[
https://issues.apache.org/jira/browse/PHOENIX-3598?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15934029#comment-15934029
]
Josh Elser commented on PHOENIX-3598:
-------------------------------------
{code}
+ public String extractRemoteUser(HttpServletRequest request) throws
Exception {
+ if (request.getParameter("doAs") != null) {
+ String doAsUser = request.getParameter("doAs");
+ UserGroupInformation proxyUser =
UserGroupInformation.createProxyUser(doAsUser, serverUgi);
+
+ // Check if this user is allowed to be impersonated.
+ // Will throw AuthorizationException if the impersonation as this user
is not allowed
+ ProxyUsers.authorize(proxyUser, request.getRemoteAddr(););
+ this.remoteUserExtractor = new
HttpQueryStringParameterRemoteUserExtractor();
{code}
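Review bot: In the createProxyUser(doAsUser, serverUgi) call, the real user of the proxy UGI is serverUgi rather than the caller that authenticated on this request. If serverUgi is the query server's own login identity, as the name suggests, ProxyUsers.authorize then checks whether the server may impersonate doAsUser, not whether the authenticated caller may. Consider building the real user from the request's authenticated principal before calling authorize. Separately, the authorize line ends in request.getRemoteAddr(););, where the stray semicolon inside the parentheses will not compile, and request.getParameter("doAs") is read twice where one read into a local would do.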
This needs to be done via explicit configuration. Otherwise, it's introducing a
security hole.
{code}
+ } else {
+ this.remoteUserExtractor = new HttpRequestRemoteUserExtractor();
+ }
{code}
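Review bot: In the else branch, this.remoteUserExtractor = new HttpRequestRemoteUserExtractor(); writes a per-request decision into an instance field, as the doAs branch does. If this object serves concurrent requests, one request can overwrite the extractor another request is about to use, so a request without doAs could be handled by the query-string extractor or the reverse. Suggest keeping both extractors in final fields and selecting between them with a local variable inside extractRemoteUser.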
This is creating a new object unnecessarily for every request to PQS which is
bad. Just create a single instance in the constructor.
> Enable proxy access to Phoenix query server for third party on behalf of end
> users
> ----------------------------------------------------------------------------------
>
> Key: PHOENIX-3598
> URL: https://issues.apache.org/jira/browse/PHOENIX-3598
> Project: Phoenix
> Issue Type: Improvement
> Reporter: Jerry He
> Assignee: Shi Wang
> Attachments: 0001-PHOENIX-3598.patch
>
>
> This JIRA tracks the follow-on work of CALCITE-1539 needed on Phoenix query
> server side.