Skip to content

Commit

Permalink
[KYUUBI apache#5050] Add admin checking in getProxyUser
Browse files Browse the repository at this point in the history
### _Why are the changes needed?_

Closes apache#5050.
Check the realUser is an admin or not before verifying proxy access.

### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible

- [ ] Add screenshots for manual tests if appropriate

- [ ] [Run test](https://kyuubi.readthedocs.io/en/master/contributing/code/testing.html#running-tests) locally before make a pull request

Closes apache#5051 from HaoYang670/5050_check_admin_in_get_proxy_user.

Closes apache#5050

cdabd58 [remzi] add admin check

Authored-by: remzi <[email protected]>
Signed-off-by: fwang12 <[email protected]>
  • Loading branch information
HaoYang670 authored and turboFei committed Jul 15, 2023
1 parent c224a63 commit f491823
Showing 1 changed file with 3 additions and 1 deletion.
Original file line number Diff line number Diff line change
Expand Up @@ -235,7 +235,9 @@ class KyuubiRestFrontendService(override val serverable: Serverable)
realUser
} else {
sessionConf.get(KyuubiAuthenticationFactory.HS2_PROXY_USER).map { proxyUser =>
KyuubiAuthenticationFactory.verifyProxyAccess(realUser, proxyUser, ipAddress, hadoopConf)
if (!getConf.get(KyuubiConf.SERVER_ADMINISTRATORS).contains(realUser)) {
KyuubiAuthenticationFactory.verifyProxyAccess(realUser, proxyUser, ipAddress, hadoopConf)
}
proxyUser
}.getOrElse(realUser)
}
Expand Down

0 comments on commit f491823

Please sign in to comment.