If you look at the HiveServer2 implementation over at HIVE-2935, it has an implementation of a Plain SASL server. Plain server means the SASL server doesn't use Kerberos (or any authentication mechanism) for authenticating the thrift client, and at the same time the client transfers the end user identity to the server. The server just trusts the client, since it's unsecure mode anyway. This SASL server is used for the thrift client and server transport in HiveServer2. That is a much cleaner approach than the current implementation, which is really hacky and does an RPC call to transfer the ugi (introduced in HIVE-2616), instead of transferring it at connection setup time. Though the current hacky approach works, it's a twisted design and harder to understand. If there is any interest in wider adoption of transferring ugi for unsecure connections between thrift client and server, we should use the HS2 mechanism. Further, since HiveServer2 already uses that, we will have parity in the transport layer between the HS2 client-server transport and the metastore client-server transport. That way we can reuse code between these two transports, instead of having two parallel implementations of the same feature.
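The identity transfer at connection setup described above, as an added sketch that is not code from HIVE-2935 or from Hive. It assumes the standard SASL PLAIN message layout from RFC 4616 (`[authzid] NUL authcid NUL passwd`), and every function name in it is hypothetical. It places the unsecure-mode handler, which accepts whatever identity the client claims, beside a handler that verifies the credentials first.

```python
class PlainAuthError(ValueError):
    """Raised when a PLAIN message is malformed or rejected."""

def encode_plain(authcid, passwd, authzid=""):
    """Client side: build [authzid] NUL authcid NUL passwd (RFC 4616)."""
    for field in (authzid, authcid, passwd):
        if "\x00" in field:
            raise PlainAuthError("NUL is not allowed inside a field")
    return "\x00".join((authzid, authcid, passwd)).encode("utf-8")

def parse_plain(message):
    """Server side: split the initial response into its three fields."""
    try:
        text = message.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise PlainAuthError("message is not valid UTF-8") from exc
    parts = text.split("\x00")
    if len(parts) != 3:
        raise PlainAuthError("expected exactly two NUL separators")
    authzid, authcid, passwd = parts
    if not authcid:
        raise PlainAuthError("empty authentication identity")
    return authzid, authcid, passwd

def accept_unsecure(message):
    """Unsecure mode: no credential check, the claimed identity is used."""
    authzid, authcid, _passwd = parse_plain(message)
    return authzid or authcid

def accept_verified(message, verify):
    """Contrast: check credentials and refuse to act for another user.

    `verify` is a caller-supplied callable (hypothetical) that returns
    True when the password matches the authentication identity.
    """
    authzid, authcid, passwd = parse_plain(message)
    if not verify(authcid, passwd):
        raise PlainAuthError("bad credentials")
    if authzid and authzid != authcid:
        raise PlainAuthError("acting for another user is not permitted")
    return authcid

if __name__ == "__main__":
    # Constructed sample: the server in unsecure mode sees only a claim.
    msg = encode_plain("alice", "ignored")
    print(msg, "->", accept_unsecure(msg))
```

Because `accept_unsecure` never inspects the password field, the user name it returns is a label supplied by the client, which is the trust assumption the description states for unsecure mode.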