Uploaded image for project: 'Calcite'
  1. Calcite
  2. CALCITE-6364

HttpClient SPENGO support is deprecated

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Critical
    • Resolution: Unresolved
    • None
    • None
    • avatica
    • None

    Description

      The Avatica Java client depends on Apache HttpClient's Kerberos/SPNEGO implementation.
      According to HTTPCLIENT-1625 that implementation is not secure, and is deprecated in newer versions.

      Unfortunately, HTTPCLIENT-1625 is very scant on details, and since the reason given for deprecation is the lack of time to fix it, it is likely not a trivial fix.

      Unfortunately, Avatica depends heavily on httpclient, and replacing it would it would be a big job.

      While Avatica in theory has a configurable Http Client implementation, the only non-httpclient implementation is more of a POC, and does not support ANY authentication methods.

      I can see these options:

      1. Find an another http client library, and use it in Avatica
      2. Copy the SPENGO auth code from httpclient, and fix it in Avatica
      3. Fix the SPENGO auth code in httpclient.
      4. Re-Implement SPENGO auth in Avatica (Hadoop does something like that, though I'm, not sure how good that is)

      Attachments

        Issue Links

          Activity

            People

              stoty Istvan Toth
              stoty Istvan Toth
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated: