[
https://issues.apache.org/jira/browse/CALCITE-1025?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15056961#comment-15056961
]
Phillip Rhodes commented on CALCITE-1025:
-----------------------------------------
This particular patch adds no new dependencies, but it doesn't do that much
either. It's really the minimal work needed to allow the username/password
supplied to the JDBC driver to be used as credentials for an HTTP proxy. It
doesn't attempt to handle more sophisticated cases, like, for example, the case
where the database on the other side of the connection requires a
username/password and the proxy in-between requires different credentials.
But since Phoenix doesn't (as of now anyway) do any authentication at the HTTP
level, this lets people put Knox in front of Phoenix and still do authenticated
JDBC.
Of course Calcite/Avatica is broader than just Phoenix JDBC, but as far as I
can tell, at worst this change will cause no impact on other uses of
Calcite/Avatica. Extending Calcite/Avatica to have a more general-purpose way
of dealing with authentication is, to my mind, a separate issue.
> Add support for HTTP Basic auth (for proxies) in Avatica HTTP Client
> --------------------------------------------------------------------
>
> Key: CALCITE-1025
> URL: https://issues.apache.org/jira/browse/CALCITE-1025
> Project: Calcite
> Issue Type: Improvement
> Components: avatica
> Reporter: Phillip Rhodes
> Assignee: Julian Hyde
> Attachments: AvaticaConnection.patch, Driver.patch,
> RemoteService.patch, http_auth_patch.patch, patch_against_1.2.0.patch
>
>
> Avatica serves as the base for the Phoenix "thin" JDBC driver, and supports a
> JSON over HTTP protocol. Being that it is HTTP, it would be desirable to
> support standard HTTP mechanisms like HTTP BASIC authentication, which is
> required by some proxy servers (for example, Knox).
> In particular, I've been working on deploying Phoenix behind Knox with Knox
> mediating JDBC access using the "thin" driver based on Avatica. In order to
> make this work, I had to make a small change to Avatica in order to take the
> supplied credentials and construct an Authorization header, and add it to the
> HTTP request.
> I have made this change and verified that it works, and would like to propose
> merging it into the Avatica source. I have two versions, one made against
> HEAD and another which is a backport to an older version of Avatica (turns
> out this was needed for the specific environment we were deploying in).
> It is a fairly small change, totaling about 10-15 lines of code, and - as far
> as I can tell - should be totally non-invasive to existing users of Avatica.
> Basically I just add the HTTP Authorization header IF a username/password
> combo is present, and do nothing otherwise. If it is desired, we could also
> wrap this code in a parameter based on a query string parameter or something.
> Maybe "enableProxyAuth=true" or something along those lines.
> I'll attach the actual modified code shortly, but in the meantime wanted to
> start a discussion around this proposed change. I have run this by some
> people inside HortonWorks and they are in favor of implementing this so that
> it can become part of HDP. Being able to use Knox (or, in theory, any other
> proxy server) to mediate JDBC access to Phoenix seems to be a desirable
> thing. Thoughts?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
