Hey Janos,

You brought up an interesting subject.

I haven't worked on the code around the authentication process, so I cannot foresee the impact on the codebase, but at a high level your idea seems reasonable to me. I would be in favor of such a change, but I would definitely like to see some tests and documentation come along from the one who pushes this forward.

Best,
Stamatis

On Fri, Mar 18, 2022, 6:40 PM Janos Kovacs <kovja...@gmail.com> wrote:

> Hi,
>
> I just found that while HS2 can do authentication with mixed methods - like
> Kerberos+LDAP - it only works with the binary protocol. With the transport
> set to http, the authentication basically works only against what is set by
> hive.server2.authentication. If e.g. it's set to LDAP, it doesn't try other
> methods, even if the client is sending the Negotiate headers in the
> request.
>
> While this is something that probably could be fixed, I was thinking about
> a quick(er) fix that might sound like just a workaround at first, but adding the
> fact that HS2 now can do both binary and http transports together
> (HIVE-5312) and that there are other authentication methods which support
> only one type of transport - like SAML works only with http transport -,
> this might be a good enhancement by itself: split the
> hive.server2.authentication between binary and http by introducing
> hive.server2.http.authentication.
>
> If the http transport could be configured independently from the binary
> transport, then HS2 could run in dual-transport mode, e.g. binary offering
> Kerberos+LDAP while http offering SAML (or any other independent method).
>
> Could you please share your thoughts on splitting the authN method between
> the two transport modes?
>
> Thanks,
> Janos