accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Christopher Tubbs (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-1929) Current auth/auth/perm API doesn't well support multiple authentication domains
Date Wed, 27 Nov 2013 01:48:36 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-1929?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13833331#comment-13833331
] 

Christopher Tubbs commented on ACCUMULO-1929:
---------------------------------------------

This issue would be addressed by my anticipated implementation of ACCUMULO-1300... but if
you'd feel more comfortable leaving it open and "related" rather than closed and marked as
a duplicate, that works for me.

I'm opposed to implementing in 1.6.0, because we've already addressed the feature set for
1.6.0, and this isn't a bugfix.

> Current auth/auth/perm API doesn't well support multiple authentication domains
> -------------------------------------------------------------------------------
>
>                 Key: ACCUMULO-1929
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-1929
>             Project: Accumulo
>          Issue Type: Bug
>            Reporter: Michael Allen
>            Assignee: Christopher Tubbs
>
> The current {{Authenticator}} / {{Authorizor}} / {{PermissionHandler}} API doesn't provide
a good method to support multiple authentication domains.  
> While the {{Authenticator}} object accepts abstract {{AuthenticationToken}} objects which
can be used to point a request towards a particular domain (by including domain-specific knowledge
in the token subclass), the {{Authorizor}} and {{PermissionHandler}} objects share no such
abstract class.  A call like {{Authorizor.getCachedUserAuthorization(String user)}} can't
tell if the user in question is the user for domain 1, 2, 3, and so on, without having the
rest of the system play some crazy tricks to encode that string in some unnatural way.
> One simple-ish solution is pass the {{AuthenticationToken}} object on to more than one
call in the  {{Authenticator}} / {{Authorizor}} / {{PermissionHandler}} system.  That way,
its domain knowledge can travel through to the other parts and be used to route requests accordingly.
 



--
This message was sent by Atlassian JIRA
(v6.1#6144)

Mime
View raw message