aurora-dev mailing list archives

From Bill Farner <wfar...@apache.org>
Subject Re: Authentication for aurora scheduler webui
Date Thu, 14 Aug 2014 18:20:08 GMT
Disclaimer: I am far from an expert in security.

As for mechanics of where auth code should live, a new HTTP filter sounds
like the best approach.

Since the scheduler already does authentication for the API, ideally the
mechanics of the two will be the same.  This might mean that the
authentication you propose actually obviates the existing authentication.
However, I would like to avoid forcing the use of an *external* SSO
server.  For example, if we proceed with Kerberos integration, the browser
might use SPNEGO to authenticate.  Point being that the interfaces we define
should be generic enough to support that approach as well.


-=Bill


On Wed, Aug 13, 2014 at 1:35 PM, Bhuvan Arumugam <bhuvan@apache.org> wrote:

> Hello,
>
> This is similar to this thread [1], but for aurora scheduler. We are
> implementing cookie based authentication for aurora scheduler (port:
> 8080). It is a single sign-on implementation. The unauthenticated
> users will be redirected to a login service. After user is
> successfully authenticated in the login service, a cookie will be
> added in this domain. The cookie is validated against the login
> service, before the page is rendered.
>
> I wish to get input on the design we are planning to implement, for
> aurora scheduler. Ideally, we want to grant access to aurora scheduler
> only for authenticated users.
>
> The requests are processed using jetty server and servlet container.
> Precisely, they are processed using
> org.apache.aurora.scheduler.http.JettyServerModule. The http handles
> for every request are accessible from here. Most of requests, if not
> all, are served by filter based handlers,
> org.apache.aurora.scheduler.http.CorsFilter is one among many. The
> doFilter() method is overridden in these filters.
>
> To implement authentication, we'll fix the filters to deal with login
> redirect, r/w cookie & validate the session. The filter would check for
> the cookie. If auth cookie is not present, user will be redirected to
> the auth service. If auth cookie is present, it'll be validated and
> http filter will be processed.
>
> The authentication hooks could be added in following filters:
>
>   1. org.apache.aurora.scheduler.http.CorsFilter
>   2. org.apache.aurora.scheduler.http.LeaderRedirectFilter
>   3. org.apache.aurora.scheduler.http.AbstractFilter
>
> Is there a better approach to implement authentication in aurora scheduler?
>
> [1]
> http://mail-archives.apache.org/mod_mbox/incubator-aurora-dev/201408.mbox/%3CCAK0Yc077KshTifyB43X4%2BTp4OW15qrV3J4jpLR4v36v5yw181Q
>
> Thank you,
> --
> Regards,
> Bhuvan Arumugam
> www.livecipher.com
>
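
The filter flow proposed in the quoted message, placed behind the mechanism-neutral interface the reply asks for, as an added example that is not part of either message or of Aurora's code base. It assumes the javax.servlet API; every class, cookie and attribute name is hypothetical.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added illustration: every type, cookie and attribute name here is hypothetical. */
public class AuthenticationFilter implements Filter {
  /** Mechanism-neutral result; at most one field is non-null. */
  public static final class Outcome {
    final String principal, redirectTo, challenge;
    Outcome(String p, String r, String c) { principal = p; redirectTo = r; challenge = c; }
  }
  /** A cookie/SSO check and a SPNEGO check would both implement this. */
  public interface Authenticator { Outcome authenticate(HttpServletRequest request); }
  /** Asks the login service who owns a session token; returns null if it is invalid. */
  public interface SessionValidator { String principalFor(String token); }

  /** The cookie flow from the proposal: no valid cookie means redirect to login. */
  public static final class CookieAuthenticator implements Authenticator {
    private final SessionValidator validator;
    private final String loginUrl;  // fixed value, never taken from the request
    public CookieAuthenticator(SessionValidator v, String url) { validator = v; loginUrl = url; }
    @Override public Outcome authenticate(HttpServletRequest request) {
      Cookie[] cookies = request.getCookies();  // null when the request carries none
      for (Cookie c : cookies == null ? new Cookie[0] : cookies) {
        String who = "AUTH_SESSION".equals(c.getName()) ? validator.principalFor(c.getValue()) : null;
        if (who != null) return new Outcome(who, null, null);
      }
      return new Outcome(null, loginUrl, null);
    }
  }

  private final Authenticator authenticator;
  public AuthenticationFilter(Authenticator authenticator) { this.authenticator = authenticator; }
  @Override public void init(FilterConfig config) { }
  @Override public void destroy() { }

  @Override public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
      throws IOException, ServletException {
    HttpServletResponse response = (HttpServletResponse) resp;
    Outcome outcome = authenticator.authenticate((HttpServletRequest) req);
    if (outcome != null && outcome.principal != null) {
      req.setAttribute("auth.principal", outcome.principal);
      chain.doFilter(req, resp);                                  // authenticated: run the handler
    } else if (outcome != null && outcome.redirectTo != null) {
      response.sendRedirect(outcome.redirectTo);                  // cookie/SSO: go to the login service
    } else if (outcome != null && outcome.challenge != null) {
      response.setHeader("WWW-Authenticate", outcome.challenge);  // SPNEGO would pass "Negotiate"
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    } else {
      response.sendError(HttpServletResponse.SC_FORBIDDEN);       // no usable outcome: fail closed
    }
  }
}
```

Registering this as one filter ahead of the others keeps the check in a single place, and the chain is only continued on the authenticated branch.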
