aurora-dev mailing list archives

From Bhuvan Arumugam <bhu...@apache.org>
Subject Re: Authentication for aurora scheduler webui
Date Thu, 14 Aug 2014 20:08:36 GMT
On Thu, Aug 14, 2014 at 11:20 AM, Bill Farner <wfarner@apache.org> wrote:
> Disclaimer: I am far from an expert in security.
>
> As for mechanics of where auth code should live, a new HTTP filter sounds
> like the best approach.
>
> Since the scheduler already does authentication for the API, ideally the
> mechanics of the two will be the same.  This might mean that the
> authentication you propose actually obviates the existing authentication.
> However, I would like to avoid forcing the use of an *external* SSO
> server.  For example, if we proceed with kerberos integration, the browser
> might use SPNEGO to authenticate.  Point being that the interfaces we define
> should be generic enough to support that approach as well.

We are using SPNEGO based auth for aurora clients, using kerberos. It
is implemented as a separate filter. The web based authentication is
performed using cookies, for the same kerberos server. Originally, I
thought SPNEGO is supported only in Safari. Looks like browsers like
Firefox, Chrome also support SPNEGO. I'll investigate if it's feasible
to implement web based authentication using SPNEGO, instead of using
cookies with our authentication system. If it's true, we'll leverage
the auth filter we already use for authenticating cli client.

Thank you, Bill!

> -=Bill
>
>
> On Wed, Aug 13, 2014 at 1:35 PM, Bhuvan Arumugam <bhuvan@apache.org> wrote:
>
>> Hello,
>>
>> This is similar to this thread [1], but for aurora scheduler. We are
>> implementing cookie based authentication for aurora scheduler (port:
>> 8080). It is a single sign-on implementation. The unauthenticated
>> users will be redirected to a login service. After user is
>> successfully authenticated in the login service, a cookie will be
>> added in this domain. The cookie is validated against the login
>> service, before the page is rendered.
>>
>> I wish to get input on the design we are planning to implement, for
>> aurora scheduler. Ideally, we want to grant access to aurora scheduler
>> only for authenticated users.
>>
>> The requests are processed using jetty server and servlet container.
>> Precisely, they are processed using
>> org.apache.aurora.scheduler.http.JettyServerModule. The http handle
>> for every request are accessible from here. Most of requests, if not
>> all, are served by filter based handlers,
>> org.apache.aurora.scheduler.http.CorsFilter is one among many. The
>> doFilter() method is overridden in these filters.
>>
>> To implement authentication, we'll fix the filters to deal with login
>> redirect, r/w cookie & validate the session. The filter would check for
>> the cookie. If auth cookie is not present, user will be redirected to
>> the auth service. If auth cookie is present, it'll be validated and
>> http filter will be processed.
>>
>> The authentication hooks could be added in following filters:
>>
>>   1. org.apache.aurora.scheduler.http.CorsFilter
>>   2. org.apache.aurora.scheduler.http.LeaderRedirectFilter
>>   3. org.apache.aurora.scheduler.http.AbstractFilter
>>
>> Is there a better approach to implement authentication in aurora scheduler?
>>
>> [1]
>> http://mail-archives.apache.org/mod_mbox/incubator-aurora-dev/201408.mbox/%3CCAK0Yc077KshTifyB43X4%2BTp4OW15qrV3J4jpLR4v36v5yw181Q
>>
>> Thank you,
>> --
>> Regards,
>> Bhuvan Arumugam
>> www.livecipher.com
>>



-- 
Regards,
Bhuvan Arumugam
www.livecipher.com
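
The cookie check discussed in this thread, sketched as a stand-alone servlet filter. This is an added example, not code from the thread or from Aurora. The `SessionValidator` interface, the cookie name, the login URL, the `return` parameter and the `auth.user` attribute are all hypothetical; only the `javax.servlet` API calls are real.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.servlet.*;
import javax.servlet.http.*;

// Added illustration: one dedicated auth filter placed ahead of the other filters.
public class CookieAuthFilter implements Filter {
  /** Hypothetical login-service client: returns the user name, or null for an invalid cookie. */
  public interface SessionValidator { String validate(String cookieValue) throws IOException; }

  private static final String COOKIE_NAME = "AUTH_SESSION";                  // assumed name
  private static final String LOGIN_URL = "https://login.example.com/login"; // placeholder
  private final SessionValidator validator;

  public CookieAuthFilter(SessionValidator validator) { this.validator = validator; }
  @Override public void init(FilterConfig config) {}
  @Override public void destroy() {}

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    String user = null;
    Cookie[] cookies = request.getCookies(); // null when the request carries no cookies
    if (cookies != null) {
      for (Cookie c : cookies) {
        if (!COOKIE_NAME.equals(c.getName())) continue;
        try {
          user = validator.validate(c.getValue()); // checked against the login service
        } catch (IOException e) {
          // Fail closed: if the login service is unreachable, do not serve the page.
          response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
          return;
        }
      }
    }
    if (user == null) {
      // Missing or rejected cookie: send the browser to the login service with an
      // encoded return target, which the login service must check before redirecting back.
      StringBuffer target = request.getRequestURL();
      if (request.getQueryString() != null) target.append('?').append(request.getQueryString());
      response.sendRedirect(LOGIN_URL + "?return=" + URLEncoder.encode(target.toString(), "UTF-8"));
      return;
    }
    request.setAttribute("auth.user", user); // identity for downstream filters and servlets
    chain.doFilter(request, response);
  }
}
```

Keeping the check in one filter registered before the others means every request path goes through the same validation, and a SPNEGO-based filter could later replace it behind the same position in the chain.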
