[ https://issues.apache.org/jira/browse/HIVE-4232?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13622931#comment-13622931 ]
Chris Drome commented on HIVE-4232: ----------------------------------- I was thinking about this a little more and would like to summarize the current state: hive-site.xml -> transport -> JDBC connection string 1. hive.server2.authentication=NOSASL -> raw transport -> jdbc:hive2://host:port/dbname;auth=noSasl 2. hive.server2.authentication=NONE -> plain SASL transport -> jdbc:hive2://host:port/dbname (*DEFAULT*) 3. hive.server2.authentication=KERBEROS -> Kerberos SASL transport -> jdbc:hive2://host:port/dbname;principal=<principal> So we need to set auth=noSasl to disable SASL instead of auth=plainsasl|kerberos to enable SASL. Now if the server is set to Kerberos, then the client still has to know this because it if they exclude the principal parameter it will happily initialize a plain SASL transport because the code infers SASL/Kerberos based on the existence of that value. Granted, in this case the connection throws an exception. If it was a requirement to include say auth=plainsasl|kerberos in the connection string, then the code wouldn't have to guess what the intent was and could communicate an error if auth=kerberos and principal is not present. Furthermore, from what I can see, the plain SASL is really just a no-op as it is not doing anything when authentication=NONE. In the end, it comes down to the fact that the client still needs to know the authentication method of the server. That is why I asked whether we had data about the average use case. Do we know how often people are using raw vs plain vs kerberos? It seems that the real issue is that a SASL transport doesn't play nicely with a raw transport. If it would be possible to remove the need to support the raw transport, that would resolve this discussion. Even the raw transport much speak thrift, so that isn't an issue. Rather it is a question of whether client should be forced to implement a SASL transport. > JDBC2 HiveConnection has odd defaults > ------------------------------------- > > Key: HIVE-4232 > URL: https://issues.apache.org/jira/browse/HIVE-4232 > Project: Hive > Issue Type: Bug > Components: HiveServer2, JDBC > Affects Versions: 0.11.0 > Reporter: Chris Drome > Assignee: Chris Drome > Fix For: 0.11.0 > > Attachments: HIVE-4232-1.patch, HIVE-4232.patch > > > HiveConnection defaults to using a plain SASL transport if auth is not set. > To get a raw transport auth must be set to noSasl; furthermore noSasl is case > sensitive. Code tries to infer Kerberos or plain authentication based on the > presence of principal. There is no provision for specifying QOP level. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira