WebServer stores SPNEGO client principal without taking any conversion rule

Drill's WebServer uses the exact client principal (user1@QA.LAB) as the stored username, it doesn't provide any configuration to specify rules which can be used to extract desired username from client's principal.

For example: default rule provided by HadoopKerberosName extracts only the primary part (user1) in client principal. 

Also while checking if authenticated client principal has admin privileges or not it uses realm (e.g. QA.LAB) information to verify against configured admin user/group list. To make it consistent with JDBC/ODBC kerberos path, it should use the shortName in client principal to determine admin privileges.

Basically server side should store the shortName from client principal extracted based on configured rule and use that to determine the admin privileges too.