mesos-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bhuvan Arumugam <bhu...@apache.org>
Subject Re: Differentiate user requests & protobuf messages
Date Mon, 25 Aug 2014 18:26:33 GMT
We want t

On Mon, Aug 25, 2014 at 10:40 AM, Vinod Kone <vinodkone@gmail.com> wrote:
> Hey Bhuvan,
>
> The "ShutdownFramework" ACL is an example of authN/authZ of HTTP endpoint
> ("/shutdown") from a user perspective. Depending on what HTTP endpoints you
> are planning to auth we could conceivably add more ACLs or add a generic
> HTTP endpoint ACL. Of course this still doesn't give you sessions, caching,
> or encryption.

Vinod, we want to authenticate all web requests, all read-only.
Irrespective of the link/tabs we click {/slaves, /frameworks,
/offers}, server always return this json /master/state.json. The
angularjs does the filtering, based on the user action.

Based on what you say, looks like there are more HTTP endpoints (rw)
exposed to slaves and frameworks, like /shutdown. We don't want to
implement auth for these endpoints, atm.

That said, i think, we should authenticate /master/state.json only.
Can I assume, this can be implemented in Master::Http::state method,
using process::http::Request and process::http::Response? Or, does
slave/framework use /master/state.json endpoint? Any changes to this
method will not affect protobuf message exchange between master and
slave/framework, I think. Correct me if i'm wrong.

> On Fri, Aug 22, 2014 at 5:36 PM, Bhuvan Arumugam <bhuvan@apache.org> wrote:
>
>> Hello,
>>
>> We use auth/authz implementation for frameworks and slaves. They are
>> neat! This thread is about auth for web ui, between master and user.
>>
>> We are implementing authentication for master web ui (port: 5050). The
>> master seem to serve both user requests and protobuf messages from
>> slave & frameworks on same port. Right? We want to authenticate user
>> requests only. Is there a way to differentiate these messages?
>>
>> Based on how these messages can be differentiated, we are thinking to
>> run mesos master behind a proxy, apache or apache traffic server,
>> primarily for 2 reasons:
>>   1. authentication. The auth could be implemented through apache
>> module or ATS plugin.
>>   2. security. serve user requests through https.
>>
>> If we use ATS, it may also solve caching problem; but we aren't
>> solving this problem right now.
>>
>> Making changes to mesos to address these concern doesn't look neat.
>> Mesos seem to return complete json blob and all magic is done at the
>> client side, in angularjs. Mesos master isn't a full fletched http
>> server. It's not meant to keep track of user session; dealing with
>> http cookies/headers/redirection are non-trivial.
>>
>> Anyone running mesos master behind proxy, or solved same problem
>> differently?
>>
>> --
>> Regards,
>> Bhuvan Arumugam
>> www.livecipher.com
>>



-- 
Regards,
Bhuvan Arumugam
www.livecipher.com

Mime
View raw message