Hi Janos,

LDAP auth works in http mode as well. We have made some enhancements recently: HiveServer2 is now capable of supporting multiple authentication modes. For example: in http mode, you can set it to "LDAP,SAML". We have just added another auth mode (JWT) for http transport via HIVE-25575. So now, we can add "JWT" to this list as well.

While we have checks to set it to something like "KERBEROS,SAML" (KERBEROS in binary mode and SAML is http mode only), I understand your general point about having the ability to use LDAP with binary mode and SAML in http mode. I am not certain this is a huge use case for us, but if there is general consensus that we need this, we could create a Jira around this. My biggest concern with the separation of the properties is backward compatibility.

Thank you
Naveen

On Mon, Mar 28, 2022 at 4:56 AM Stamatis Zampetakis <zabe...@gmail.com> wrote:

> Hey Janos,
>
> You brought up an interesting subject.
>
> I haven't worked on the code around the authentication process so cannot
> foresee the impact on the codebase but high level your idea seems
> reasonable to me.
>
> I would be favorable in such a change but I would definitely like to see
> some tests and documentation come along from the one who pushes this
> forward.
>
> Best,
> Stamatis
>
> On Fri, Mar 18, 2022, 6:40 PM Janos Kovacs <kovja...@gmail.com> wrote:
>
> > Hi,
> >
> > I just found that while HS2 can do authentication with mixed methods -
> > like Kerberos+LDAP - it only works with the binary protocol. With the
> > transport set to http, the authentication basically works only against
> > what is set by hive.server2.authentication. If e.g. it's set to LDAP, it
> > doesn't try other methods, even if the client is sending the Negotiate
> > headers in the request.
> >
> > While this is something that probably could be fixed, I was thinking
> > about a quick(er) fix that might sound just a workaround first, but
> > adding the fact that HS2 now can do both binary and http transports
> > together (HIVE-5312) and that there are other authentication methods
> > which support only one type of transports - like SAML works only with
> > http transport -, this might be a good enhancement by itself: split the
> > hive.server2.authentication between binary and http with introducing
> > hive.server2.http.authentication.
> >
> > If the http transport could be configured independently from the binary
> > transport, then HS2 could run in dual-transport mode, e.g. binary
> > offering Kerberos+LDAP while http offering SAML (or any other
> > independent method).
> >
> > Could you please share your thoughts on splitting the authN method
> > between the two transport modes?
> >
> > Thanks,
> > Janos