You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@phoenix.apache.org by Wancy <gi...@git.apache.org> on 2017/06/26 06:35:10 UTC
[GitHub] phoenix pull request #265: PHOENIX-3598
GitHub user Wancy opened a pull request:
https://github.com/apache/phoenix/pull/265
PHOENIX-3598
Add two params "phoenix.queryserver.doAs.enabled" and "phoenix.queryserver.doAs.param" to control whether to get enduser from request parameters and what is the parameter key name.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/Wancy/phoenix master
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/phoenix/pull/265.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #265
----
commit 60b97e1475eedcc8452ba5953d53431988ac9e45
Author: shiwang <sh...@us.ibm.com>
Date: 2017-06-26T06:27:31Z
PHOENIX-3598
----
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] phoenix pull request #265: PHOENIX-3598
Posted by joshelser <gi...@git.apache.org>.
Github user joshelser commented on a diff in the pull request:
https://github.com/apache/phoenix/pull/265#discussion_r124312271
--- Diff: phoenix-queryserver/src/test/java/org/apache/phoenix/queryserver/server/PhoenixRemoteUserExtractorTest.java ---
@@ -0,0 +1,102 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.phoenix.queryserver.server;
+
+import static org.junit.Assert.assertEquals;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import org.apache.calcite.avatica.server.RemoteUserExtractionException;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authorize.AuthorizationException;
+import org.apache.hadoop.security.authorize.ProxyUsers;
+import org.apache.phoenix.queryserver.server.QueryServer.PhoenixRemoteUserExtractor;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * Tests for the RemoteUserExtractor Method Avatica provides for Phoenix to implement.
+ */
+public class PhoenixRemoteUserExtractorTest {
+ private static final Logger LOG = LoggerFactory.getLogger(PhoenixRemoteUserExtractorTest.class);
+
+ @Test
+ public void testUseDoAsSuccess() {
+ HttpServletRequest request = mock(HttpServletRequest.class);
+ when(request.getRemoteUser()).thenReturn("proxyserver");
+ when(request.getParameter("doAs")).thenReturn("enduser");
+ when(request.getRemoteAddr()).thenReturn("localhost:1234");
+
+ Configuration conf = new Configuration(false);
+ conf.set("hadoop.proxyuser.proxyserver.groups", "*");
+ conf.set("hadoop.proxyuser.proxyserver.hosts", "*");
+ conf.set("phoenix.queryserver.doAs.enabled", "true");
+ ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
+
+ PhoenixRemoteUserExtractor extractor = new PhoenixRemoteUserExtractor(conf);
+ try {
+ assertEquals("enduser", extractor.extract(request));
+ } catch (RemoteUserExtractionException e) {
+ LOG.info(e.getMessage());
+ }
+ }
+
+ @Test
+ public void testDoNotUseDoAs() {
--- End diff --
No, there is no getter on the builder to verify it's called. Instead you can use the `Mockito.verify(builder)` method. Something like:
```java
Configuration conf = createTestConfiguration();
Builder b = Mockito.mock(Builder.class);
Mockito.when(b.withRemoteUserExtractor(Mockito.any(PhoenixRemoteUserExtractor.class))).thenReturn(b);
setRemoteUserExtractorIfNecessary(b, conf);
Mockito.verify(b);
```
This should essentially verify that `withRemoteUserExtractor` was invoked by `setRemoteUserExtractorIfNecessary`
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] phoenix pull request #265: PHOENIX-3598
Posted by joshelser <gi...@git.apache.org>.
Github user joshelser commented on a diff in the pull request:
https://github.com/apache/phoenix/pull/265#discussion_r124113023
--- Diff: phoenix-queryserver/src/test/java/org/apache/phoenix/queryserver/server/PhoenixRemoteUserExtractorTest.java ---
@@ -0,0 +1,102 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.phoenix.queryserver.server;
+
+import static org.junit.Assert.assertEquals;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import org.apache.calcite.avatica.server.RemoteUserExtractionException;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authorize.AuthorizationException;
+import org.apache.hadoop.security.authorize.ProxyUsers;
+import org.apache.phoenix.queryserver.server.QueryServer.PhoenixRemoteUserExtractor;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * Tests for the RemoteUserExtractor Method Avatica provides for Phoenix to implement.
+ */
+public class PhoenixRemoteUserExtractorTest {
+ private static final Logger LOG = LoggerFactory.getLogger(PhoenixRemoteUserExtractorTest.class);
+
+ @Test
+ public void testUseDoAsSuccess() {
+ HttpServletRequest request = mock(HttpServletRequest.class);
+ when(request.getRemoteUser()).thenReturn("proxyserver");
+ when(request.getParameter("doAs")).thenReturn("enduser");
+ when(request.getRemoteAddr()).thenReturn("localhost:1234");
+
+ Configuration conf = new Configuration(false);
+ conf.set("hadoop.proxyuser.proxyserver.groups", "*");
+ conf.set("hadoop.proxyuser.proxyserver.hosts", "*");
+ conf.set("phoenix.queryserver.doAs.enabled", "true");
+ ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
+
+ PhoenixRemoteUserExtractor extractor = new PhoenixRemoteUserExtractor(conf);
+ try {
+ assertEquals("enduser", extractor.extract(request));
+ } catch (RemoteUserExtractionException e) {
+ LOG.info(e.getMessage());
+ }
+ }
+
+ @Test
+ public void testDoNotUseDoAs() {
--- End diff --
To test this code if you take my above suggestion, you could make a new method in QueryServer which does
```java
Builder setRemoteUserExtractorIfNecessary(Builder b, Configuration conf) {
if (conf.getBoolean(QueryServices.QUERY_SERVER_DOAS_ENABLED_ATTRIB,
QueryServicesOptions.DEFAULT_QUERY_SERVER_DOAS_ENABLED)) {
return builder.withRemoteUserExtractor(new PhoenixRemoteUserExtractor(getConf()));
}
return builder;
}
```
This would let you easily mock the Builder and verify that your extractor is configured when the property is set to "true".
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] phoenix pull request #265: PHOENIX-3598
Posted by joshelser <gi...@git.apache.org>.
Github user joshelser commented on a diff in the pull request:
https://github.com/apache/phoenix/pull/265#discussion_r124414777
--- Diff: phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java ---
@@ -273,6 +282,54 @@ public int run(String[] args) throws Exception {
}
}
+ // add remoteUserExtractor to builder if enabled
+ @VisibleForTesting
+ public void setRemoteUserExtractorIfNecessary(HttpServer.Builder builder, Configuration conf) {
+ if (conf.getBoolean(QueryServices.QUERY_SERVER_WITH_REMOTEUSEREXTRACTOR_ATTRIB,
+ QueryServicesOptions.DEFAULT_QUERY_SERVER_WITH_REMOTEUSEREXTRACTOR)) {
+ builder.withRemoteUserExtractor(new PhoenixRemoteUserExtractor(conf));
+ }
+ }
+
+ /**
+ * Use the correctly way to extract end user.
+ */
+
+ static class PhoenixRemoteUserExtractor implements RemoteUserExtractor{
+ private final HttpQueryStringParameterRemoteUserExtractor paramRemoteUserExtractor;
+ private final HttpRequestRemoteUserExtractor requestRemoteUserExtractor;
+ private final String userExtractParam;
+
+ public PhoenixRemoteUserExtractor(Configuration conf) {
+ this.requestRemoteUserExtractor = new HttpRequestRemoteUserExtractor();
+ this.userExtractParam = conf.get(QueryServices.QUERY_SERVER_REMOTEUSEREXTRACTOR_PARAM,
+ QueryServicesOptions.DEFAULT_QUERY_SERVER_REMOTEUSEREXTRACTOR_PARAM);
+ this.paramRemoteUserExtractor = new HttpQueryStringParameterRemoteUserExtractor(userExtractParam);
+ }
+
+ @Override
+ public String extract(HttpServletRequest request) throws RemoteUserExtractionException {
+ if (request.getParameter(userExtractParam) != null) {
+ String extractedUser = paramRemoteUserExtractor.extract(request);
+ UserGroupInformation ugi = UserGroupInformation.createRemoteUser(request.getRemoteUser());
+ UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(extractedUser, ugi);
--- End diff --
Agreed! I think the work you've put in would be nice to support for the non-Kerberos case, but let's not hold up this change for that.
I will try to write up a test case for PQS (mini-hbase, mini-kdc, and PQS) to validate your changes here before I commit.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] phoenix pull request #265: PHOENIX-3598
Posted by joshelser <gi...@git.apache.org>.
Github user joshelser commented on a diff in the pull request:
https://github.com/apache/phoenix/pull/265#discussion_r124110879
--- Diff: phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java ---
@@ -274,6 +282,47 @@ public int run(String[] args) throws Exception {
}
/**
+ * Use the correctly way to extract end user.
+ */
+
+ static class PhoenixRemoteUserExtractor implements RemoteUserExtractor{
+ private final HttpQueryStringParameterRemoteUserExtractor paramRemoteUserExtractor;
+ private final HttpRequestRemoteUserExtractor requestRemoteUserExtractor;
+ private final boolean enableDoAs;
+ private final String doAsParam;
+
+ public PhoenixRemoteUserExtractor(Configuration conf) {
+ this.requestRemoteUserExtractor = new HttpRequestRemoteUserExtractor();
+ this.doAsParam = conf.get(QueryServices.QUERY_SERVER_DOAS_PARAM,
+ QueryServicesOptions.DEFAULT_QUERY_SERVER_DOAS_PARAM);
+ this.paramRemoteUserExtractor = new HttpQueryStringParameterRemoteUserExtractor(doAsParam);
+ this.enableDoAs = conf.getBoolean(QueryServices.QUERY_SERVER_DOAS_ENABLED_ATTRIB,
+ QueryServicesOptions.DEFAULT_QUERY_SERVER_DOAS_ENABLED);
+ }
+
+ @Override
+ public String extract(HttpServletRequest request) throws RemoteUserExtractionException {
+ if (request.getParameter(doAsParam) != null && enableDoAs) {
--- End diff --
This can be simplified when we remove the `enableDoAs` logic.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] phoenix issue #265: PHOENIX-3598
Posted by Wancy <gi...@git.apache.org>.
Github user Wancy commented on the issue:
https://github.com/apache/phoenix/pull/265
Thanks @joshelser !!
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] phoenix pull request #265: PHOENIX-3598
Posted by Wancy <gi...@git.apache.org>.
Github user Wancy commented on a diff in the pull request:
https://github.com/apache/phoenix/pull/265#discussion_r124413926
--- Diff: phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java ---
@@ -228,7 +235,9 @@ public int run(String[] args) throws Exception {
builder.withSpnego(ugi.getUserName(), additionalAllowedRealms)
.withAutomaticLogin(keytab)
.withImpersonation(new PhoenixDoAsCallback(ugi, getConf()));
+
}
+ setRemoteUserExtractorIfNecessary(builder, getConf());
--- End diff --
Agree to put it inside the if-block for only kerberos case :)
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] phoenix pull request #265: PHOENIX-3598
Posted by joshelser <gi...@git.apache.org>.
Github user joshelser commented on a diff in the pull request:
https://github.com/apache/phoenix/pull/265#discussion_r124110721
--- Diff: phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java ---
@@ -274,6 +282,47 @@ public int run(String[] args) throws Exception {
}
/**
+ * Use the correctly way to extract end user.
+ */
+
+ static class PhoenixRemoteUserExtractor implements RemoteUserExtractor{
+ private final HttpQueryStringParameterRemoteUserExtractor paramRemoteUserExtractor;
+ private final HttpRequestRemoteUserExtractor requestRemoteUserExtractor;
+ private final boolean enableDoAs;
+ private final String doAsParam;
+
+ public PhoenixRemoteUserExtractor(Configuration conf) {
+ this.requestRemoteUserExtractor = new HttpRequestRemoteUserExtractor();
+ this.doAsParam = conf.get(QueryServices.QUERY_SERVER_DOAS_PARAM,
+ QueryServicesOptions.DEFAULT_QUERY_SERVER_DOAS_PARAM);
+ this.paramRemoteUserExtractor = new HttpQueryStringParameterRemoteUserExtractor(doAsParam);
+ this.enableDoAs = conf.getBoolean(QueryServices.QUERY_SERVER_DOAS_ENABLED_ATTRIB,
--- End diff --
Can you move this check of whether or not we enable `doAs` above to selectively call `withRemoteUserExtractor`, please?
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] phoenix issue #265: PHOENIX-3598
Posted by Wancy <gi...@git.apache.org>.
Github user Wancy commented on the issue:
https://github.com/apache/phoenix/pull/265
Hi @joshelser,
I made some changes according to your comments, please review, thanks.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] phoenix pull request #265: PHOENIX-3598
Posted by joshelser <gi...@git.apache.org>.
Github user joshelser commented on a diff in the pull request:
https://github.com/apache/phoenix/pull/265#discussion_r124402049
--- Diff: phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java ---
@@ -273,6 +282,54 @@ public int run(String[] args) throws Exception {
}
}
+ // add remoteUserExtractor to builder if enabled
+ @VisibleForTesting
+ public void setRemoteUserExtractorIfNecessary(HttpServer.Builder builder, Configuration conf) {
+ if (conf.getBoolean(QueryServices.QUERY_SERVER_WITH_REMOTEUSEREXTRACTOR_ATTRIB,
+ QueryServicesOptions.DEFAULT_QUERY_SERVER_WITH_REMOTEUSEREXTRACTOR)) {
+ builder.withRemoteUserExtractor(new PhoenixRemoteUserExtractor(conf));
+ }
+ }
+
+ /**
+ * Use the correctly way to extract end user.
+ */
+
+ static class PhoenixRemoteUserExtractor implements RemoteUserExtractor{
+ private final HttpQueryStringParameterRemoteUserExtractor paramRemoteUserExtractor;
+ private final HttpRequestRemoteUserExtractor requestRemoteUserExtractor;
+ private final String userExtractParam;
+
+ public PhoenixRemoteUserExtractor(Configuration conf) {
+ this.requestRemoteUserExtractor = new HttpRequestRemoteUserExtractor();
+ this.userExtractParam = conf.get(QueryServices.QUERY_SERVER_REMOTEUSEREXTRACTOR_PARAM,
+ QueryServicesOptions.DEFAULT_QUERY_SERVER_REMOTEUSEREXTRACTOR_PARAM);
+ this.paramRemoteUserExtractor = new HttpQueryStringParameterRemoteUserExtractor(userExtractParam);
+ }
+
+ @Override
+ public String extract(HttpServletRequest request) throws RemoteUserExtractionException {
+ if (request.getParameter(userExtractParam) != null) {
--- End diff --
We should put a `requestRemoteUserExtractor.extract(request)` at the top of this method implementation. We should be using it in both branches of the conditional (replacing the `request.getRemoteUser()` call you have below)
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] phoenix pull request #265: PHOENIX-3598
Posted by Wancy <gi...@git.apache.org>.
Github user Wancy commented on a diff in the pull request:
https://github.com/apache/phoenix/pull/265#discussion_r124153233
--- Diff: phoenix-queryserver/src/test/java/org/apache/phoenix/queryserver/server/PhoenixRemoteUserExtractorTest.java ---
@@ -0,0 +1,102 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to you under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.phoenix.queryserver.server;
+
+import static org.junit.Assert.assertEquals;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import org.apache.calcite.avatica.server.RemoteUserExtractionException;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.hadoop.security.authorize.AuthorizationException;
+import org.apache.hadoop.security.authorize.ProxyUsers;
+import org.apache.phoenix.queryserver.server.QueryServer.PhoenixRemoteUserExtractor;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * Tests for the RemoteUserExtractor Method Avatica provides for Phoenix to implement.
+ */
+public class PhoenixRemoteUserExtractorTest {
+ private static final Logger LOG = LoggerFactory.getLogger(PhoenixRemoteUserExtractorTest.class);
+
+ @Test
+ public void testUseDoAsSuccess() {
+ HttpServletRequest request = mock(HttpServletRequest.class);
+ when(request.getRemoteUser()).thenReturn("proxyserver");
+ when(request.getParameter("doAs")).thenReturn("enduser");
+ when(request.getRemoteAddr()).thenReturn("localhost:1234");
+
+ Configuration conf = new Configuration(false);
+ conf.set("hadoop.proxyuser.proxyserver.groups", "*");
+ conf.set("hadoop.proxyuser.proxyserver.hosts", "*");
+ conf.set("phoenix.queryserver.doAs.enabled", "true");
+ ProxyUsers.refreshSuperUserGroupsConfiguration(conf);
+
+ PhoenixRemoteUserExtractor extractor = new PhoenixRemoteUserExtractor(conf);
+ try {
+ assertEquals("enduser", extractor.extract(request));
+ } catch (RemoteUserExtractionException e) {
+ LOG.info(e.getMessage());
+ }
+ }
+
+ @Test
+ public void testDoNotUseDoAs() {
--- End diff --
Hi @joshelser,
Is there a way to check if builder called withRemoteUserExtractor or not? I tried used "equals" but there will always be two new builder object to compare. Also there is no getRemoteUserExtractor method for HttpBuilder.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] phoenix pull request #265: PHOENIX-3598
Posted by joshelser <gi...@git.apache.org>.
Github user joshelser commented on a diff in the pull request:
https://github.com/apache/phoenix/pull/265#discussion_r124113153
--- Diff: phoenix-queryserver/pom.xml ---
@@ -147,6 +147,10 @@
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</dependency>
+ <dependency>
+ <groupId>org.mockito</groupId>
+ <artifactId>mockito-all</artifactId>
--- End diff --
Needs a `<scope>test</scope>`
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] phoenix pull request #265: PHOENIX-3598
Posted by joshelser <gi...@git.apache.org>.
Github user joshelser commented on a diff in the pull request:
https://github.com/apache/phoenix/pull/265#discussion_r124112286
--- Diff: phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java ---
@@ -274,6 +282,47 @@ public int run(String[] args) throws Exception {
}
/**
+ * Use the correctly way to extract end user.
+ */
+
+ static class PhoenixRemoteUserExtractor implements RemoteUserExtractor{
+ private final HttpQueryStringParameterRemoteUserExtractor paramRemoteUserExtractor;
+ private final HttpRequestRemoteUserExtractor requestRemoteUserExtractor;
+ private final boolean enableDoAs;
+ private final String doAsParam;
+
+ public PhoenixRemoteUserExtractor(Configuration conf) {
+ this.requestRemoteUserExtractor = new HttpRequestRemoteUserExtractor();
+ this.doAsParam = conf.get(QueryServices.QUERY_SERVER_DOAS_PARAM,
+ QueryServicesOptions.DEFAULT_QUERY_SERVER_DOAS_PARAM);
+ this.paramRemoteUserExtractor = new HttpQueryStringParameterRemoteUserExtractor(doAsParam);
+ this.enableDoAs = conf.getBoolean(QueryServices.QUERY_SERVER_DOAS_ENABLED_ATTRIB,
+ QueryServicesOptions.DEFAULT_QUERY_SERVER_DOAS_ENABLED);
+ }
+
+ @Override
+ public String extract(HttpServletRequest request) throws RemoteUserExtractionException {
+ if (request.getParameter(doAsParam) != null && enableDoAs) {
+ String doAsUser = paramRemoteUserExtractor.extract(request);
+ UserGroupInformation ugi = UserGroupInformation.createRemoteUser(request.getRemoteUser());
+ UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(doAsUser, ugi);
+
+ // Check if this user is allowed to be impersonated.
+ // Will throw AuthorizationException if the impersonation as this user is not allowed
+ try {
+ ProxyUsers.authorize(proxyUser, request.getRemoteAddr());
+ return doAsUser;
+ } catch (AuthorizationException e) {
+ throw new RemoteUserExtractionException(e.getMessage());
--- End diff --
Can the exception be passed into the RemoteUserExtractionException instead of just the message? (to preserve the stack trace)
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] phoenix pull request #265: PHOENIX-3598
Posted by joshelser <gi...@git.apache.org>.
Github user joshelser commented on a diff in the pull request:
https://github.com/apache/phoenix/pull/265#discussion_r124409282
--- Diff: phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java ---
@@ -228,7 +235,9 @@ public int run(String[] args) throws Exception {
builder.withSpnego(ugi.getUserName(), additionalAllowedRealms)
.withAutomaticLogin(keytab)
.withImpersonation(new PhoenixDoAsCallback(ugi, getConf()));
+
}
+ setRemoteUserExtractorIfNecessary(builder, getConf());
--- End diff --
With respect to my long-winded comment below, if you're only looking to support Kerberos, we want to move this line into the above if-block.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] phoenix issue #265: PHOENIX-3598
Posted by joshelser <gi...@git.apache.org>.
Github user joshelser commented on the issue:
https://github.com/apache/phoenix/pull/265
Woops. I forgot to close this via commit message. If you could close it at your convenience, @Wancy, I'd appreciate it!
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] phoenix pull request #265: PHOENIX-3598
Posted by Wancy <gi...@git.apache.org>.
Github user Wancy commented on a diff in the pull request:
https://github.com/apache/phoenix/pull/265#discussion_r124413815
--- Diff: phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java ---
@@ -273,6 +282,54 @@ public int run(String[] args) throws Exception {
}
}
+ // add remoteUserExtractor to builder if enabled
+ @VisibleForTesting
+ public void setRemoteUserExtractorIfNecessary(HttpServer.Builder builder, Configuration conf) {
+ if (conf.getBoolean(QueryServices.QUERY_SERVER_WITH_REMOTEUSEREXTRACTOR_ATTRIB,
+ QueryServicesOptions.DEFAULT_QUERY_SERVER_WITH_REMOTEUSEREXTRACTOR)) {
+ builder.withRemoteUserExtractor(new PhoenixRemoteUserExtractor(conf));
+ }
+ }
+
+ /**
+ * Use the correctly way to extract end user.
+ */
+
+ static class PhoenixRemoteUserExtractor implements RemoteUserExtractor{
+ private final HttpQueryStringParameterRemoteUserExtractor paramRemoteUserExtractor;
+ private final HttpRequestRemoteUserExtractor requestRemoteUserExtractor;
+ private final String userExtractParam;
+
+ public PhoenixRemoteUserExtractor(Configuration conf) {
+ this.requestRemoteUserExtractor = new HttpRequestRemoteUserExtractor();
+ this.userExtractParam = conf.get(QueryServices.QUERY_SERVER_REMOTEUSEREXTRACTOR_PARAM,
+ QueryServicesOptions.DEFAULT_QUERY_SERVER_REMOTEUSEREXTRACTOR_PARAM);
+ this.paramRemoteUserExtractor = new HttpQueryStringParameterRemoteUserExtractor(userExtractParam);
+ }
+
+ @Override
+ public String extract(HttpServletRequest request) throws RemoteUserExtractionException {
+ if (request.getParameter(userExtractParam) != null) {
+ String extractedUser = paramRemoteUserExtractor.extract(request);
+ UserGroupInformation ugi = UserGroupInformation.createRemoteUser(request.getRemoteUser());
+ UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(extractedUser, ugi);
--- End diff --
Hi @joshelser,
I think I understand your concern of the edge cases. I originally wanna add it just for kerberos cases, but I thought user extract could be extended to simple auth as well in the future, but seems a lot more work needs to be done than I thought. Also like you said most people just want point1.
I think for this jira just add it for the kerberos case is more practical.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] phoenix pull request #265: PHOENIX-3598
Posted by joshelser <gi...@git.apache.org>.
Github user joshelser commented on a diff in the pull request:
https://github.com/apache/phoenix/pull/265#discussion_r124409157
--- Diff: phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java ---
@@ -273,6 +282,54 @@ public int run(String[] args) throws Exception {
}
}
+ // add remoteUserExtractor to builder if enabled
+ @VisibleForTesting
+ public void setRemoteUserExtractorIfNecessary(HttpServer.Builder builder, Configuration conf) {
+ if (conf.getBoolean(QueryServices.QUERY_SERVER_WITH_REMOTEUSEREXTRACTOR_ATTRIB,
+ QueryServicesOptions.DEFAULT_QUERY_SERVER_WITH_REMOTEUSEREXTRACTOR)) {
+ builder.withRemoteUserExtractor(new PhoenixRemoteUserExtractor(conf));
+ }
+ }
+
+ /**
+ * Use the correctly way to extract end user.
+ */
+
+ static class PhoenixRemoteUserExtractor implements RemoteUserExtractor{
+ private final HttpQueryStringParameterRemoteUserExtractor paramRemoteUserExtractor;
+ private final HttpRequestRemoteUserExtractor requestRemoteUserExtractor;
+ private final String userExtractParam;
+
+ public PhoenixRemoteUserExtractor(Configuration conf) {
+ this.requestRemoteUserExtractor = new HttpRequestRemoteUserExtractor();
+ this.userExtractParam = conf.get(QueryServices.QUERY_SERVER_REMOTEUSEREXTRACTOR_PARAM,
+ QueryServicesOptions.DEFAULT_QUERY_SERVER_REMOTEUSEREXTRACTOR_PARAM);
+ this.paramRemoteUserExtractor = new HttpQueryStringParameterRemoteUserExtractor(userExtractParam);
+ }
+
+ @Override
+ public String extract(HttpServletRequest request) throws RemoteUserExtractionException {
+ if (request.getParameter(userExtractParam) != null) {
+ String extractedUser = paramRemoteUserExtractor.extract(request);
+ UserGroupInformation ugi = UserGroupInformation.createRemoteUser(request.getRemoteUser());
+ UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(extractedUser, ugi);
--- End diff --
In re-reading the above, I'm a little worried about the edge-cases. With PQS right now, we have the following cases "supported"
1) Kerberos+SPNEGO as the Kerberos user (elserj@EXAMPLE.COM authenticates to PQS and the PQS credentials are used to query Phoenix as elserj@EXAMPLE.COM)
2) Kerberos auth with HBase but no SPNEGO for PQS clients (legacy support for how things used to work before the SPNEGO auth was built -- PQS user does everything for users)
3) Without Kerberos, all queries run as the PQS user (out of the box).
Avatica supports more than what point 3 above does, but we haven't prioritized wiring that up as most people just want point 1. @Wancy, I had originally thought you were just trying to enable a PQS client with Kerberos credentials to say that they are someone else (extension of point 1 -- Credentials to PQS are for "elserj" but instead of querying Phoenix as "elserj", query as "bob").
Did you also want this to work for cases when Kerberos is not in the mix? I think that would require some additional changes as I don't think this will work as-is.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
[GitHub] phoenix pull request #265: PHOENIX-3598
Posted by Wancy <gi...@git.apache.org>.
Github user Wancy closed the pull request at:
https://github.com/apache/phoenix/pull/265
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---