Posted to dev@drill.apache.org by "James Turton (Jira)" <ji...@apache.org> on 2022/03/16 14:49:00 UTC

[jira] [Resolved] (DRILL-8168) Duplicated attempt to apply inbound impersonation in the REST API

     [ https://issues.apache.org/jira/browse/DRILL-8168?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Turton resolved DRILL-8168.
---------------------------------
    Resolution: Fixed

> Duplicated attempt to apply inbound impersonation in the REST API
> -----------------------------------------------------------------
>
>                 Key: DRILL-8168
>                 URL: https://issues.apache.org/jira/browse/DRILL-8168
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Web Server
>    Affects Versions: 1.20.0
>            Reporter: James Turton
>            Assignee: James Turton
>            Priority: Major
>             Fix For: Future
>
>
> When a payload that includes the {{userName}} property is POSTed to /query.json Drill will check for authorisation and, if that's found, replace the username on its UserSession with that of the impersonated user. When a subsequent request arrives Drill will again attempt the same replacement, but now starting from a UserSession user that has already been changed to the impersonated user. This is liable to fail when the impersonated user is not authorised to impersonate themself.
> This has never been an issue in the Web UI because it only presents an opportunity for impersonation when impersonation is enabled _and_ _authn is disabled_. When authn is disabled, there is no persistent UserSession so it is okay to repeat the username replacement for every request to /query.json. This leaves people who have both impersonation and authn enabled in the lurch.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
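As an added illustration, not Apache Drill's code, the following Python model reproduces the behaviour the issue describes and contrasts it with one idempotent variant; `UserSession`, `apply_impersonation_buggy`, `apply_impersonation_fixed`, `simulate` and the policy table are all hypothetical, and checking against the originally authenticated user is an assumption about the remedy rather than the actual DRILL-8168 fix.

```python
# Added model of DRILL-8168, not Apache Drill code; all names below are hypothetical.
from typing import Callable, Dict, List, Set

class NotAuthorized(Exception):
    pass

class UserSession:
    # Persistent per-client session, which exists only when authn is enabled.
    def __init__(self, authenticated_user: str) -> None:
        self.authenticated_user = authenticated_user  # who actually logged in; never changes
        self.user = authenticated_user                # effective user that queries run as

# Constructed sample inbound impersonation policy: proxy user -> users it may impersonate.
# "bob" has no entry, so bob is not authorised to impersonate himself.
POLICY: Dict[str, Set[str]] = {"alice": {"bob"}}

def can_impersonate(proxy: str, target: str) -> bool:
    return target in POLICY.get(proxy, set())

def apply_impersonation_buggy(session: UserSession, user_name: str) -> None:
    # Behaviour the issue describes: the check starts from the *current* session user,
    # which an earlier request may already have replaced with the impersonated user.
    if not can_impersonate(session.user, user_name):
        raise NotAuthorized(f"{session.user} may not impersonate {user_name}")
    session.user = user_name

def apply_impersonation_fixed(session: UserSession, user_name: str) -> None:
    # Assumed remedy (not taken from the issue): evaluate the policy against the
    # originally authenticated user, so repeating the same userName is idempotent.
    if not can_impersonate(session.authenticated_user, user_name):
        raise NotAuthorized(f"{session.authenticated_user} may not impersonate {user_name}")
    session.user = user_name

def simulate(handler: Callable[[UserSession, str], None], payloads: List[dict]) -> List[str]:
    # Replay several /query.json payloads against one session and return the effective
    # user after each request, or "403" where the impersonation check rejected it.
    session = UserSession("alice")
    outcomes: List[str] = []
    for payload in payloads:
        try:
            handler(session, payload["userName"])
            outcomes.append(session.user)
        except NotAuthorized:
            outcomes.append("403")
    return outcomes
```

Running `simulate` with two identical `{"userName": "bob"}` payloads yields `['bob', '403']` for the buggy handler and `['bob', 'bob']` for the idempotent one.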