fix: pass through user-provided password in HiveServer2Hook for all auth modes#62888
Merged
Conversation
Contributor
|
wasn't this already fixed by #62364 ? |
Contributor
Author
|
Thanks for flagging! #62364 only added |
YoannAbriel
force-pushed
the
fix/issue-62338
branch
3 times, most recently
from
March 5, 2026 17:06
825a959 to
bf6c41f
Compare
…s of auth mechanism Previously, HiveServer2Hook.get_conn() only set the password when auth_mechanism was LDAP, CUSTOM, or PLAIN. For all other auth modes (including the default NONE), user-provided passwords were silently dropped and pyhive would default to sending 'x' as the password. Now the password is passed through whenever the user has explicitly set one in the connection, regardless of the configured auth mechanism. Fixes apache#62338
YoannAbriel
force-pushed
the
fix/issue-62338
branch
from
March 5, 2026 19:03
bf6c41f to
1ff6801
Compare
potiuk
approved these changes
Mar 10, 2026
dominikhei
pushed a commit
to dominikhei/airflow
that referenced
this pull request
Mar 11, 2026
…uth modes (apache#62888) * fix: pass through user-provided password in HiveServer2Hook regardless of auth mechanism Previously, HiveServer2Hook.get_conn() only set the password when auth_mechanism was LDAP, CUSTOM, or PLAIN. For all other auth modes (including the default NONE), user-provided passwords were silently dropped and pyhive would default to sending 'x' as the password. Now the password is passed through whenever the user has explicitly set one in the connection, regardless of the configured auth mechanism. Fixes apache#62338 * ci: retrigger CI
Pyasma
pushed a commit
to Pyasma/airflow
that referenced
this pull request
Mar 13, 2026
…uth modes (apache#62888) * fix: pass through user-provided password in HiveServer2Hook regardless of auth mechanism Previously, HiveServer2Hook.get_conn() only set the password when auth_mechanism was LDAP, CUSTOM, or PLAIN. For all other auth modes (including the default NONE), user-provided passwords were silently dropped and pyhive would default to sending 'x' as the password. Now the password is passed through whenever the user has explicitly set one in the connection, regardless of the configured auth mechanism. Fixes apache#62338 * ci: retrigger CI
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
HiveServer2Hook.get_conn()silently drops user-provided passwords whenauth_mechanismis anything other thanLDAP,CUSTOM, orPLAIN. Whenauth_mechanismdefaults toNONE(the most common case), the password is never passed topyhive.hive.connect(), which then defaults to sending"x"as the password on the wire. Users see their configured password ignored regardless of what they set in the connection form.Root Cause
The password assignment in
get_conn()was gated behindif auth_mechanism in ("LDAP", "CUSTOM", "PLAIN"). For any other auth mode,passwordstayedNoneeven whendb.passwordwas explicitly set by the user.Fix
Changed the condition to
if db.password:so the user-provided password is always passed through to pyhive when set, regardless of the auth mechanism. Added a test verifying password pass-through with the defaultNONEauth mechanism.Closes: #62338
Was generative AI tooling used to co-author this PR?
Generated-by: Claude Code following the guidelines
{pr_number}.significant.rstor{issue_number}.significant.rst, in airflow-core/newsfragments.