Subject: Re: Review Request 32541: Adding client Kerberos support.
From: "Maxim Khutornenko"
To: "Brian Wickman", "Kevin Sweeney"
Cc: "Aurora", "Maxim Khutornenko"
Date: Thu, 02 Apr 2015 01:25:30 -0000

> On April 1, 2015, 8:40 p.m., Kevin Sweeney wrote:
> > src/main/python/apache/aurora/common/auth/auth_kerberos.py, line 33
> >
> > An explanatory comment as to why we don't enable mutual authentication would be nice here, for example:
> >
> > ```
> > """
> > While SPNEGO supports mutual authentication of the response, it does not assert the validity of the response payload, only the identity of the server. Thus the scheduler will not set the WWW-Authenticate response header and the client will disable mutual authentication. In order to achieve communication with the scheduler subject to confidentiality and integrity constraints the client must connect to the scheduler API via HTTPS. Kerberos is thus only used to authenticate the client to the server.
> > """
> > ```

Thanks, done.

> On April 1, 2015, 8:40 p.m., Kevin Sweeney wrote:
> > src/main/python/apache/aurora/common/auth/auth_module_manager.py, line 66
> >
> > Transport layer suggests TCP to me - consider clarifying with "Thrift transport layer"

Done.

> On April 1, 2015, 8:40 p.m., Kevin Sweeney wrote:
> > src/test/python/apache/aurora/client/api/test_scheduler_client.py, line 491
> >
> > consider using a mock instance of AuthBase here and elsewhere in this file - future readers might be confused as this is not a legal input type

Done.

- Maxim

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/32541/#review78573
-----------------------------------------------------------

On April 2, 2015, 1:10 a.m., Maxim Khutornenko wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/32541/
> -----------------------------------------------------------
>
> (Updated April 2, 2015, 1:10 a.m.)
>
>
> Review request for Aurora, Kevin Sweeney and Brian Wickman.
>
>
> Bugs: AURORA-813
>     https://issues.apache.org/jira/browse/AURORA-813
>
>
> Repository: aurora
>
>
> Description
> -------
>
> First take on client kerberos support. The idea is to repurpose the existing auth_module system to support both legacy and kerberos during the deprecation period. This way the 0.8.0 client will be able to talk to pre-0.8.0 scheduler and use SessionKey-based authorization. Later (in 0.9.0), the payload() will be removed along with SessionKey (AURORA-1229). That will let us get rid of SchedulerProxy (or reduce it substantially). The auth_module might stay though to support other auth plugins (e.g. requests-ntlm or requests-oauthlib).
>
> TODO: integration e2e tests once scheduler side lands.
>
>
> Diffs
> -----
>
>   3rdparty/python/requirements.txt 11a307cdb476ebcc25ab5c6b555bed29241ea988
>   src/main/python/apache/aurora/client/api/__init__.py a81329f6f947bbea4001c3a521c1923410a51eab
>   src/main/python/apache/aurora/client/api/scheduler_client.py 95e553427492407743dcac31d70f392a7c1bbc02
>   src/main/python/apache/aurora/client/cli/BUILD c6b4e8a09d1315cf5defee2155a6e0c697892a30
>   src/main/python/apache/aurora/client/cli/client.py 24516d114db1743cdf600c542a27fcf5b68053a0
>   src/main/python/apache/aurora/common/auth/BUILD 966484627dab90e7606f1fc638cd0e159aee3317
>   src/main/python/apache/aurora/common/auth/__init__.py 3119fd63d3dfa28f93f219b23030059580fed098
>   src/main/python/apache/aurora/common/auth/auth_module.py 5f4116ef4cfbc407e0c50dc938870fb14e2299b4
>   src/main/python/apache/aurora/common/auth/auth_module_manager.py 73a8e5cd51edf694b971cd2c298ff406aff8c6d7
>   src/main/python/apache/aurora/common/auth/kerberos.py PRE-CREATION
>   src/main/python/apache/aurora/common/transport.py 395f8a94d9a27aad00166a17f2528a8c0833ffdd
>   src/test/python/apache/aurora/client/api/test_scheduler_client.py 0a6194831c332a96eab62b869c4e05cfa9def058
>   src/test/python/apache/aurora/common/test_transport.py b78e0b3badfbbeecefff7b5954f3796cef4da9d8
>
> Diff: https://reviews.apache.org/r/32541/diff/
>
>
> Testing
> -------
>
> ./pants test.pytest --no-fast src/test/python:all
> ./src/test/sh/org/apache/aurora/e2e/test_end_to_end.sh
>
>
> Thanks,
>
> Maxim Khutornenko
>
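
The reasoning in the suggested docstring (Kerberos authenticates only the client, HTTPS protects the payload) and the legacy/Kerberos coexistence plan in the description, as an added example that is not code from this review or from Aurora. The class names, the `session_settings` helper, the HTTPS check and the sample key are assumptions made for illustration; `HTTPKerberosAuth` and `DISABLED` come from the requests-kerberos package, which must be installed for the Kerberos path.

```python
from urllib.parse import urlsplit


class LegacyAuthModule:
    """Hypothetical legacy module: the credential rides in the RPC payload."""
    mechanism = "LEGACY"

    def payload(self):
        return "constructed-session-key"  # constructed placeholder, not a real key

    def auth(self, scheduler_url):
        return None  # no HTTP-level authentication is attached


class KerberosAuthModule:
    """Hypothetical Kerberos module: the credential rides in the Negotiate header."""
    mechanism = "KERBEROS"

    def payload(self):
        return ""  # kept only so both modules share one interface while payload() exists

    def auth(self, scheduler_url):
        # SPNEGO proves identity, not payload integrity, so confidentiality and
        # integrity must come from TLS. Refusing plain HTTP is this example's
        # own policy (an assumption, not something the review states is coded).
        if urlsplit(scheduler_url).scheme != "https":
            raise ValueError("Kerberos auth requires an https:// scheduler URL")
        from requests_kerberos import DISABLED, HTTPKerberosAuth  # third-party
        # The scheduler sets no WWW-Authenticate response header, so mutual
        # authentication of the response is disabled on the client.
        return HTTPKerberosAuth(mutual_authentication=DISABLED)


MODULES = {m.mechanism: m for m in (LegacyAuthModule(), KerberosAuthModule())}


def session_settings(mechanism, scheduler_url):
    """Return what the client attaches for one mechanism: a requests auth
    handler for the HTTP session and the payload for the RPC itself."""
    module = MODULES[mechanism]
    return {"auth": module.auth(scheduler_url), "payload": module.payload()}
```

The `auth` value is meant to be assigned to a `requests.Session().auth`, which is why a test double for it should be an `AuthBase` instance, as the third review comment asks.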