drill-issues mailing list archives

From "Vitalii Diravka (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (DRILL-6283) WebServer stores SPNEGO client principal without taking any conversion rule
Date Mon, 26 Mar 2018 12:01:01 GMT

    [ https://issues.apache.org/jira/browse/DRILL-6283?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16413736#comment-16413736 ]

Vitalii Diravka edited comment on DRILL-6283 at 3/26/18 12:00 PM:
------------------------------------------------------------------

Merged into Apache Drill master branch with commit id 36aa757911b3953b1edc864e585015e06b1d5dfd


was (Author: vitalii):
Merged into Apache Drill master branch with commit id 46281d250077d220c3737477ec43e69fe1e0fc79

> WebServer stores SPNEGO client principal without taking any conversion rule
> ---------------------------------------------------------------------------
>
>                 Key: DRILL-6283
>                 URL: https://issues.apache.org/jira/browse/DRILL-6283
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Web Server
>    Affects Versions: 1.13.0
>            Reporter: Sorabh Hamirwasia
>            Assignee: Sorabh Hamirwasia
>            Priority: Major
>              Labels: ready-to-commit
>             Fix For: 1.14.0
>
>
> Drill's WebServer uses the exact client principal (user1@QA.LAB) as the stored username;
> it doesn't provide any configuration to specify rules which can be used to extract the desired
> username from the client's principal.
> For example: the default rule provided by HadoopKerberosName extracts only the primary part
> (user1) in the client principal.
> Also, while checking if the authenticated client principal has admin privileges or not, it
> uses realm (e.g. QA.LAB) information to verify against the configured admin user/group list. To
> make it consistent with the JDBC/ODBC Kerberos path, it should use the shortName in the client principal
> to determine admin privileges.
> Basically, the server side should store the shortName from the client principal, extracted based
> on the configured rule, and use that to determine the admin privileges too.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
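
The behaviour the issue asks for, as an added illustration that is not code from Drill, Hadoop or the referenced commit: a simplified stand-in for a DEFAULT-style rule maps the principal to a short name, and the admin check runs on that short name only. The class and method names, the local realm `QA.LAB` and the admin list containing `user1` are assumptions constructed for this example.

```java
import java.util.Optional;
import java.util.Set;

// Added illustration: simplified stand-in for a DEFAULT-style Kerberos
// principal-to-short-name rule. Not Drill's or Hadoop's implementation.
public class ShortNameDemo {
    // Assumed local realm and admin list (constructed sample values).
    static final String LOCAL_REALM = "QA.LAB";
    static final Set<String> ADMIN_USERS = Set.of("user1");

    // primary[/instance]@REALM -> primary, only when REALM is the local realm.
    static Optional<String> shortName(String principal) {
        int at = principal.lastIndexOf('@');
        if (at <= 0 || at == principal.length() - 1) {
            return Optional.empty();            // missing primary or realm: refuse to map
        }
        String realm = principal.substring(at + 1);
        if (!realm.equals(LOCAL_REALM)) {
            return Optional.empty();            // foreign realm: no rule matches
        }
        String name = principal.substring(0, at);
        int slash = name.indexOf('/');
        String primary = slash >= 0 ? name.substring(0, slash) : name;
        return primary.isEmpty() ? Optional.empty() : Optional.of(primary);
    }

    // The admin decision uses the mapped short name, never the raw principal.
    static boolean isAdmin(String principal) {
        return shortName(principal).map(ADMIN_USERS::contains).orElse(false);
    }

    public static void main(String[] args) {
        String[] samples = {                    // constructed inputs
            "user1@QA.LAB", "user1/admin@QA.LAB", "user1@OTHER.LAB",
            "user2@QA.LAB", "user1"
        };
        for (String p : samples) {
            // raw-match shows what comparing the unmapped principal would yield.
            System.out.printf("%-20s raw-match=%-5b short=%-8s admin=%b%n",
                p, ADMIN_USERS.contains(p), shortName(p).orElse("<none>"), isAdmin(p));
        }
    }
}
```

In this stand-in, `user1/admin@QA.LAB` also maps to `user1`, so a deployment that needs to tell such principals apart requires an explicit rule rather than the default mapping.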
