Hello Impala Public Jenkins, I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/20301 to look at the new patch set (#4). Change subject: IMPALA-12328: New option for impala-shell to send "auth" header in thrift http request ...................................................................... IMPALA-12328: New option for impala-shell to send "auth" header in thrift http request This change introduces a new optional impala-shell option (send_auth_header_for_hiveserver2) to add an 'auth' header to http requests, which is expected in latest hiveserver2 builds when supporting multiple authentication modes at once (see HIVE-27352). The 'auth' header shouldn't be a problem for the impala coordinator, but unfortunately it may prevent authentication due to a buggy header parser code. This change will also fix that bug and introduces new java frontend tests to validate the changes. Some information on the http header parsing bug in THttpServer: Unfortunately, the THRIFT_strncasecmp() function used in the original implementation was true even if the name of the header being processed was a prefix of the header name that is defined in the condition. For example: In the original implementation when processing the http header "auth: anyValue", we run into the code fragment where the Authorization header content is processed, because the condition THRIFT_strncasecmp("auth: anyValue", "Authorization", 4) == 0) is true, since the first 4 characters of the two strings are the same. Unfortunately, this can break authentication if the http request has a header with a name that is a prefix to the word "Authorization". Tested with a snapshot build in a CDP PVC DS environment where both LDAP and Kerberos authentication was enabled: - connected to Impala Coordinator using the impala-shell client with and without the new send_auth_header_for_hiveserver2 option with LDAP authentication and with Kerberos authentication, in python2 and also in python3 environment - connected to Impala Coordinator using beeline and hive jdbc driver with LDAP authentication and with Kerberos authentication, - connected to Impala Coordinator using beeline and impala jdbc driver with LDAP authentication and with Kerberos authentication, - connected to hiveserver2 using the impala-shell client with and without the new send_auth_header_for_hiveserver2 option with LDAP authentication and with Kerberos authentication, in python2 and also in python3 environment Change-Id: I754639cfe3eab0016d09f71ded4821caa357bf87 --- M be/src/transport/THttpServer.cpp M fe/src/test/java/org/apache/impala/customcluster/LdapHS2Test.java M fe/src/test/java/org/apache/impala/customcluster/LdapImpalaShellTest.java M shell/ImpalaHttpClient.py M shell/impala_client.py M shell/impala_shell.py M shell/option_parser.py 7 files changed, 124 insertions(+), 53 deletions(-) git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/01/20301/4 -- To view, visit http://gerrit.cloudera.org:8080/20301 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: newpatchset Gerrit-Change-Id: I754639cfe3eab0016d09f71ded4821caa357bf87 Gerrit-Change-Number: 20301 Gerrit-PatchSet: 4 Gerrit-Owner: Gergely Farkas <gfar...@cloudera.com> Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com>