link3280 commented on PR #2687:
URL: https://github.com/apache/incubator-amoro/pull/2687#issuecomment-2041749691

   @baiyangtx Thanks for your input.
   
   > 1. The HTTP Basic Authentication protocol uses plaintext to transmit 
passwords, which is not a very secure protocol.
   
   Mostly, we should use Basic Authentication with HTTPS instead of HTTP, which 
is a common use case.  For example, 
[Starrocks](https://docs.starrocks.io/docs/reference/HTTP_API/SQL/#authentication-method)
 and 
[Kylin](https://cwiki.apache.org/confluence/display/KYLIN/Access+and+Authentication+API)
 support Basic Authentication.
   
   WRT your concern, please see 
https://security.stackexchange.com/questions/988/is-basic-auth-secure-if-done-over-https
   
   > 2. For REST APIs, authentication only needs to verify that a caller is a 
legal caller. If you need to know which user triggered the call to the REST 
API, there are other mechanisms that can be used to solve this problem.
   
   Yes, Basic Auth only deals with Authn and is compatible with any other Authz 
(of course). But currently Amoro has no Authz functionalities (and I don't see 
the need for it), so the Authz issue could be discussed later if needed.
   
   
   
   
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to