link3280 commented on PR #2687: URL: https://github.com/apache/incubator-amoro/pull/2687#issuecomment-2041749691
@baiyangtx Thanks for your input. > 1. The HTTP Basic Authentication protocol uses plaintext to transmit passwords, which is not a very secure protocol. Mostly, we should use Basic Authentication with HTTPS instead of HTTP, which is a common use case. For example, [Starrocks](https://docs.starrocks.io/docs/reference/HTTP_API/SQL/#authentication-method) and [Kylin](https://cwiki.apache.org/confluence/display/KYLIN/Access+and+Authentication+API) support Basic Authentication. WRT your concern, please see https://security.stackexchange.com/questions/988/is-basic-auth-secure-if-done-over-https > 2. For REST APIs, authentication only needs to verify that a caller is a legal caller. If you need to know which user triggered the call to the REST API, there are other mechanisms that can be used to solve this problem. Yes, Basic Auth only deals with Authn and is compatible with any other Authz (of course). But currently Amoro has no Authz functionalities (and I don't see the need for it), so the Authz issue could be discussed later if needed. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
