Allow authentication over HTTP

koszti · koszti · commit 731a0ccf2ab9 · 2025-02-06T09:11:30.000Z
diff --git a/README.md b/README.md
@@ -365,6 +365,41 @@ It follows the interface for `KerberosAuthentication`, but is using
     )
     ```
 
+
+### Insecure authentication
+
+All authentication methods require secure HTTPS channel to the Trino cluster. Although not recommended, you can enable authentication over insecure HTTP channel by using `insecure` connection argument.
+
+- DBAPI
+
+    ```python
+    from trino.dbapi import connect
+    ...
+
+    conn = connect(
+        auth=...,
+        insecure=True,
+        ...
+    )
+    ```
+
+- SQLAlchemy
+
+    ```python
+    from sqlalchemy import create_engine
+
+    engine = create_engine("trino://<username>:<password>@<host>:<port>/<catalog>/?insecure=true")
+
+    # or as connect_args
+    engine = create_engine(
+        "trino://<username>@<host>:<port>/<catalog>",
+        connect_args={
+            "auth"=...,
+            "insecure": True,
+        }
+    )
+    ```
+
 ## User impersonation
 
 In the case where user who submits the query is not the same as user who authenticates to Trino server (e.g in Superset),
diff --git a/tests/unit/sqlalchemy/test_dialect.py b/tests/unit/sqlalchemy/test_dialect.py
@@ -58,7 +58,6 @@ def setup_method(self):
                     catalog="system",
                     user="user",
                     auth=BasicAuthentication("user", "pass"),
-                    http_scheme="https",
                     source="trino-rulez"
                 ),
             ),
@@ -80,7 +79,6 @@ def setup_method(self):
                     catalog="system",
                     user="user",
                     auth=CertificateAuthentication("/my/path/to/cert", "afdlsdfk%4#'"),
-                    http_scheme="https",
                     source="trino-sqlalchemy"
                 ),
             ),
@@ -100,7 +98,6 @@ def setup_method(self):
                     catalog="system",
                     user="user",
                     auth=JWTAuthentication("afdlsdfk%4#'"),
-                    http_scheme="https",
                     source="trino-sqlalchemy"
                 ),
             ),
@@ -168,7 +165,6 @@ def setup_method(self):
                     catalog="system",
                     user="user@test.org/my_role",
                     auth=BasicAuthentication("user@test.org/my_role", "pass /*&"),
-                    http_scheme="https",
                     source="trino-sqlalchemy",
                     session_properties={"query_max_run_time": "1d"},
                     http_headers={"trino": 1},
@@ -270,7 +266,6 @@ def test_trino_connection_basic_auth():
     url = make_url(f'trino://{username}:{password}@host')
     _, cparams = dialect.create_connect_args(url)
 
-    assert cparams['http_scheme'] == "https"
     assert isinstance(cparams['auth'], BasicAuthentication)
     assert cparams['auth']._username == username
     assert cparams['auth']._password == password
@@ -282,7 +277,6 @@ def test_trino_connection_jwt_auth():
     url = make_url(f'trino://host/?access_token={access_token}')
     _, cparams = dialect.create_connect_args(url)
 
-    assert cparams['http_scheme'] == "https"
     assert isinstance(cparams['auth'], JWTAuthentication)
     assert cparams['auth'].token == access_token
 
@@ -294,7 +288,6 @@ def test_trino_connection_certificate_auth():
     url = make_url(f'trino://host/?cert={cert}&key={key}')
     _, cparams = dialect.create_connect_args(url)
 
-    assert cparams['http_scheme'] == "https"
     assert isinstance(cparams['auth'], CertificateAuthentication)
     assert cparams['auth']._cert == cert
     assert cparams['auth']._key == key
@@ -307,13 +300,11 @@ def test_trino_connection_certificate_auth_cert_and_key_required():
     url = make_url(f'trino://host/?cert={cert}')
     _, cparams = dialect.create_connect_args(url)
 
-    assert 'http_scheme' not in cparams
     assert 'auth' not in cparams
 
     url = make_url(f'trino://host/?key={key}')
     _, cparams = dialect.create_connect_args(url)
 
-    assert 'http_scheme' not in cparams
     assert 'auth' not in cparams
 
 
@@ -322,5 +313,4 @@ def test_trino_connection_oauth2_auth():
     url = make_url('trino://host/?externalAuthentication=true')
     _, cparams = dialect.create_connect_args(url)
 
-    assert cparams['http_scheme'] == "https"
     assert isinstance(cparams['auth'], OAuth2Authentication)
diff --git a/trino/client.py b/trino/client.py
@@ -489,8 +489,6 @@ def __init__(
         self._exceptions = self.HTTP_EXCEPTIONS
         self._auth = auth
         if self._auth:
-            if self._http_scheme == constants.HTTP:
-                raise ValueError("cannot use authentication with HTTP")
             self._auth.set_http_session(self._http_session)
             self._exceptions += self._auth.get_exceptions()
 
diff --git a/trino/sqlalchemy/dialect.py b/trino/sqlalchemy/dialect.py
@@ -133,19 +133,15 @@ def create_connect_args(self, url: URL) -> Tuple[Sequence[Any], Mapping[str, Any
         if url.password:
             if not url.username:
                 raise ValueError("Username is required when specify password in connection URL")
-            kwargs["http_scheme"] = "https"
             kwargs["auth"] = BasicAuthentication(unquote_plus(url.username), unquote_plus(url.password))
 
         if "access_token" in url.query:
-            kwargs["http_scheme"] = "https"
             kwargs["auth"] = JWTAuthentication(unquote_plus(url.query["access_token"]))
 
         if "cert" in url.query and "key" in url.query:
-            kwargs["http_scheme"] = "https"
             kwargs["auth"] = CertificateAuthentication(unquote_plus(url.query['cert']), unquote_plus(url.query['key']))
 
         if "externalAuthentication" in url.query:
-            kwargs["http_scheme"] = "https"
             kwargs["auth"] = OAuth2Authentication()
 
         if "source" in url.query:
