Github user joshelser commented on a diff in the pull request: https://github.com/apache/phoenix/pull/265#discussion_r124409157 --- Diff: phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java --- @@ -273,6 +282,54 @@ public int run(String[] args) throws Exception { } } + // add remoteUserExtractor to builder if enabled + @VisibleForTesting + public void setRemoteUserExtractorIfNecessary(HttpServer.Builder builder, Configuration conf) { + if (conf.getBoolean(QueryServices.QUERY_SERVER_WITH_REMOTEUSEREXTRACTOR_ATTRIB, + QueryServicesOptions.DEFAULT_QUERY_SERVER_WITH_REMOTEUSEREXTRACTOR)) { + builder.withRemoteUserExtractor(new PhoenixRemoteUserExtractor(conf)); + } + } + + /** + * Use the correctly way to extract end user. + */ + + static class PhoenixRemoteUserExtractor implements RemoteUserExtractor{ + private final HttpQueryStringParameterRemoteUserExtractor paramRemoteUserExtractor; + private final HttpRequestRemoteUserExtractor requestRemoteUserExtractor; + private final String userExtractParam; + + public PhoenixRemoteUserExtractor(Configuration conf) { + this.requestRemoteUserExtractor = new HttpRequestRemoteUserExtractor(); + this.userExtractParam = conf.get(QueryServices.QUERY_SERVER_REMOTEUSEREXTRACTOR_PARAM, + QueryServicesOptions.DEFAULT_QUERY_SERVER_REMOTEUSEREXTRACTOR_PARAM); + this.paramRemoteUserExtractor = new HttpQueryStringParameterRemoteUserExtractor(userExtractParam); + } + + @Override + public String extract(HttpServletRequest request) throws RemoteUserExtractionException { + if (request.getParameter(userExtractParam) != null) { + String extractedUser = paramRemoteUserExtractor.extract(request); + UserGroupInformation ugi = UserGroupInformation.createRemoteUser(request.getRemoteUser()); + UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(extractedUser, ugi); --- End diff -- In re-reading the above, I'm a little worried about the edge-cases. With PQS right now, we have the following cases "supported" 1) Kerberos+SPNEGO as the Kerberos user (els...@example.com authenticates to PQS and the PQS credentials are used to query Phoenix as els...@example.com) 2) Kerberos auth with HBase but no SPNEGO for PQS clients (legacy support for how things used to work before the SPNEGO auth was built -- PQS user does everything for users) 3) Without Kerberos, all queries run as the PQS user (out of the box). Avatica supports more than what point 3 above does, but we haven't prioritized wiring that up as most people just want point 1. @Wancy, I had originally thought you were just trying to enable a PQS client with Kerberos credentials to say that they are someone else (extension of point 1 -- Credentials to PQS are for "elserj" but instead of querying Phoenix as "elserj", query as "bob"). Did you also want this to work for cases when Kerberos is not in the mix? I think that would require some additional changes as I don't think this will work as-is.
--- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---