From f49182318bdaddf21c644812ba4255a2e5dda2ed Mon Sep 17 00:00:00 2001
From: remzi <13716567376yh@gmail.com>
Date: Sat, 15 Jul 2023 13:17:49 +0800
Subject: [PATCH] [KYUUBI #5050] Add admin checking in `getProxyUser`

### _Why are the changes needed?_
Closes #5050. Check the realUser is an admin or not before verifying proxy access.
### _How was this patch tested?_
- [ ] Add some test cases that check the changes thoroughly including negative and positive cases if possible
- [ ] Add screenshots for manual tests if appropriate
- [ ] [Run test](https://kyuubi.readthedocs.io/en/master/contributing/code/testing.html#running-tests) locally before make a pull request
Closes #5051 from HaoYang670/5050_check_admin_in_get_proxy_user.
Closes #5050
cdabd58d2 [remzi] add admin check
Authored-by: remzi <13716567376yh@gmail.com>
Signed-off-by: fwang12
---
 .../org/apache/kyuubi/server/KyuubiRestFrontendService.scala | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kyuubi-server/src/main/scala/org/apache/kyuubi/server/KyuubiRestFrontendService.scala b/kyuubi-server/src/main/scala/org/apache/kyuubi/server/KyuubiRestFrontendService.scala
index 5b6eb040865..fc9080e6682 100644
--- a/kyuubi-server/src/main/scala/org/apache/kyuubi/server/KyuubiRestFrontendService.scala
+++ b/kyuubi-server/src/main/scala/org/apache/kyuubi/server/KyuubiRestFrontendService.scala
@@ -235,7 +235,9 @@ class KyuubiRestFrontendService(override val serverable: Serverable)
 realUser
 } else {
 sessionConf.get(KyuubiAuthenticationFactory.HS2_PROXY_USER).map { proxyUser =>
- KyuubiAuthenticationFactory.verifyProxyAccess(realUser, proxyUser, ipAddress, hadoopConf)
+ if (!getConf.get(KyuubiConf.SERVER_ADMINISTRATORS).contains(realUser)) {
+ KyuubiAuthenticationFactory.verifyProxyAccess(realUser, proxyUser, ipAddress, hadoopConf)
+ }
 proxyUser
 }.getOrElse(realUser)
 }
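Review bot: The added `if (!getConf.get(KyuubiConf.SERVER_ADMINISTRATORS).contains(realUser))` branch lets a listed administrator skip `verifyProxyAccess` altogether, so whatever that call enforces from `ipAddress` and `hadoopConf` no longer applies to that user, and nothing records that the check was bypassed. Because this widens impersonation rights, I would state the intent at the branch, e.g. `// administrators may proxy as any user; proxy-access rules are deliberately not applied`, and log `realUser`, `proxyUser` and `ipAddress` whenever the bypass is taken so that admin impersonation stays auditable. The patch touches one file and the test checklist in the description is unticked, so nothing pins either side of the new condition: an administrator proxying without proxy-user configuration, and a non-administrator still being rejected. It is also worth confirming that `realUser` arrives in the same form (short name versus full principal) as the entries in `SERVER_ADMINISTRATORS`, since `contains` presumably matches exactly and a mismatch would silently change who gets the bypass. The enclosing method starts and ends outside the hunk.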