I think instead of the change as proposed it would be cleaner and more flexible to introduce a plug point in the query server for authentication. Then there could be reusable plugins for extracting the common SSO tokens (like JWT or SAML) and validating them against the common identity providers like LDAP or AD. The plugins would get their configuration particulars out of the site file. Users could implement additional plugins for extracting username and passwords sent along in an X-header or whatever custom thing they are up to. For plugin implementation guidance, you might want to look at how other Apache projects that deal with these concerns do it, like Knox.
We actually did implement something rudimentary in test by simply adding a constructor for the getConnection() method that accepted a username and password as the argument. This was passed to an InitialDirContext instance that connected to Active Directory. If this did not throw an exception, then we know the username and password are good and can then call the "normal" getConnection() method.
If there is interest, we can clean up/refactor where needed, add properties configurable in the hbase config for:
* the authentication method chosen (phoenix.authentication.ldap as a boolean)
* the location of the LDAP server, whichever is in use (phoenix.ldap.url)
Let me know if this sounds workable and we will do what is listed above.
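The bind-as-the-user check described in the comment above, written out as an added example so the failure modes are visible. This is not Phoenix code and not the poster's test implementation: the two property names are the ones proposed in the comment, while the `LdapBindAuthenticator` class, the `java.util.Properties`-based loading (standing in for the HBase/Hadoop configuration) and the `ldaps://` sample URL are assumptions. The point it adds to the "no exception means success" logic is that JNDI performs an anonymous or unauthenticated bind when the password is empty, which many directories accept, so an empty password must be rejected before the bind is attempted, and any non-authentication error (server down, TLS failure) must fail closed.

```java
import java.util.Hashtable;
import java.util.Properties;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;

/** Validates a username/password pair by performing an LDAP simple bind as that user. */
public class LdapBindAuthenticator {
    // Property names taken from the proposal in the comment above.
    static final String AUTH_LDAP_KEY = "phoenix.authentication.ldap";
    static final String LDAP_URL_KEY = "phoenix.ldap.url";

    private final String ldapUrl;

    public LdapBindAuthenticator(String ldapUrl) {
        this.ldapUrl = ldapUrl;
    }

    /**
     * Builds an authenticator from configuration, or returns null when LDAP
     * authentication is not enabled. Properties stands in here for the HBase
     * configuration object the real integration would read (assumption).
     */
    public static LdapBindAuthenticator fromConfig(Properties conf) {
        boolean enabled = Boolean.parseBoolean(conf.getProperty(AUTH_LDAP_KEY, "false"));
        String url = conf.getProperty(LDAP_URL_KEY);
        if (!enabled) {
            return null;
        }
        if (url == null || url.isEmpty()) {
            throw new IllegalStateException(LDAP_URL_KEY + " must be set when "
                    + AUTH_LDAP_KEY + " is true");
        }
        return new LdapBindAuthenticator(url);
    }

    /**
     * Returns true only when a simple bind as {@code principal} with {@code password}
     * succeeds. For Active Directory the principal is typically the userPrincipalName
     * (user@domain) or DOMAIN\user; for other directories it is the user's DN.
     */
    public boolean authenticate(String principal, String password) {
        // Empty credentials make JNDI do an anonymous/unauthenticated bind, which
        // many directories accept without error. Reject them before binding, otherwise
        // "no exception was thrown" would be reported as a successful login.
        if (principal == null || principal.isEmpty()
                || password == null || password.isEmpty()) {
            return false;
        }

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);

        InitialDirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);   // the bind happens here
            return true;
        } catch (AuthenticationException bad) {
            // Wrong password / unknown user: the expected rejection path.
            return false;
        } catch (NamingException other) {
            // Server unreachable, certificate problem, etc.: fail closed rather than
            // letting an infrastructure error look like "not authenticated" vs. "ok".
            return false;
        } finally {
            if (ctx != null) {
                try {
                    ctx.close();
                } catch (NamingException ignore) {
                    // nothing useful to do on close failure
                }
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample configuration; the URL is a placeholder, not a real host.
        Properties conf = new Properties();
        conf.setProperty(AUTH_LDAP_KEY, "true");
        conf.setProperty(LDAP_URL_KEY, "ldaps://ldap.example.invalid:636");

        LdapBindAuthenticator auth = fromConfig(conf);
        // An empty password is refused locally without ever contacting the directory.
        System.out.println("empty password accepted? " + auth.authenticate("alice", ""));
    }
}
```

Using `ldaps://` (or StartTLS) keeps the simple-bind password off the wire in clear text; with a plain `ldap://` URL the user's password is sent unencrypted to the directory on every query-server login.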