Details
-
Bug
-
Status: Open
-
Critical
-
Resolution: Unresolved
-
None
-
None
-
None
Description
The Avatica Java client depends on Apache HttpClient's Kerberos/SPNEGO implementation.
According to HTTPCLIENT-1625 that implementation is not secure, and is deprecated in newer versions.
Unfortunately, HTTPCLIENT-1625 is very scant on details, and since the reason given for deprecation is the lack of time to fix it, it is likely not a trivial fix.
Unfortunately, Avatica depends heavily on httpclient, and replacing it would it would be a big job.
While Avatica in theory has a configurable Http Client implementation, the only non-httpclient implementation is more of a POC, and does not support ANY authentication methods.
I can see these options:
1. Find an another http client library, and use it in Avatica
2. Copy the SPENGO auth code from httpclient, and fix it in Avatica
3. Fix the SPENGO auth code in httpclient.
4. Re-Implement SPENGO auth in Avatica (Hadoop does something like that, though I'm, not sure how good that is)
Attachments
Issue Links
- relates to
-
HTTPCLIENT-1625 Completely overhaul GSS-API-based authentication backend
- Resolved
- links to