Fix Update user-related HTTP headers to fix impersonation #568
Conversation
|
Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla |
|
@hashhar is this something you can help review? Thanks! The CLA has been signed |
There was a problem hiding this comment.
Pull Request Overview
This pull request updates the HTTP header handling to support impersonation with the latest version of Trino. The changes include:
- Adding a new constant (HEADER_ORIGINAL_USER) to represent the original user.
- Updating the client to set HEADER_ORIGINAL_USER and HEADER_USER based on whether an authorization user is provided.
- Adjusting authentication and testing logic to align with the new header mapping.
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| trino/constants.py | Added HEADER_ORIGINAL_USER and removed HEADER_AUTHORIZATION_USER. |
| trino/client.py | Updated header assignment logic to support impersonation. |
| trino/auth.py | Modified user extraction to prioritize HEADER_ORIGINAL_USER. |
| tests/unit/test_client.py | Updated tests to reflect the new header behavior. |
Comments suppressed due to low confidence (2)
trino/client.py:514
- [nitpick] Consider adding an inline comment explaining that if an authorization user is provided, the request is being impersonated, so the original user is preserved in HEADER_ORIGINAL_USER and the impersonating user is sent via HEADER_USER.
if self._client_session.authorization_user is not None:
trino/auth.py:556
- [nitpick] Consider adding a comment to clarify that this prioritization ensures that if HEADER_ORIGINAL_USER exists, it is used to accurately represent the originally authenticated user in impersonation scenarios.
return headers.get(HEADER_ORIGINAL_USER, headers.get(HEADER_USER))
|
@raunaqmorarka @hashhar kind reminder to take a look. This is a significant blocker for anyone using impersonation today |
|
@izeigerman have you signed CLA? Without it, we can't merge this change |
|
@wendigo yes, CLA has been signed and I’ve just joined the trinodb organization. |
|
@cla-bot check |
|
The cla-bot has been summoned, and re-checked this pull request! |
Description
The latest version of Trino changed how the HTTP headers are handled: https://trino.io/docs/current/develop/client-protocol.html#client-request-headers when the server returns the
X-Trino-Set-Authorization-Userheader.Thus, the
X-Trino-Authorization-Userheader is no longer supported. Instead,X-Trino-Usershould be set to the authorization user, and X-Trino-Original-User should be set to the originally authenticated user.Without these changes, the impersonation doesn't work with the latest versions of trino.
Release notes
( ) This is not user-visible or docs only and no release notes are required.
( ) Release notes are required, please propose a release note for me.
(x) Release notes are required, with the following suggested text:
* Fix impersonation support