a2l007 opened a new issue #8931: Make DruidAvaticaHandler extensible to support auth on mTLS JDBC requests URL: https://github.com/apache/incubator-druid/issues/8931 ### Description The proposal is to provide a way to perform custom authentication on jdbc requests primarily in cases where it isn't feasible to use the jdbc context. To do this, I'd like to make `DruidAvaticaHandler` extensible specifically to override the avatica handler method: [AbstractAvaticaHandler.isUserPermitted](https://calcite.apache.org/avatica/apidocs/org/apache/calcite/avatica/server/AbstractAvaticaHandler.html#isUserPermitted(org.apache.calcite.avatica.server.AvaticaServerConfiguration,org.eclipse.jetty.server.Request,javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)) This method may be extended to perform custom authentication on jdbc requests especially in usecases involving mutual TLS JDBC requests. Since it can also handle authentication on jdbc contexts, `Authenticator.authenticateJDBCContext` could be deprecated going forward. ### Motivation With the existing design, it is only possible to authenticate druid SQL queries over JDBC using the jdbc context which uses `Authenticator.authenticateJDBCContext`. For secured clusters using mutual TLS, it may not be possible/recommended to provide additional credentials over jdbc context. @jon-wei Any thoughts on this approach?
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
