Allow authentication over HTTP

[koszti]

Description

The Trino Python client currently rejects all authentication attempts over HTTP. While this seems like is a sensible security measure on the part of the Trino client, using an HTTP URL to access the Trino server does not inherently indicate an insecure environment.

This could be useful for testing purposes or in modern service meshes, such as those using SPIFFE authentication where injection of the spiffe headers and adding TLS are handled by spire and envoy separately in sidecars. Furthermore the trino server also has the option of http-server.authentication.allow-insecure-over-http=true (doc here) so it might be reasonable to not rejecting non-https authentication attempts in the client side.

This pull request includes the following improvements:

• The SQLAlchemy dialect no longer automatically sets http_scheme to https when authentication is detected in the connection URL.
• Authentication over HTTP is now allowed.
• To authenticate over HTTP using SQLAlchemy, the http_scheme="http" connection argument is now respected. If http_scheme is not specified, the scheme defaults to https when the port is 443; otherwise, it defaults to http.

Example auth over HTTP:

- DBAPI

    ```python
    from trino.dbapi import connect
    from trino.auth import BasicAuthentication

    conn = connect(
        user="<username>",
        auth=BasicAuthentication("<username>", "<password>"),
        http_scheme="http",
        ...
    )
    ```

- SQLAlchemy

    ```python
    from sqlalchemy import create_engine

    # defaults to use http if the port is not 443
    engine = create_engine("trino://<username>:<password>@<host>:<port>/<catalog>")

    # or as connect_args
    from trino.auth import BasicAuthentication
    engine = create_engine(
        "trino://<username>@<host>:<port>/<catalog>",
        connect_args={
            "auth": BasicAuthentication("<username>", "<password>"),
            "http_scheme": "http",
        }
    )
    ```

Non-technical explanation

This PR adds functionality to optionally authenticate over HTTP.

Release notes

( ) This is not user-visible or docs only and no release notes are required.
( ) Release notes are required, please propose a release note for me.
(x) Release notes are required, with the following suggested text:

* Allow authentication over HTTP ({issue}`530`)

[hashhar]

I think we should simply remove the check.

After all the server does reject auth over HTTP unless:

• insecure over HTTP is allowed via config
• OR the connection was forwarded from a LB that terminates TLS (signalled via X-Forwarded-Proto header in the request)

What does the JDBC driver do right now?

[koszti]

I think we should simply remove the check.

@hashhar , this needs to be tested, but removing it without introducing a new flag could lead to breaking changes. The SQLAlchemy dialect automatically sets http_scheme="https" for all authentication types (here), so we’d also need to remove that along with the actual check (here).

Would this mean that clients not explicitly specifying http_scheme would end up using an unknown protocol?

[hashhar]

I'm saying to only remove these two lines

trino-python-client/trino/client.py

Lines 492 to 493 in 1e95bbf

	if self._http_scheme == constants.HTTP:
	raise ValueError("cannot use authentication with HTTP")

It's server's job to disallow or allow whatever combination it wants.

The http_scheme should still remain obviously.

[koszti]

removing those two lines only doesn’t help unfortunately because the http_sceme is set to https automatically for all auth types. Client actually has no chance to overwrite it by passing http sceme in connect_args and they end up with https only whatever they do.

[hashhar]

I think the SQLAlchemy dialect code is being too smart for no reason. It should not be automatically setting http_scheme in any case. Same as how the db-api doesn't do it. We can remove the code from there too.

The DB-API code (client.py TrinoRequest.__init__) will already anyway determine correct http_scheme from the URI itself. The only case when user needs to pass http_scheme explicitly will be for a bare URI which I don't think is common at all.

[koszti]

@hashhar I've updated the PR as per your recommendations. The SQLAlchemy dialect no longer sets the http_scheme automatically, and the client now accepts authentication over HTTP. No new arguments have been introduced. I've added more details to the PR description, including connection examples. Additionally, I've updated the tests and verified functionality with other Trino instances. What do you think?