36:00 GMT

    [ https://issues.apache.org/jira/browse/DRILL-6283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16413726#comment-16413726

ASF GitHub Bot commented on DRILL-6283:

Github user asfgit closed the pull request at:


> WebServer stores SPNEGO client principal without taking any conversion rule
> ---------------------------------------------------------------------------
>                 Key: DRILL-6283
>                 URL: https://issues.apache.org/jira/browse/DRILL-6283
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Web Server
>    Affects Versions: 1.13.0
>            Reporter: Sorabh Hamirwasia
>            Assignee: Sorabh Hamirwasia
>            Priority: Major
>              Labels: ready-to-commit
>             Fix For: 1.14.0
> Drill's WebServer uses the exact client principal (user1@QA.LAB) as the stored username,
it doesn't provide any configuration to specify rules which can be used to extract desired
username from client's principal.
> For example: default rule provided by HadoopKerberosName extracts only the primary part
(user1) in client principal. 
> Also while checking if authenticated client principal has admin privileges or not it
uses realm (e.g. QA.LAB) information to verify against configured admin user/group list. To
make it consistent with JDBC/ODBC kerberos path, it should use the shortName in client principal
to determine admin privileges.
> Basically server side should store the shortName from client principal extracted based
on configured rule and use that to determine the admin privileges too.

This message was sent by Atlassian JIRA

View raw message