Sorabh Hamirwasia created DRILL-6283:
----------------------------------------

Summary: WebServer stores SPNEGO client principal without taking any conversion rule
Key: DRILL-6283
URL: https://issues.apache.org/jira/browse/DRILL-6283
Project: Apache Drill
Issue Type: Bug
Components: Web Server
Affects Versions: 1.13.0
Reporter: Sorabh Hamirwasia
Assignee: Sorabh Hamirwasia
Fix For: 1.14.0

Drill's WebServer uses the exact client principal (us...@qa.lab) as the stored username; it doesn't provide any configuration to specify rules that can be used to extract the desired username from the client's principal. For example, the default rule provided by HadoopKerberosName extracts only the primary part (user1) of the client principal.

Also, while checking whether the authenticated client principal has admin privileges, it uses the realm (e.g. QA.LAB) information to verify against the configured admin user/group list. To make it consistent with the JDBC/ODBC Kerberos path, it should use the shortName in the client principal to determine admin privileges.

Basically, the server side should store the shortName from the client principal, extracted based on the configured rule, and use that to determine the admin privileges too.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
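
The mismatch described in the report, as an added example (not part of the original message, and not Drill's or Hadoop's code): a simplified Python model of a default-style principal-to-short-name rule and of the admin check before and after the proposed change. The realm, principals, admin list and function names are constructed assumptions.

```python
# Simplified model of Kerberos principal -> short name mapping and the admin check.
# DEFAULT_REALM, ADMIN_USERS and all principals used here are constructed samples.

DEFAULT_REALM = "QA.LAB"   # assumed local realm of the service
ADMIN_USERS = {"user1"}    # assumed admin list, configured with short names


def parse_principal(principal):
    """Split 'primary[/instance]@REALM' into (primary, instance, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("principal has no realm: %r" % principal)
    primary, _, instance = name.partition("/")
    if not primary:
        raise ValueError("principal has no primary: %r" % principal)
    return primary, instance or None, realm


def short_name(principal, default_realm=DEFAULT_REALM):
    """Default-style rule: keep only the primary when the realm is the local one.

    A principal from any other realm is rejected rather than silently
    mapped onto a local user of the same name.
    """
    primary, _instance, realm = parse_principal(principal)
    if realm != default_realm:
        raise ValueError("no rule maps realm %r" % realm)
    return primary


def is_admin_before(principal, admins=ADMIN_USERS):
    """Reported behaviour: the full principal, realm included, is the username."""
    return principal in admins


def is_admin_after(principal, admins=ADMIN_USERS):
    """Proposed behaviour: map to the short name first, then check the admin list."""
    try:
        return short_name(principal) in admins
    except ValueError:
        return False  # unmapped principals never get admin rights


if __name__ == "__main__":
    for p in ("user1@QA.LAB", "user1/host.qa.lab@QA.LAB", "user1@OTHER.REALM"):
        print(p, is_admin_before(p), is_admin_after(p))
```
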