Csaba Ringhofer has posted comments on this change. ( http://gerrit.cloudera.org:8080/22986 )
Change subject: IMPALA-14083: Connected user and session user mismatch when cookie based authentication is used with SPNEGO ...................................................................... Patch Set 1: (2 comments) http://gerrit.cloudera.org:8080/#/c/22986/1/be/src/service/impala-hs2-server.cc File be/src/service/impala-hs2-server.cc: http://gerrit.cloudera.org:8080/#/c/22986/1/be/src/service/impala-hs2-server.cc@374 PS1, Line 374: connection_context->server_name == HS2_HTTP_SERVER_NAME) Can't we do this somewhere else, e.g. in CookieAuth? https://github.com/apache/impala/blob/d630d6f8af8cd86a845fc0415c99b8aa6608c28f/be/src/rpc/authentication.cc#L662 I don't know if anyone relies on the structure of Impala security cookies - if not, then it should be safe to store the original auth method used, so we could fill connection_context members based on that. Or just set kerberos_user_short in every case. http://gerrit.cloudera.org:8080/#/c/22986/1/be/src/service/impala-hs2-server.cc@383 PS1, Line 383: threads The threads being important here is strange to me. My understanding is that in Thrift each tcp connection has its dedicated thread, and hs2-http connections may or may not start a new tcp connection in a new RPC. So I think that the main question is not the thread but the connection. -- To view, visit http://gerrit.cloudera.org:8080/22986 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: Id7223e449c32484bfd2295f7a9e728b7c02637e9 Gerrit-Change-Number: 22986 Gerrit-PatchSet: 1 Gerrit-Owner: Abhishek Rawat <[email protected]> Gerrit-Reviewer: Csaba Ringhofer <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Jason Fehr <[email protected]> Gerrit-Comment-Date: Fri, 06 Jun 2025 15:59:08 +0000 Gerrit-HasComments: Yes
