Apache Drill / DRILL-6283

WebServer stores SPNEGO client principal without taking any conversion rule

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.13.0
    • Fix Version/s: 1.14.0
    • Component/s: Web Server

      Description

      Drill's WebServer uses the exact client principal (user1@QA.LAB) as the stored username; it doesn't provide any configuration to specify rules that can be used to extract the desired username from the client's principal.

      For example, the default rule provided by HadoopKerberosName extracts only the primary part (user1) of the client principal.

      Also, while checking whether the authenticated client principal has admin privileges, it uses realm (e.g. QA.LAB) information to verify against the configured admin user/group list. To make it consistent with the JDBC/ODBC Kerberos path, it should use the shortName in the client principal to determine admin privileges.

      Basically, the server side should store the shortName extracted from the client principal based on the configured rule and use that to determine admin privileges too.
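
An added illustration of the behaviour described above (not Drill's or Hadoop's code): a simplified model of a default short-name rule that keeps only the primary for principals in the local realm, with an admin check run against both the full principal and the short name. The class name, `DEFAULT_REALM`, the admin list of short names and the rejection of other realms are assumptions made for this example.

```java
import java.util.Set;

/** Illustrative model only; names and values below are assumptions. */
public class SpnegoShortNameExample {
    static final String DEFAULT_REALM = "QA.LAB";            // assumed local realm
    static final Set<String> ADMIN_USERS = Set.of("user1");  // assumed admin list of short names

    /**
     * Simplified default rule: for a principal in the local realm, keep only
     * the primary (text before the first '/' or '@'). Principals from any
     * other realm are rejected instead of being mapped to a local user.
     */
    static String shortName(String principal) {
        int at = principal.lastIndexOf('@');
        if (at < 0) {
            return principal; // no realm part, already a short name
        }
        String realm = principal.substring(at + 1);
        if (!DEFAULT_REALM.equals(realm)) {
            throw new IllegalArgumentException("No rule applies to " + principal);
        }
        String name = principal.substring(0, at);
        int slash = name.indexOf('/');
        return slash < 0 ? name : name.substring(0, slash);
    }

    static boolean isAdmin(String storedUserName) {
        return ADMIN_USERS.contains(storedUserName);
    }

    public static void main(String[] args) {
        String principal = "user1@QA.LAB"; // principal from the issue text

        // Storing the full principal: the lookup key carries the realm, so it
        // does not line up with an admin list made of short names.
        System.out.println("full principal is admin: " + isAdmin(principal));

        // Storing the short name: the same key serves as username and admin lookup.
        String stored = shortName(principal);
        System.out.println("stored " + stored + ", is admin: " + isAdmin(stored));

        // A principal from another realm fails closed.
        try {
            shortName("user1@OTHER.REALM"); // constructed sample
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```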


              People

              • Assignee:
                shamirwasia Sorabh Hamirwasia
                Reporter:
                shamirwasia Sorabh Hamirwasia
                Reviewer:
                Arina Ielchiieva