okumin commented on code in PR #5870:
URL: https://github.com/apache/hive/pull/5870#discussion_r2152184347
##########
standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java:
##########
@@ -431,7 +432,8 @@ public void setThreadFactory(ThreadFactory threadFactory) {
processor = new ThriftHiveMetastore.Processor<>(handler);
LOG.info("Starting DB backed MetaStore Server with generic processor");
boolean jwt = MetastoreConf.getVar(conf,
ConfVars.THRIFT_METASTORE_AUTHENTICATION).equalsIgnoreCase("jwt");
- ServletSecurity security = new ServletSecurity(conf, jwt);
+ AuthType authType = jwt ? AuthType.JWT : AuthType.SIMPLE;
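Review bot: On the added `AuthType authType = jwt ? AuthType.JWT : AuthType.SIMPLE;` line, every value of `ConfVars.THRIFT_METASTORE_AUTHENTICATION` other than "jwt" (compared case-insensitively) resolves to `AuthType.SIMPLE`, so a misspelled or unsupported setting silently selects SIMPLE with no trace in the logs. Consider logging the resolved `authType` next to the existing `LOG.info` call, or rejecting unrecognised values, and add a short comment stating that the fallback to SIMPLE is intentional.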
Review Comment:
This line configures [an HTTP server for HiveMetaStore with Thrift over
HTTP](https://github.com/apache/hive/blob/174ff56b77b212bf51ee01587de9cf22e77f2dd3/standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/conf/MetastoreConf.java#L966-L977),
not for Iceberg REST or Properties REST. This change keeps the original
behavior. We can't fully encode `hive.metastore.authentication` there, as it
doesn't have SIMPLE.

As for the necessity of consolidation, I am currently biased toward
separation. Let's say we introduced OAuth 2.0 with OIDC for the Iceberg REST
catalog, and a user wanted to use it. Can all PROPERTIES clients immediately
use OAuth? I am a little skeptical that different HTTP endpoints can share the
same authentication method even if they are on the same machine.