Sorabh Hamirwasia created DRILL-6283:
----------------------------------------

             Summary: WebServer stores SPNEGO client principal without taking any conversion rule
                 Key: DRILL-6283
                 URL: https://issues.apache.org/jira/browse/DRILL-6283
             Project: Apache Drill
          Issue Type: Bug
          Components: Web Server
    Affects Versions: 1.13.0
            Reporter: Sorabh Hamirwasia
            Assignee: Sorabh Hamirwasia
             Fix For: 1.14.0


Drill's WebServer uses the exact client principal (us...@qa.lab) as the stored 
username; it doesn't provide any configuration to specify rules that can be 
used to extract the desired username from the client's principal.

For example, the default rule provided by HadoopKerberosName extracts only the 
primary part (user1) of the client principal.

Also, while checking whether the authenticated client principal has admin 
privileges, it uses the realm (e.g. QA.LAB) information to verify against the 
configured admin user/group list. To make it consistent with the JDBC/ODBC 
Kerberos path, it should use the shortName in the client principal to determine 
admin privileges.

Basically, the server side should store the shortName extracted from the client 
principal based on the configured rule, and use that to determine the admin 
privileges too.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
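
The behaviour the issue asks for, as an added illustration that is not Drill's or Hadoop's code: map the SPNEGO principal to a short name first, then run the admin check on that short name. The class name, the `shortName` and `isAdmin` helpers, the simplified default rule (keep the primary only when the realm is the local one) and the sample principals are assumptions of this example.

```java
import java.util.Optional;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SpnegoShortNameDemo {
    // primary[/instance]@REALM, the usual Kerberos principal layout
    private static final Pattern PRINCIPAL =
        Pattern.compile("([^/@]+)(?:/([^/@]+))?@([^/@]+)");

    // Simplified stand-in for a default name rule (an assumption of this
    // example, not Hadoop's implementation): keep the primary component
    // only when the principal's realm is the configured local realm.
    static Optional<String> shortName(String principal, String defaultRealm) {
        Matcher m = PRINCIPAL.matcher(principal);
        if (!m.matches() || !m.group(3).equals(defaultRealm)) {
            return Optional.empty(); // malformed or foreign realm: no rule applies
        }
        return Optional.of(m.group(1));
    }

    // Admin check on the mapped short name; a principal that no rule maps
    // is never treated as an admin.
    static boolean isAdmin(String principal, String defaultRealm, Set<String> adminUsers) {
        return shortName(principal, defaultRealm).map(adminUsers::contains).orElse(false);
    }

    public static void main(String[] args) {
        Set<String> adminUsers = Set.of("user1");   // constructed admin list
        String realm = "QA.LAB";                    // constructed local realm
        String[] samples = {                        // constructed principals
            "user1@QA.LAB", "user1@OTHER.LAB", "user2@QA.LAB"
        };
        for (String p : samples) {
            // rawMatch is the comparison against the unconverted principal,
            // which never matches an admin list written with short names.
            System.out.printf("%-16s stored=%-7s rawMatch=%-5b admin=%b%n",
                p, shortName(p, realm).orElse("<none>"),
                adminUsers.contains(p), isAdmin(p, realm, adminUsers));
        }
    }
}
```

Only `user1@QA.LAB` ends up as admin: the raw principal never matches the short-name admin list, and a same-named user from another realm is not collapsed onto the local admin.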
