Open
Support Thrift over HTTP
Description
Some customers struggle to expose plain TCP to the outside of the k8s world.
Also, Kerberos is a pain in the ***, and there is currently no other auth mechanism for HMS.
We should support Thrift over HTTP to solve both problems.
- HTTP can easily be exposed (like all other HTTP services, e.g. via an Ingress)
- Users can put a basic auth / OAuth proxy / ... in front of the HTTP service
Value
Users can expose and secure stuff without Kerberos
Dependencies
None
Tasks
Acceptance Criteria
- HTTP disabled by default
- HTTP can be turned on while turning TCP off
- HTTP and TCP can be turned on at the same time (seems to be supported starting with 4.0.0 https://issues.apache.org/jira/browse/HIVE-5312)
(Information Security) Risk Assessment
This gives the option to switch from a (IMHO hard to protect - Kerberos) TCP protocol to the HTTP protocol.
This probably means Kerberos will stop working, but users can put some sort of LoadBalancer/Proxy in front to do the authentication instead of messing with Kerberos.
Accessibility Assessment
None
Quality
Tests with Spark and Trino
Release Notes
Support HTTP Thrift transport mode for Hive metastore