aurora-reviews mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Giulio Eulisse <giulio.euli...@cern.ch>
Subject Re: Review Request 51893: Allow cookie based authentication
Date Sat, 15 Oct 2016 07:29:00 GMT


> On Oct. 6, 2016, 4:46 p.m., Stephan Erb wrote:
> > docs/operations/security.md, line 181
> > <https://reviews.apache.org/r/51893/diff/12/?file=1525261#file1525261line181>
> >
> >     Does this require modifications of the scheduler? How does it pick up the necessary
information in your implementation?
> 
> Giulio Eulisse wrote:
>     No modification to the scheduler is required. The frontend adds a few HTTP headers
for autheticated users which contain login and groups they belong to. The headers can eventually
be used by a Shiro plugin which extracts authentication information and applies authorization
rules. The frontend and the scheduler are on the same machine and only the frontend can talk
to the backend, hence we are guaranteed that the headers cannot be spoofed.
> 
> David McLaughlin wrote:
>     It's a little concerning to only add support to the client, it sends a false message
to anyone reading the code or documentation that we have first-class support for cookies.
It would be analogous to only adding Kerberos support to the client and assuming some Shiro
plugin handles the Kerberos logic in the Scheduler. 
>     
>     You can also achieve what you're doing here with a custom client plugin and an internal
build. This is what we do at Twitter for things that are specific to our deployment.
> 
> David McLaughlin wrote:
>     For some reason this conversation moved to e-mail. Giulio's response to my concern
was:
>     
>     > IMHO, this is analogous to having basic auth authentication, but restricting
access to the backend by having the frontend only allowing requests signed by certificates
emitted by a given CA. You would still be using Basic-Auth, however you’d need the right
certificate to be used by the client when doing a request.
>     
>     > This is exactly the same, just with a cookie in place of the certificate.
>     
>     > What would you consider "first class cookie support"?
>     
>     As a user I would expect the Scheduler to provide a CookieAuth module. The scheduler
would create a cookie and know how to extract the user from it when it's sent with the request.
> 
> Giulio Eulisse wrote:
>     Ok. I see what you mean. However what you propose would not solve my issue. As a
user I need to pass a cookie to be able to go through the frontend and reach the scheduler
in the first place. Basically what I am after is the ability to decorate client requests with
a cookie (and eventually a certificate) so that I can be authenticated by the frontend and
reach the scheduler. Notice that as a Aurora Scheduler operator I've no control on the frontend
which is managed at a different level by a completely different group within our organization.
Maybe I should rename the auth_method to "EXTERNAL_COOKIE" to be more explicit? Or maybe,
rather then using auth_method I should use a different configuration option (e.g. http_frontend_cookie)?
> 
> David McLaughlin wrote:
>     So, it really sounds like this is organizational specific logic and I think it belongs
in a custom build of the Aurora client. I'm not sure if we document how to do that anywhere?
But we do this at Twitter for a whole bunch of stuff. I can create a ticket to document this
somewhere if it doesn't exist.
> 
> Giulio Eulisse wrote:
>     Ok, I can do the custom build of the aurora client, a pointer to instructions is
indeed welcome, thank you in advance if you can find the time to document that. Right now
I simply copy aurora.pex and aurora_admin.pex to PATH.
>     
>     That said, I am surprised this kind of pattern (a frontend doing the authentication
a backend which gets the authenticated requests securely) is considered as "organizational
specific logic" rather than a reasonably common practice (at least in my personal experience).
> 
> David McLaughlin wrote:
>     I added a review for the documentation. 
>     
>     I still feel pretty strongly with what I said above, but if others feel like this
is harmless and the use-case of a proxy that handles cookie management is common enough, then
I'll withdraw my concern.

Thanks!

Ok, fair enough, I will look into your suggestion. If there is anything I can do to make this
review look more attractive, I am happy to amend it.


- Giulio


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/51893/#review151674
-----------------------------------------------------------


On Oct. 14, 2016, 12:40 p.m., Giulio Eulisse wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/51893/
> -----------------------------------------------------------
> 
> (Updated Oct. 14, 2016, 12:40 p.m.)
> 
> 
> Review request for Aurora, Joshua Cohen and Stephan Erb.
> 
> 
> Repository: aurora
> 
> 
> Description
> -------
> 
> Allow cookie based authentication
> 
> This allows aurora client to connect to servers which are behind a frontend which expects
some sort of cookie to autheticate and authorize users. The cookie should be stored in MozillanCookieJar
format in a file named `~/.aurora-token`.
> 
> 
> Diffs
> -----
> 
>   RELEASE-NOTES.md 1819eaa20cf5014228643a1e120316d646cc2824 
>   docs/operations/security.md 46e0b8a9db654f52467f9adf36307a6a97a7a3ec 
>   src/main/python/apache/aurora/admin/aurora_admin.py fbebbab8c827b5695042d18770d850e31fc38122

>   src/main/python/apache/aurora/client/cli/client.py fa0c2648c5ff7ea6c9d949cf8cd9b9795d452e98

>   src/main/python/apache/aurora/common/cookie_auth_module.py PRE-CREATION 
>   src/test/python/apache/aurora/common/test_cookie_auth_module.py PRE-CREATION 
> 
> Diff: https://reviews.apache.org/r/51893/diff/
> 
> 
> Testing
> -------
> 
> $ cat ~/aurora/clusters.json
> [
> {
>   "name": "build",
>   "scheduler_uri": "https://aliaurora.cern.ch",
>   "auth_mechanism": "COOKIE"
> }
> ]
> $ dist/aurora.pex quota get build/root
> 
> 
> Thanks,
> 
> Giulio Eulisse
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message