Return-Path: X-Original-To: apmail-aurora-dev-archive@minotaur.apache.org Delivered-To: apmail-aurora-dev-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id B795C11F10 for ; Thu, 14 Aug 2014 20:09:09 +0000 (UTC) Received: (qmail 60935 invoked by uid 500); 14 Aug 2014 20:09:09 -0000 Delivered-To: apmail-aurora-dev-archive@aurora.apache.org Received: (qmail 60888 invoked by uid 500); 14 Aug 2014 20:09:09 -0000 Mailing-List: contact dev-help@aurora.incubator.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@aurora.incubator.apache.org Delivered-To: mailing list dev@aurora.incubator.apache.org Received: (qmail 60877 invoked by uid 99); 14 Aug 2014 20:09:09 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 14 Aug 2014 20:09:09 +0000 X-ASF-Spam-Status: No, hits=-2000.7 required=5.0 tests=ALL_TRUSTED,RP_MATCHES_RCVD X-Spam-Check-By: apache.org Received: from [140.211.11.3] (HELO mail.apache.org) (140.211.11.3) by apache.org (qpsmtpd/0.29) with SMTP; Thu, 14 Aug 2014 20:09:07 +0000 Received: (qmail 51782 invoked by uid 99); 14 Aug 2014 20:08:38 -0000 Received: from minotaur.apache.org (HELO minotaur.apache.org) (140.211.11.9) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 14 Aug 2014 20:08:38 +0000 Received: from localhost (HELO mail-vc0-f179.google.com) (127.0.0.1) (smtp-auth username bhuvan, mechanism plain) by minotaur.apache.org (qpsmtpd/0.29) with ESMTP; Thu, 14 Aug 2014 20:08:37 +0000 Received: by mail-vc0-f179.google.com with SMTP id hq11so1987350vcb.24 for ; Thu, 14 Aug 2014 13:08:36 -0700 (PDT) MIME-Version: 1.0 X-Received: by 10.52.164.199 with SMTP id ys7mr986010vdb.42.1408046916621; Thu, 14 Aug 2014 13:08:36 -0700 (PDT) Received: by 10.220.39.138 with HTTP; Thu, 14 Aug 2014 13:08:36 -0700 (PDT) In-Reply-To: References: Date: Thu, 14 Aug 2014 13:08:36 -0700 Message-ID: Subject: Re: Authentication for aurora scheduler webui From: Bhuvan Arumugam To: dev@aurora.incubator.apache.org Content-Type: text/plain; charset=UTF-8 X-Virus-Checked: Checked by ClamAV on apache.org On Thu, Aug 14, 2014 at 11:20 AM, Bill Farner wrote: > Disclaimer: I am far from an expert in security. > > As for mechanics of where auth code should live, a new HTTP filter sounds > like the best approach. > > Since the scheduler already does authentication for the API, ideally the > mechanics of the two will be the same. This might mean that the > authentication you propose actually obviates the existing authentication. > However, i would like to avoid forcing the use of an *external* SSO > server. For example, if we proceed with kerberos integration, the browser > might use SPNEGO to authenticat. Point being that the interfaces we define > should be generic enough to support that approach as well. We are using SPNEGO based auth for aurora clients, using kerberos. It is implemented as a separate filter. The web based authentication is performed using cookies, for the same kerberos server. Originally, I thought SPNEGO is supported only in Safari. Looks like browsers like Firefox, Chrome also support SPNEGO. I'll investigate if it's feasible to implement web based authentication using SPNEGO, instead of using cookies with our authentication system. If it's true, we'll leverage the auth filter we already use for authenticating cli client. Thank you, Bill! > -=Bill > > > On Wed, Aug 13, 2014 at 1:35 PM, Bhuvan Arumugam wrote: > >> Hello, >> >> This is similar to this thread [1], but for aurora scheduler. We are >> implementing cookie based authentication for aurora scheduler (port: >> 8080). It is a single sign-on implementation. The unauthenticated >> users will be redirected to a login service. After user is >> successfully authenticated in the login service, a cookie will be >> added in this domain. The cookie is validated against the login >> service, before the page is rendered. >> >> I wish to get input on the design we are planning to implement, for >> aurora scheduler. Ideally, we want to grant access to aurora scheduler >> only for authenticated users. >> >> The requests are processed using jetty server and servlet container. >> Precisely, they are processed using >> org.apache.aurora.scheduler.http.JettyServerModule. The http handle >> for every request are accessible from here. Most of requests, if not >> all, are served by filter based handlers, >> org.apache.aurora.scheduler.http.CorsFilter is one among many. The >> doFilter() method is overridden in these filters. >> >> To implement authentication, we'll fix the filters to deal with login >> rediect, r/w cookie & validate the session. The filter would check for >> the cookie. If auth cookie is not present, user will be redirected to >> the auth service. If auth cookie is present, it'll be validated and >> http filter will be processed. >> >> The authentication hooks could be added in following filters: >> >> 1. org.apache.aurora.scheduler.http.CorsFilter >> 2. org.apache.aurora.scheduler.http.LeaderRedirectFilter >> 3. org.apache.aurora.scheduler.http.AbstractFilter >> >> Is there a better approach to implement authentication in aurora scheduler? >> >> [1] >> http://mail-archives.apache.org/mod_mbox/incubator-aurora-dev/201408.mbox/%3CCAK0Yc077KshTifyB43X4%2BTp4OW15qrV3J4jpLR4v36v5yw181Q >> >> Thank you, >> -- >> Regards, >> Bhuvan Arumugam >> www.livecipher.com >> -- Regards, Bhuvan Arumugam www.livecipher.com