danhuawang opened a new issue, #11615: URL: https://github.com/apache/gravitino/issues/11615
### What would you like to be improved? When the `idp-basic` plugin is enabled, users are currently required to manually ensure that `gravitino.authenticators` does not include `simple`. While there is already a startup validation that catches this misconfiguration and fails fast, the user experience can be further improved. From a user perspective, enabling a built-in IdP should be a single-step operation. Requiring users to understand the incompatibility relationship and manually remove `simple` from the authenticators list creates unnecessary configuration friction, especially since `simple` is the default authenticator. Users expect that enabling a more secure authentication mechanism automatically supersedes the less secure default. ### How should we improve? When `idp-basic` is enabled, the system should **automatically exclude `simple` from the effective authenticators list** at startup, without requiring the user to explicitly remove it from the configuration. Specifically: - If `gravitino.authenticators` contains both `simple` and `oauth2` (with `idp-basic` enabled), the system should automatically drop `simple` from the active authenticator chain and log a warning (e.g., `"simple authenticator automatically disabled because idp-basic plugin is active"`). - The user's configuration file does not need to be modified — this is a runtime behavior adjustment. - This removes the current "configuration trap" where users enable IdP but forget to remove the default `simple` authenticator. This approach is more user-friendly than the current fail-fast validation because it allows the system to do the right thing automatically while informing the user via logs. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
