danhuawang opened a new issue, #11615:
URL: https://github.com/apache/gravitino/issues/11615

   ### What would you like to be improved?
   
   When the `idp-basic` plugin is enabled, users are currently required to 
manually ensure that `gravitino.authenticators` does not include `simple`. 
While there is already a startup validation that catches this misconfiguration 
and fails fast, the user experience can be further improved.
   
   From a user perspective, enabling a built-in IdP should be a single-step 
operation. Requiring users to understand the incompatibility relationship and 
manually remove `simple` from the authenticators list creates unnecessary 
configuration friction, especially since `simple` is the default authenticator. 
Users expect that enabling a more secure authentication mechanism automatically 
supersedes the less secure default.
   
   ### How should we improve?
   
   When `idp-basic` is enabled, the system should **automatically exclude 
`simple` from the effective authenticators list** at startup, without requiring 
the user to explicitly remove it from the configuration.
   
   Specifically:
   - If `gravitino.authenticators` contains both `simple` and `oauth2` (with 
`idp-basic` enabled), the system should automatically drop `simple` from the 
active authenticator chain and log a warning (e.g., `"simple authenticator 
automatically disabled because idp-basic plugin is active"`).
   - The user's configuration file does not need to be modified — this is a 
runtime behavior adjustment.
   - This removes the current "configuration trap" where users enable IdP but 
forget to remove the default `simple` authenticator.
   
   This approach is more user-friendly than the current fail-fast validation 
because it allows the system to do the right thing automatically while 
informing the user via logs.
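
The runtime adjustment proposed in this issue, as an added sketch that is not part of the issue or of the Gravitino code base. The class and method names are hypothetical; the comma-separated format of `gravitino.authenticators`, the case-insensitive match, and the refusal to start with an empty chain are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Logger;

// Hypothetical helper for illustration; not Gravitino's own code.
class EffectiveAuthenticators {
  private static final Logger LOG = Logger.getLogger("EffectiveAuthenticators");

  /**
   * @param configured raw value of gravitino.authenticators (assumed comma-separated)
   * @param idpBasicEnabled whether the idp-basic plugin is active (detection not shown)
   * @return the authenticator chain to activate; the configuration itself is untouched
   */
  static List<String> resolve(String configured, boolean idpBasicEnabled) {
    List<String> chain = new ArrayList<>();
    for (String raw : configured.split(",")) {
      String name = raw.trim();
      if (!name.isEmpty() && !chain.contains(name)) {
        chain.add(name);
      }
    }
    // Match case-insensitively (assumption) so a variant spelling such as
    // "Simple" cannot stay in the chain next to the IdP.
    if (idpBasicEnabled && chain.removeIf(n -> n.equalsIgnoreCase("simple"))) {
      LOG.warning("simple authenticator automatically disabled because idp-basic plugin is active");
    }
    // Assumption: an empty chain must stop startup instead of leaving the
    // server with no authenticator at all (for example "simple" alone plus idp-basic).
    if (chain.isEmpty()) {
      throw new IllegalStateException(
          "no authenticator left in gravitino.authenticators after resolution");
    }
    return List.copyOf(chain);
  }

  public static void main(String[] args) {
    // Constructed sample values.
    System.out.println(resolve("simple, oauth2", true));
    System.out.println(resolve("simple", false));
    try {
      resolve("simple", true);
    } catch (IllegalStateException e) {
      System.out.println("startup refused: " + e.getMessage());
    }
  }
}
```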

