Posted to issues@drill.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/03/15 13:05:00 UTC

[jira] [Commented] (DRILL-8168) Duplicated attempt to apply inbound impersonation in the REST API

    [ https://issues.apache.org/jira/browse/DRILL-8168?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17506898#comment-17506898 ] 

ASF GitHub Bot commented on DRILL-8168:
---------------------------------------

jnturton opened a new pull request #2495:
URL: https://github.com/apache/drill/pull/2495


   # [DRILL-8168](https://issues.apache.org/jira/browse/DRILL-8168): Do not duplicate attempts to impersonate a user in the REST API
   
   ## Description
   When authentication is enabled, the Drill UserSession is persistent and it is only appropriate to modify it for impersonation once. This adds a check for whether the UserSession needs modifying and avoids any unneeded attempt to do so, thereby fixing the broken scenario:
   
   Request 1: UserSession user alice modified to impersonated user bob
   Request 2: UserSession user bob fails to be modified to bob because bob is not authorised to impersonate bob.
   
   ## Documentation
   N/A
   
   ## Testing
   New test for this scenario?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@drill.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Duplicated attempt to apply inbound impersonation in the REST API
> -----------------------------------------------------------------
>
>                 Key: DRILL-8168
>                 URL: https://issues.apache.org/jira/browse/DRILL-8168
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Web Server
>    Affects Versions: 1.20.0
>            Reporter: James Turton
>            Assignee: James Turton
>            Priority: Major
>             Fix For: Future
>
>
> When a payload that includes the {{userName}} property is POSTed to /query.json Drill will check for authorisation and, if that's found, replace the username on its UserSession with that of the impersonated user. When a subsequent request arrives Drill will again attempt the same replacement, but now starting from a UserSession user that has already been changed to the impersonated user. This is liable to fail when the impersonated user is not authorised to impersonate themselves.
> This has never been an issue in the Web UI because it only presents an opportunity for impersonation when impersonation is enabled _and_ _authn is disabled_. When authn is disabled, there is no persistent UserSession so it is okay to repeat the username replacement for every request to /query.json. This leaves people who have both impersonation and authn enabled in the lurch.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
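The failure sequence described in the issue and the idempotent check described in the PR, as an added example that is not code from the Drill project or from the thread's author. It is a small Python model of the REST handler logic, not Drill's Java: the UserSession fields, the InboundPolicy class, its invented alice/bob/carol mapping and the run_requests replay helper are all assumptions made for the example. The fixed handler goes one step beyond the PR text by also authorising every change against the principal that logged in rather than the already-replaced session user, so that a later request for a different target is checked against alice and not bob; that design choice is the example's own.

```python
"""Model of DRILL-8168: inbound impersonation applied twice to a persistent session.

Constructed example, not Apache Drill code. UserSession, InboundPolicy and the
alice/bob/carol policy are stand-ins modelled on the thread's description.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List


@dataclass
class UserSession:
    """One Drill-style session. With authn on, the same object is reused across
    REST requests; with authn off, a fresh one is built for every request."""
    authenticated_user: str   # principal that logged in; never changes
    query_user: str           # user that queries currently run as

    @classmethod
    def for_login(cls, user: str) -> "UserSession":
        return cls(authenticated_user=user, query_user=user)


class InboundPolicy:
    """Who may impersonate whom. Constructed stand-in for Drill's inbound
    impersonation policies; the mapping passed in is invented for the example."""

    def __init__(self, allowed: Dict[str, FrozenSet[str]]) -> None:
        self._allowed = allowed

    def permits(self, proxy: str, target: str) -> bool:
        # A user is deliberately NOT permitted to impersonate themselves;
        # that is the condition under which the second request fails.
        return target in self._allowed.get(proxy, frozenset())


def apply_impersonation_buggy(session: UserSession, policy: InboundPolicy, payload: dict) -> str:
    """Pre-fix behaviour: authorise against whatever user the session holds
    right now and replace it on every request carrying `userName`."""
    target = payload.get("userName")
    if target is None:
        return session.query_user
    if not policy.permits(session.query_user, target):
        raise PermissionError(f"{session.query_user} may not impersonate {target}")
    session.query_user = target
    return session.query_user


def apply_impersonation_fixed(session: UserSession, policy: InboundPolicy, payload: dict) -> str:
    """Idempotent version: only touch the session when it actually needs
    modifying, and authorise against the principal that logged in rather than
    the query user a previous request already swapped in."""
    target = payload.get("userName")
    if target is None or target == session.query_user:
        return session.query_user   # nothing to change, so nothing to check
    if not policy.permits(session.authenticated_user, target):
        raise PermissionError(f"{session.authenticated_user} may not impersonate {target}")
    session.query_user = target
    return session.query_user


def run_requests(handler: Callable[[UserSession, InboundPolicy, dict], str],
                 policy: InboundPolicy, payloads: List[dict],
                 persistent_session: bool, login: str = "alice") -> List[str]:
    """Replay a sequence of /query.json payloads against one login and return
    the effective query user per request, or the error that request raised."""
    session = UserSession.for_login(login)
    results: List[str] = []
    for payload in payloads:
        if not persistent_session:
            session = UserSession.for_login(login)   # authn off: fresh session each time
        try:
            results.append(handler(session, policy, payload))
        except PermissionError as exc:
            results.append(f"ERROR: {exc}")
    return results


# Constructed policy and request stream for the scenario in the issue.
POLICY = InboundPolicy({"alice": frozenset({"bob", "carol"})})
TWO_BOB_REQUESTS = [{"userName": "bob", "query": "SELECT 1"}] * 2


if __name__ == "__main__":
    print("buggy, authn on :", run_requests(apply_impersonation_buggy, POLICY, TWO_BOB_REQUESTS, True))
    print("buggy, authn off:", run_requests(apply_impersonation_buggy, POLICY, TWO_BOB_REQUESTS, False))
    print("fixed, authn on :", run_requests(apply_impersonation_fixed, POLICY, TWO_BOB_REQUESTS, True))
```

The first replay reproduces the thread's two-request failure (bob cannot impersonate bob), the second shows why the Web UI path never saw it (no persistent session, so every request starts from alice), and the third shows the fixed handler leaving the session alone on the repeated request.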