aurora-reviews mailing list archives

From "Maxim Khutornenko" <ma...@apache.org>
Subject Re: Review Request 32541: Adding client Kerberos support.
Date Thu, 02 Apr 2015 01:25:30 GMT


> On April 1, 2015, 8:40 p.m., Kevin Sweeney wrote:
> > src/main/python/apache/aurora/common/auth/auth_kerberos.py, line 33
> > <https://reviews.apache.org/r/32541/diff/2/?file=909513#file909513line33>
> >
> >     An explanatory comment as to why we don't enable mutual authentication would be nice here, for example:
> >     
> >     ```
> >     """
> >     While SPNEGO supports mutual authentication of the response, it does not assert
> >     the validity of the response payload, only the identity of the server. Thus the scheduler
> >     will not set the WWW-Authenticate response header and the client will disable mutual authentication.
> >     In order to achieve communication with the scheduler subject to confidentiality and integrity
> >     constraints the client must connect to the scheduler API via HTTPS. Kerberos is thus only
> >     used to authenticate the client to the server.
> >     """
> >     ```

Thanks, done.


> On April 1, 2015, 8:40 p.m., Kevin Sweeney wrote:
> > src/main/python/apache/aurora/common/auth/auth_module_manager.py, line 66
> > <https://reviews.apache.org/r/32541/diff/2/?file=909515#file909515line66>
> >
> >     Transport layer suggests TCP to me - consider clarifying with "Thrift transport layer"

Done.


> On April 1, 2015, 8:40 p.m., Kevin Sweeney wrote:
> > src/test/python/apache/aurora/client/api/test_scheduler_client.py, line 491
> > <https://reviews.apache.org/r/32541/diff/2/?file=909516#file909516line491>
> >
> >     consider using a mock instance of AuthBase here and elsewhere in this file - future readers might be confused as this is not a legal input type

Done.


- Maxim


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/32541/#review78573
-----------------------------------------------------------


On April 2, 2015, 1:10 a.m., Maxim Khutornenko wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/32541/
> -----------------------------------------------------------
> 
> (Updated April 2, 2015, 1:10 a.m.)
> 
> 
> Review request for Aurora, Kevin Sweeney and Brian Wickman.
> 
> 
> Bugs: AURORA-813
>     https://issues.apache.org/jira/browse/AURORA-813
> 
> 
> Repository: aurora
> 
> 
> Description
> -------
> 
> First take on client Kerberos support. The idea is to repurpose the existing auth_module system to support both legacy and Kerberos during the deprecation period. This way the 0.8.0 client will be able to talk to pre-0.8.0 scheduler and use SessionKey-based authorization. Later (in 0.9.0), the payload() will be removed along with SessionKey (AURORA-1229). That will let us get rid of SchedulerProxy (or reduce it substantially). The auth_module might stay though to support other auth plugins (e.g. requests-ntlm or requests-oauthlib).
> 
> TODO: integration e2e tests once scheduler side lands.
> 
> 
> Diffs
> -----
> 
>   3rdparty/python/requirements.txt 11a307cdb476ebcc25ab5c6b555bed29241ea988 
>   src/main/python/apache/aurora/client/api/__init__.py a81329f6f947bbea4001c3a521c1923410a51eab
>   src/main/python/apache/aurora/client/api/scheduler_client.py 95e553427492407743dcac31d70f392a7c1bbc02
>   src/main/python/apache/aurora/client/cli/BUILD c6b4e8a09d1315cf5defee2155a6e0c697892a30
>   src/main/python/apache/aurora/client/cli/client.py 24516d114db1743cdf600c542a27fcf5b68053a0
>   src/main/python/apache/aurora/common/auth/BUILD 966484627dab90e7606f1fc638cd0e159aee3317
>   src/main/python/apache/aurora/common/auth/__init__.py 3119fd63d3dfa28f93f219b23030059580fed098
>   src/main/python/apache/aurora/common/auth/auth_module.py 5f4116ef4cfbc407e0c50dc938870fb14e2299b4
>   src/main/python/apache/aurora/common/auth/auth_module_manager.py 73a8e5cd51edf694b971cd2c298ff406aff8c6d7
>   src/main/python/apache/aurora/common/auth/kerberos.py PRE-CREATION 
>   src/main/python/apache/aurora/common/transport.py 395f8a94d9a27aad00166a17f2528a8c0833ffdd
>   src/test/python/apache/aurora/client/api/test_scheduler_client.py 0a6194831c332a96eab62b869c4e05cfa9def058
>   src/test/python/apache/aurora/common/test_transport.py b78e0b3badfbbeecefff7b5954f3796cef4da9d8
> 
> Diff: https://reviews.apache.org/r/32541/diff/
> 
> 
> Testing
> -------
> 
> ./pants test.pytest --no-fast src/test/python:all
> ./src/test/sh/org/apache/aurora/e2e/test_end_to_end.sh
> 
> 
> Thanks,
> 
> Maxim Khutornenko
> 
>
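
Added example, not part of the original message and not Aurora or requests-kerberos code: a simplified model of the client-side decision the proposed comment describes, showing why a client that requires mutual authentication would reject a scheduler that never sends `WWW-Authenticate`, and what the client must enforce instead once mutual authentication is disabled. The names `MutualAuth`, `ResponseRejected`, `server_token`, `check_response` and the sample URLs and headers are hypothetical and constructed for illustration.

```python
from enum import Enum
from urllib.parse import urlsplit


class MutualAuth(Enum):
    REQUIRED = 1   # client insists the response proves the server's identity
    DISABLED = 2   # Kerberos authenticates the client to the server only


class ResponseRejected(Exception):
    """The client refuses to trust this response."""


def server_token(headers):
    """Return the token from 'WWW-Authenticate: Negotiate <token>', or None."""
    for name, value in headers.items():
        if name.lower() != "www-authenticate":
            continue
        for challenge in value.split(","):
            parts = challenge.strip().split(None, 1)
            if len(parts) == 2 and parts[0].lower() == "negotiate":
                return parts[1]
    return None


def check_response(url, headers, policy):
    """Return True if the response is acceptable under the given policy."""
    if policy is MutualAuth.REQUIRED:
        # Verifying the token needs the client's GSSAPI context, which is
        # outside this model; here we only check that a token was sent.
        # Even a valid token proves identity, not payload integrity.
        if server_token(headers) is None:
            raise ResponseRejected("no Negotiate token in response")
        return True
    # Mutual authentication disabled: server identity, confidentiality and
    # integrity all have to come from TLS, so plaintext HTTP is refused.
    if urlsplit(url).scheme != "https":
        raise ResponseRejected("plaintext transport with mutual auth disabled")
    return True


# Constructed sample: a scheduler response without WWW-Authenticate.
SCHEDULER_HEADERS = {"Content-Type": "application/x-thrift"}
HTTPS_URL = "https://scheduler.example.org/api"   # placeholder host
HTTP_URL = "http://scheduler.example.org/api"     # placeholder host

if __name__ == "__main__":
    print(check_response(HTTPS_URL, SCHEDULER_HEADERS, MutualAuth.DISABLED))
```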

