[ https://issues.apache.org/jira/browse/PHOENIX-3598?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16065565#comment-16065565 ]
ASF GitHub Bot commented on PHOENIX-3598: ----------------------------------------- Github user joshelser commented on a diff in the pull request: https://github.com/apache/phoenix/pull/265#discussion_r124409157 --- Diff: phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java --- @@ -273,6 +282,54 @@ public int run(String[] args) throws Exception { } } + // add remoteUserExtractor to builder if enabled + @VisibleForTesting + public void setRemoteUserExtractorIfNecessary(HttpServer.Builder builder, Configuration conf) { + if (conf.getBoolean(QueryServices.QUERY_SERVER_WITH_REMOTEUSEREXTRACTOR_ATTRIB, + QueryServicesOptions.DEFAULT_QUERY_SERVER_WITH_REMOTEUSEREXTRACTOR)) { + builder.withRemoteUserExtractor(new PhoenixRemoteUserExtractor(conf)); + } + } + + /** + * Use the correctly way to extract end user. + */ + + static class PhoenixRemoteUserExtractor implements RemoteUserExtractor{ + private final HttpQueryStringParameterRemoteUserExtractor paramRemoteUserExtractor; + private final HttpRequestRemoteUserExtractor requestRemoteUserExtractor; + private final String userExtractParam; + + public PhoenixRemoteUserExtractor(Configuration conf) { + this.requestRemoteUserExtractor = new HttpRequestRemoteUserExtractor(); + this.userExtractParam = conf.get(QueryServices.QUERY_SERVER_REMOTEUSEREXTRACTOR_PARAM, + QueryServicesOptions.DEFAULT_QUERY_SERVER_REMOTEUSEREXTRACTOR_PARAM); + this.paramRemoteUserExtractor = new HttpQueryStringParameterRemoteUserExtractor(userExtractParam); + } + + @Override + public String extract(HttpServletRequest request) throws RemoteUserExtractionException { + if (request.getParameter(userExtractParam) != null) { + String extractedUser = paramRemoteUserExtractor.extract(request); + UserGroupInformation ugi = UserGroupInformation.createRemoteUser(request.getRemoteUser()); + UserGroupInformation proxyUser = UserGroupInformation.createProxyUser(extractedUser, ugi); --- End diff -- In re-reading the above, I'm a little worried about the edge-cases. With PQS right now, we have the following cases "supported" 1) Kerberos+SPNEGO as the Kerberos user (els...@example.com authenticates to PQS and the PQS credentials are used to query Phoenix as els...@example.com) 2) Kerberos auth with HBase but no SPNEGO for PQS clients (legacy support for how things used to work before the SPNEGO auth was built -- PQS user does everything for users) 3) Without Kerberos, all queries run as the PQS user (out of the box). Avatica supports more than what point 3 above does, but we haven't prioritized wiring that up as most people just want point 1. @Wancy, I had originally thought you were just trying to enable a PQS client with Kerberos credentials to say that they are someone else (extension of point 1 -- Credentials to PQS are for "elserj" but instead of querying Phoenix as "elserj", query as "bob"). Did you also want this to work for cases when Kerberos is not in the mix? I think that would require some additional changes as I don't think this will work as-is. > Enable proxy access to Phoenix query server for third party on behalf of end > users > ---------------------------------------------------------------------------------- > > Key: PHOENIX-3598 > URL: https://issues.apache.org/jira/browse/PHOENIX-3598 > Project: Phoenix > Issue Type: Improvement > Reporter: Jerry He > Assignee: Shi Wang > Attachments: 0001-PHOENIX-3598.patch > > > This JIRA tracks the follow-on work of CALCITE-1539 needed on Phoenix query > server side. -- This message was sent by Atlassian JIRA (v6.4.14#64029)