-
Notifications
You must be signed in to change notification settings - Fork 189
Fix Update user-related HTTP headers to fix impersonation #568
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Conversation
Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to [email protected]. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla |
@hashhar is this something you can help review? Thanks! The CLA has been signed |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pull Request Overview
This pull request updates the HTTP header handling to support impersonation with the latest version of Trino. The changes include:
- Adding a new constant (HEADER_ORIGINAL_USER) to represent the original user.
- Updating the client to set HEADER_ORIGINAL_USER and HEADER_USER based on whether an authorization user is provided.
- Adjusting authentication and testing logic to align with the new header mapping.
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
File | Description |
---|---|
trino/constants.py | Added HEADER_ORIGINAL_USER and removed HEADER_AUTHORIZATION_USER. |
trino/client.py | Updated header assignment logic to support impersonation. |
trino/auth.py | Modified user extraction to prioritize HEADER_ORIGINAL_USER. |
tests/unit/test_client.py | Updated tests to reflect the new header behavior. |
Comments suppressed due to low confidence (2)
trino/client.py:514
- [nitpick] Consider adding an inline comment explaining that if an authorization user is provided, the request is being impersonated, so the original user is preserved in HEADER_ORIGINAL_USER and the impersonating user is sent via HEADER_USER.
if self._client_session.authorization_user is not None:
trino/auth.py:556
- [nitpick] Consider adding a comment to clarify that this prioritization ensures that if HEADER_ORIGINAL_USER exists, it is used to accurately represent the originally authenticated user in impersonation scenarios.
return headers.get(HEADER_ORIGINAL_USER, headers.get(HEADER_USER))
@raunaqmorarka @hashhar kind reminder to take a look. This is a significant blocker for anyone using impersonation today |
@izeigerman have you signed CLA? Without it, we can't merge this change |
@wendigo yes, CLA has been signed and I’ve just joined the trinodb organization. |
@cla-bot check |
The cla-bot has been summoned, and re-checked this pull request! |
Description
The latest version of Trino changed how the HTTP headers are handled: https://trino.io/docs/current/develop/client-protocol.html#client-request-headers when the server returns the
X-Trino-Set-Authorization-User
header.Thus, the
X-Trino-Authorization-User
header is no longer supported. Instead,X-Trino-User
should be set to the authorization user, and X-Trino-Original-User should be set to the originally authenticated user.Without these changes, the impersonation doesn't work with the latest versions of trino.
Release notes
( ) This is not user-visible or docs only and no release notes are required.
( ) Release notes are required, please propose a release note for me.
(x) Release notes are required, with the following suggested text:
* Fix impersonation support