Github user Wancy commented on a diff in the pull request:

    https://github.com/apache/phoenix/pull/265#discussion_r124413815
  
    --- Diff: 
phoenix-queryserver/src/main/java/org/apache/phoenix/queryserver/server/QueryServer.java
 ---
    @@ -273,6 +282,54 @@ public int run(String[] args) throws Exception {
         }
       }
     
    +  // add remoteUserExtractor to builder if enabled
    +  @VisibleForTesting
    +  public void setRemoteUserExtractorIfNecessary(HttpServer.Builder 
builder, Configuration conf) {
    +    if 
(conf.getBoolean(QueryServices.QUERY_SERVER_WITH_REMOTEUSEREXTRACTOR_ATTRIB,
    +            
QueryServicesOptions.DEFAULT_QUERY_SERVER_WITH_REMOTEUSEREXTRACTOR)) {
    +      builder.withRemoteUserExtractor(new 
PhoenixRemoteUserExtractor(conf));
    +    }
    +  }
    +
    +  /**
    +   * Use the correctly way to extract end user.
    +   */
    +
    +  static class PhoenixRemoteUserExtractor implements RemoteUserExtractor{
    +    private final HttpQueryStringParameterRemoteUserExtractor 
paramRemoteUserExtractor;
    +    private final HttpRequestRemoteUserExtractor 
requestRemoteUserExtractor;
    +    private final String userExtractParam;
    +
    +    public PhoenixRemoteUserExtractor(Configuration conf) {
    +      this.requestRemoteUserExtractor = new 
HttpRequestRemoteUserExtractor();
    +      this.userExtractParam = 
conf.get(QueryServices.QUERY_SERVER_REMOTEUSEREXTRACTOR_PARAM,
    +              
QueryServicesOptions.DEFAULT_QUERY_SERVER_REMOTEUSEREXTRACTOR_PARAM);
    +      this.paramRemoteUserExtractor = new 
HttpQueryStringParameterRemoteUserExtractor(userExtractParam);
    +    }
    +
    +    @Override
    +    public String extract(HttpServletRequest request) throws 
RemoteUserExtractionException {
    +      if (request.getParameter(userExtractParam) != null) {
    +        String extractedUser = paramRemoteUserExtractor.extract(request);
    +        UserGroupInformation ugi = 
UserGroupInformation.createRemoteUser(request.getRemoteUser());
    +        UserGroupInformation proxyUser = 
UserGroupInformation.createProxyUser(extractedUser, ugi);
    --- End diff --
    
    Hi @joshelser,
    I think I understand your concern of the edge cases. I originally wanna add 
it just for kerberos cases, but I thought user extract could be extended to 
simple auth as well in the future, but seems a lot more work needs to be done 
than I thought. Also like you said most people just want point1.
    
    I think for this jira just add it for the kerberos case is more practical.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastruct...@apache.org or file a JIRA ticket
with INFRA.
---

Reply via email to