accumulo-notifications mailing list archives

From "John Vines (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-1929) Current auth/auth/perm API doesn't well support multiple authentication domains
Date Tue, 26 Nov 2013 21:39:38 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-1929?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13833102#comment-13833102 ]

John Vines commented on ACCUMULO-1929:
--------------------------------------

I don't see how this is a subclass of that. Accumulo-1300 deals with multiple authentication
systems, which could be handled with a single multi-authenticator that fits into the currently
pluggable scheme. This ticket is requesting additional token information be passed to the
authorizor and permission handler interfaces, which is a significant limitation on those interfaces
which makes me wonder if that's something we want to address in 1.6.0.

> Current auth/auth/perm API doesn't well support multiple authentication domains
> -------------------------------------------------------------------------------
>
>                 Key: ACCUMULO-1929
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-1929
>             Project: Accumulo
>          Issue Type: Bug
>            Reporter: Michael Allen
>            Assignee: Christopher Tubbs
>
> The current {{Authenticator}} / {{Authorizor}} / {{PermissionHandler}} API doesn't provide
> a good method to support multiple authentication domains.
> While the {{Authenticator}} object accepts abstract {{AuthenticationToken}} objects which
> can be used to point a request towards a particular domain (by including domain-specific knowledge
> in the token subclass), the {{Authorizor}} and {{PermissionHandler}} objects share no such
> abstract class.  A call like {{Authorizor.getCachedUserAuthorization(String user)}} can't
> tell if the user in question is the user for domain 1, 2, 3, and so on, without having the
> rest of the system play some crazy tricks to encode that string in some unnatural way.
> One simple-ish solution is to pass the {{AuthenticationToken}} object on to more than one
> call in the {{Authenticator}} / {{Authorizor}} / {{PermissionHandler}} system.  That way,
> its domain knowledge can travel through to the other parts and be used to route requests accordingly.
 



--
This message was sent by Atlassian JIRA
(v6.1#6144)
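
An added illustration of the problem in the quoted issue description, not part of the original message and not Accumulo code: a store keyed only by the user string merges same-named users from two domains, while one that receives the token can route by domain. All class and method shapes here (`DomainToken`, `StringKeyedAuthorizor`, `TokenAwareAuthorizor`) are hypothetical, simplified stand-ins, and the users and labels are constructed samples.

```java
import java.util.*;

// Hypothetical, simplified stand-ins; these are NOT Accumulo's real interfaces.
public class DomainRoutingExample {

    // Stand-in for an AuthenticationToken subclass carrying domain knowledge.
    record DomainToken(String domain, String user) {}

    // Shape described in the issue: only the user name reaches the store.
    static class StringKeyedAuthorizor {
        private final Map<String, Set<String>> auths = new HashMap<>();
        void grant(String user, String... labels) {
            auths.computeIfAbsent(user, k -> new TreeSet<>()).addAll(List.of(labels));
        }
        Set<String> getCachedUserAuthorization(String user) {
            return auths.getOrDefault(user, Set.of());
        }
    }

    // Proposed shape: the token travels with the call, so lookups route by domain.
    static class TokenAwareAuthorizor {
        private final Map<String, Map<String, Set<String>>> byDomain = new HashMap<>();
        void grant(DomainToken t, String... labels) {
            byDomain.computeIfAbsent(t.domain(), k -> new HashMap<>())
                    .computeIfAbsent(t.user(), k -> new TreeSet<>())
                    .addAll(List.of(labels));
        }
        Set<String> getCachedUserAuthorization(DomainToken t) {
            // An unknown domain or user fails closed with an empty set.
            return byDomain.getOrDefault(t.domain(), Map.of())
                           .getOrDefault(t.user(), Set.of());
        }
    }

    public static void main(String[] args) {
        DomainToken ldapAlice = new DomainToken("ldap", "alice");   // constructed sample
        DomainToken localAlice = new DomainToken("local", "alice"); // constructed sample

        StringKeyedAuthorizor flat = new StringKeyedAuthorizor();
        flat.grant(ldapAlice.user(), "secret");
        flat.grant(localAlice.user(), "public");
        // Both identities collapse into one entry, so either "alice" sees the union.
        System.out.println("string-keyed alice: " + flat.getCachedUserAuthorization("alice"));

        TokenAwareAuthorizor routed = new TokenAwareAuthorizor();
        routed.grant(ldapAlice, "secret");
        routed.grant(localAlice, "public");
        System.out.println("ldap/alice:  " + routed.getCachedUserAuthorization(ldapAlice));
        System.out.println("local/alice: " + routed.getCachedUserAuthorization(localAlice));
    }
}
```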
