Hi,

I just found that while HS2 can do authentication with mixed methods - like
Kerberos+LDAP - it only works with the binary protocol. With the transport
set to http, the authentication basically works only against what is set by
hive.server2.authentication. If e.g. it's set to LDAP, it doesn't try other
methods, even if the client is sending the Negotiate headers in the
request.

While this is something that probably could be fixed, I was thinking about
a quick(er) fix that might sound like just a workaround at first, but adding the
fact that HS2 now can do both binary and http transports together
(HIVE-5312) and that there are other authentication methods which support
only one type of transport - like SAML works only with http transport -,
this might be a good enhancement by itself: split the
hive.server2.authentication between binary and http by introducing
hive.server2.http.authentication.

If the http transport could be configured independently from the binary
transport, then HS2 could run in dual-transport mode, e.g. binary offering
Kerberos+LDAP while http offering SAML (or any other independent method).

Could you please share your thoughts on splitting the authN method between
the two transport modes?

Thanks, Janos
