Skip to content

fix: pass through user-provided password in HiveServer2Hook for all auth modes#62888

Merged
potiuk merged 2 commits into
apache:mainfrom
YoannAbriel:fix/issue-62338
Mar 10, 2026
Merged

fix: pass through user-provided password in HiveServer2Hook for all auth modes#62888
potiuk merged 2 commits into
apache:mainfrom
YoannAbriel:fix/issue-62338

Conversation

@YoannAbriel

Copy link
Copy Markdown
Contributor

Problem

HiveServer2Hook.get_conn() silently drops user-provided passwords when auth_mechanism is anything other than LDAP, CUSTOM, or PLAIN. When auth_mechanism defaults to NONE (the most common case), the password is never passed to pyhive.hive.connect(), which then defaults to sending "x" as the password on the wire. Users see their configured password ignored regardless of what they set in the connection form.

Root Cause

The password assignment in get_conn() was gated behind if auth_mechanism in ("LDAP", "CUSTOM", "PLAIN"). For any other auth mode, password stayed None even when db.password was explicitly set by the user.

Fix

Changed the condition to if db.password: so the user-provided password is always passed through to pyhive when set, regardless of the auth mechanism. Added a test verifying password pass-through with the default NONE auth mechanism.

Closes: #62338


Was generative AI tooling used to co-author this PR?
  • Yes — Claude Code

Generated-by: Claude Code following the guidelines


  • Read the Pull Request Guidelines for more information. Note: commit author/co-author name and email in commits become permanently public when merged.
  • For fundamental code changes, an Airflow Improvement Proposal (AIP) is needed.
  • When adding dependency, check compliance with the ASF 3rd Party License Policy.
  • For significant user-facing changes create newsfragment: {pr_number}.significant.rst or {issue_number}.significant.rst, in airflow-core/newsfragments.

@eladkal

eladkal commented Mar 4, 2026

Copy link
Copy Markdown
Contributor

wasn't this already fixed by #62364 ?

@YoannAbriel

Copy link
Copy Markdown
Contributor Author

Thanks for flagging! #62364 only added PLAIN to the list of mechanisms that retrieve the password. This PR takes a different approach — it ensures the user-provided password is passed through for all auth modes (NOSASL, NONE, KERBEROS, LDAP, CUSTOM, etc.) instead of maintaining a growing allowlist. The fix in #62364 still leaves other mechanisms unable to use a configured password.

@eladkal
eladkal requested a review from jscheffl March 4, 2026 20:14
@YoannAbriel
YoannAbriel force-pushed the fix/issue-62338 branch 3 times, most recently from 825a959 to bf6c41f Compare March 5, 2026 17:06
…s of auth mechanism

Previously, HiveServer2Hook.get_conn() only set the password when
auth_mechanism was LDAP, CUSTOM, or PLAIN. For all other auth modes
(including the default NONE), user-provided passwords were silently
dropped and pyhive would default to sending 'x' as the password.

Now the password is passed through whenever the user has explicitly
set one in the connection, regardless of the configured auth mechanism.

Fixes apache#62338
@potiuk
potiuk merged commit 45248f5 into apache:main Mar 10, 2026
93 checks passed
@YoannAbriel
YoannAbriel deleted the fix/issue-62338 branch March 10, 2026 20:17
dominikhei pushed a commit to dominikhei/airflow that referenced this pull request Mar 11, 2026
…uth modes (apache#62888)

* fix: pass through user-provided password in HiveServer2Hook regardless of auth mechanism

Previously, HiveServer2Hook.get_conn() only set the password when
auth_mechanism was LDAP, CUSTOM, or PLAIN. For all other auth modes
(including the default NONE), user-provided passwords were silently
dropped and pyhive would default to sending 'x' as the password.

Now the password is passed through whenever the user has explicitly
set one in the connection, regardless of the configured auth mechanism.

Fixes apache#62338

* ci: retrigger CI
Pyasma pushed a commit to Pyasma/airflow that referenced this pull request Mar 13, 2026
…uth modes (apache#62888)

* fix: pass through user-provided password in HiveServer2Hook regardless of auth mechanism

Previously, HiveServer2Hook.get_conn() only set the password when
auth_mechanism was LDAP, CUSTOM, or PLAIN. For all other auth modes
(including the default NONE), user-provided passwords were silently
dropped and pyhive would default to sending 'x' as the password.

Now the password is passed through whenever the user has explicitly
set one in the connection, regardless of the configured auth mechanism.

Fixes apache#62338

* ci: retrigger CI
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

When creating a Hive Server 2 Thrift connection using airflow, the password does not take effect.

3 participants