Hello Impala Public Jenkins,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/20301

to look at the new patch set (#4).

Change subject: IMPALA-12328: New option for impala-shell to send "auth" header 
in thrift http request
......................................................................

IMPALA-12328: New option for impala-shell to send "auth" header in thrift
http request

This change introduces a new optional impala-shell option
(send_auth_header_for_hiveserver2) to add an 'auth' header to http
requests, which is expected in latest hiveserver2 builds
when supporting multiple authentication modes at once
(see HIVE-27352).
The 'auth' header shouldn't be a problem for the impala coordinator,
but unfortunately it may prevent authentication due to a buggy header
parser code. This change will also fix that bug and introduces new
java frontend tests to validate the changes.

Some information on the http header parsing bug in THttpServer:
Unfortunately, the THRIFT_strncasecmp() function used in the original
implementation was true even if the name of the header being processed
was a prefix of the header name that is defined in the condition.
For example: In the original implementation when processing the
http header "auth: anyValue", we run into the code fragment where
the Authorization header content is processed, because the condition
THRIFT_strncasecmp("auth: anyValue", "Authorization", 4) == 0)
is true, since the first 4 characters of the two strings are the same.
Unfortunately, this can break authentication if the http request
has a header with a name that is a prefix to the word "Authorization".

Tested with a snapshot build in a CDP PVC DS environment where
both LDAP and Kerberos authentication was enabled:
- connected to Impala Coordinator using the impala-shell client with
and without the new send_auth_header_for_hiveserver2 option
with LDAP authentication and with Kerberos authentication,
in python2 and also in python3 environment
- connected to Impala Coordinator using beeline and hive jdbc driver
with LDAP authentication and with Kerberos authentication,
- connected to Impala Coordinator using beeline and impala jdbc driver
with LDAP authentication and with Kerberos authentication,
- connected to hiveserver2 using the impala-shell client with
and without the new send_auth_header_for_hiveserver2 option
with LDAP authentication and with Kerberos authentication,
in python2 and also in python3 environment

Change-Id: I754639cfe3eab0016d09f71ded4821caa357bf87
---
M be/src/transport/THttpServer.cpp
M fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java
M fe/src/test/java/org/apache/impala/customcluster/LdapImpalaShellTest.java
M shell/ImpalaHttpClient.py
M shell/impala_client.py
M shell/impala_shell.py
M shell/option_parser.py
7 files changed, 124 insertions(+), 53 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/01/20301/4
--
To view, visit http://gerrit.cloudera.org:8080/20301
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I754639cfe3eab0016d09f71ded4821caa357bf87
Gerrit-Change-Number: 20301
Gerrit-PatchSet: 4
Gerrit-Owner: Gergely Farkas <gfar...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com>

Reply via email to