drill-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DRILL-6283) WebServer stores SPNEGO client principal without taking any conversion rule
Date Mon, 26 Mar 2018 11:36:00 GMT

    [ https://issues.apache.org/jira/browse/DRILL-6283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16413726#comment-16413726 ]

ASF GitHub Bot commented on DRILL-6283:
---------------------------------------

GitHub user asfgit closed the pull request at:

    https://github.com/apache/drill/pull/1180


> WebServer stores SPNEGO client principal without taking any conversion rule
> ---------------------------------------------------------------------------
>
>                 Key: DRILL-6283
>                 URL: https://issues.apache.org/jira/browse/DRILL-6283
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Web Server
>    Affects Versions: 1.13.0
>            Reporter: Sorabh Hamirwasia
>            Assignee: Sorabh Hamirwasia
>            Priority: Major
>              Labels: ready-to-commit
>             Fix For: 1.14.0
>
>
> Drill's WebServer uses the exact client principal (user1@QA.LAB) as the stored username; it doesn't provide any configuration to specify rules which can be used to extract the desired username from the client's principal.
> For example: the default rule provided by HadoopKerberosName extracts only the primary part (user1) of the client principal.
> Also, while checking whether the authenticated client principal has admin privileges, it uses realm (e.g. QA.LAB) information to verify against the configured admin user/group list. To make it consistent with the JDBC/ODBC Kerberos path, it should use the shortName in the client principal to determine admin privileges.
> Basically, the server side should store the shortName from the client principal, extracted based on the configured rule, and use that to determine the admin privileges too.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
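
The mapping the issue asks for, as an added example that is not Drill's or Hadoop's code: a simplified Java model of Hadoop-style name rules (`DEFAULT` plus one `RULE:[n:format](match)s/from/to/` form) that compares an admin check on the raw principal with one on the derived short name. The class name, rule set, admin list, default realm and the two principals other than `user1@QA.LAB` are assumptions constructed for illustration.

```java
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example: simplified model of Hadoop-style principal-to-short-name rules.
public class ShortNameDemo {
    // RULE:[n:format](match)s/from/to/ ; the only other rule accepted here is DEFAULT.
    static final Pattern RULE =
        Pattern.compile("RULE:\\[(\\d):([^\\]]*)\\]\\((.*)\\)s/([^/]*)/([^/]*)/");

    /** Returns the short name for a principal, or null when no rule matches. */
    static String shortName(String principal, String defaultRealm, List<String> rules) {
        int at = principal.lastIndexOf('@');
        String realm = at < 0 ? defaultRealm : principal.substring(at + 1);
        String[] comps = (at < 0 ? principal : principal.substring(0, at)).split("/");
        for (String rule : rules) {
            if (rule.equals("DEFAULT")) {
                // DEFAULT maps only principals from the default realm to their primary part.
                if (realm.equals(defaultRealm)) return comps[0];
                continue;
            }
            Matcher m = RULE.matcher(rule);
            if (!m.matches() || Integer.parseInt(m.group(1)) != comps.length) continue;
            // Build the candidate: $0 is the realm, $1..$n are the name components.
            String candidate = m.group(2).replace("$0", realm);
            for (int i = 0; i < comps.length; i++) {
                candidate = candidate.replace("$" + (i + 1), comps[i]);
            }
            if (candidate.matches(m.group(3))) {
                return candidate.replaceFirst(m.group(4), m.group(5));
            }
        }
        return null; // no rule matched: treat as unmapped, never as admin
    }

    public static void main(String[] args) {
        Set<String> admins = Set.of("user1"); // constructed admin user list
        List<String> rules = List.of("RULE:[2:$1@$0](.*@QA\\.LAB)s/@.*//", "DEFAULT");
        for (String p : List.of("user1@QA.LAB", "user1/host1@QA.LAB", "user1@OTHER.LAB")) {
            String s = shortName(p, "QA.LAB", rules);
            System.out.printf("%-20s raw-admin=%-5b short=%-6s short-admin=%b%n",
                p, admins.contains(p), s, s != null && admins.contains(s));
        }
    }
}
```

The third principal shows why the short name should come from realm-aware rules rather than from stripping everything after `@`: a principal from a realm no rule covers stays unmapped and fails the admin check.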
