Apache Drill / DRILL-6283

WebServer stores SPNEGO client principal without taking any conversion rule


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.13.0
    • Fix Version/s: 1.14.0
    • Component/s: Web Server

    Description

      Drill's WebServer uses the exact client principal (user1@QA.LAB) as the stored username; it doesn't provide any configuration to specify rules that can be used to extract the desired username from the client's principal.

      For example, the default rule provided by HadoopKerberosName extracts only the primary part (user1) of the client principal.

      Also, while checking whether the authenticated client principal has admin privileges, it uses the realm (e.g. QA.LAB) information to verify against the configured admin user/group list. To make it consistent with the JDBC/ODBC Kerberos path, it should use the shortName in the client principal to determine admin privileges.

      Basically, the server side should store the shortName from the client principal, extracted based on the configured rule, and use that to determine the admin privileges too.
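
A simplified model of the behaviour requested above, as an added example that is not Drill's or Hadoop's code: it applies a subset of the `auth_to_local` rule syntax to derive the short name and authorizes on that name. The admin list, the rule strings and the function names are assumptions made for illustration.

```python
import re

# Constructed sample values: realm and user come from the issue text,
# the admin list and the rule strings are hypothetical.
DEFAULT_REALM = "QA.LAB"
ADMIN_USERS = {"user1"}

PRINCIPAL = re.compile(r"^([^/@]+)(?:/([^/@]+))?@([^/@]+)$")
RULE = re.compile(r"^RULE:\[(\d):([^\]]*)\](?:\((.*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")


def short_name(principal, rules, default_realm=DEFAULT_REALM):
    """Map a Kerberos principal to a short name; the first matching rule wins."""
    m = PRINCIPAL.match(principal)
    if not m:
        raise ValueError(f"malformed principal: {principal!r}")
    primary, instance, realm = m.groups()
    parts = [realm, primary] + ([instance] if instance else [])
    for rule in rules:
        if rule == "DEFAULT":
            # Only principals in the default realm are shortened.
            if realm == default_realm:
                return primary
            continue
        r = RULE.match(rule)
        if not r:
            raise ValueError(f"unsupported rule: {rule!r}")
        count, fmt, regex, pat, repl, glob = r.groups()
        if int(count) != len(parts) - 1:
            continue  # rule targets a different number of components
        # $0 is the realm, $1 the primary, $2 the instance.
        base = re.sub(r"\$(\d)", lambda d: parts[int(d.group(1))], fmt)
        if regex and not re.fullmatch(regex, base):
            continue
        name = base
        if pat is not None:
            name = re.sub(pat, repl, base, count=0 if glob else 1)
        # Refuse results that still look like a full principal.
        if re.search(r"[/@]", name):
            raise ValueError(f"rule left a non-simple name: {name!r}")
        return name
    raise ValueError(f"no rule applies to {principal!r}")


def is_admin(principal, rules):
    """Authorize on the mapped short name, never on the raw principal."""
    return short_name(principal, rules) in ADMIN_USERS
```

With only `DEFAULT` configured, a principal from a realm other than the default one is rejected instead of being collapsed onto a local user's short name.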

          People

            shamirwasia Sorabh Hamirwasia
            shamirwasia Sorabh Hamirwasia
            Arina Ielchiieva