Hi all,
I was hacking on https://issues.apache.org/jira/browse/CALCITE-1173 over
the weekend to add HTTP Basic and Digest auth to Avatica (now that I
laid a lot of groundwork in the SPNEGO/Kerberos task).
I'm wondering how best to handle "Avatica authentication" and "Database
authentication".
Presently, when the user provides a user/password when creating the
Avatica JDBC driver, this is passed directly to the Avatica server, and
is passed along to the "real" JDBC driver (the one talking to the actual
"database"). Should Avatica maintain a separate user/password property
pair for Avatica-centric authentication?
Pros:
* Avatica can provide further control over allowed users than the
database alone (e.g. a valid db user may not be allowed to use Avatica).
Cons:
* Users must provide two sets of credentials (e.g. user/password and
avatica_user/avatica_password)) to differentiate between what is for
Avatica and what is for the "real" JDBC driver.
I'm not sure which is the better approach to take. The latter definitely
has the flexibility, but I'm wondering if it would be confusing with
other tools (since it's not following "normal JDBC conventions"). Either
approach is relatively simple to implement in Avatica, so that's not a
big decision-factor.
- Josh
- Thoughts on Avatica user auth? Josh Elser
-
