mesos-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Greg Mann (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (MESOS-4902) Add authentication to libprocess endpoints
Date Thu, 21 Apr 2016 16:27:25 GMT

    [ https://issues.apache.org/jira/browse/MESOS-4902?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15242554#comment-15242554
] 

Greg Mann edited comment on MESOS-4902 at 4/21/16 4:26 PM:
-----------------------------------------------------------

Reviews here:
https://reviews.apache.org/r/46258/
https://reviews.apache.org/r/46259/
https://reviews.apache.org/r/46260/
https://reviews.apache.org/r/46261/
https://reviews.apache.org/r/46262/
https://reviews.apache.org/r/46497/

The above reviews take care of all listed endpoints except for {{/system/stats.json}}, which
has been deprecated (MESOS-2058).


was (Author: greggomann):
Reviews here:
https://reviews.apache.org/r/46258/
https://reviews.apache.org/r/46259/
https://reviews.apache.org/r/46260/
https://reviews.apache.org/r/46261/
https://reviews.apache.org/r/46262/

The above reviews take care of the {{/logging/toggle}} and {{/metrics/snapshot}} endpoints.
I'll wait to move this ticket to "Reviewable" until the rest of the patches are up.

> Add authentication to libprocess endpoints
> ------------------------------------------
>
>                 Key: MESOS-4902
>                 URL: https://issues.apache.org/jira/browse/MESOS-4902
>             Project: Mesos
>          Issue Type: Improvement
>          Components: HTTP API
>            Reporter: Greg Mann
>            Assignee: Greg Mann
>              Labels: authentication, http, mesosphere, security
>             Fix For: 0.29.0
>
>
> In addition to the endpoints addressed by MESOS-4850 and MESOS-5152, the following endpoints
would also benefit from HTTP authentication:
> * {{/profiler/*}}
> * {{/logging/toggle}}
> * {{/metrics/snapshot}}
> * {{/system/stats.json}}
> Adding HTTP authentication to these endpoints is a bit more complicated because they
are defined at the libprocess level.
> While working on MESOS-4850, it became apparent that since our tests use the same instance
of libprocess for both master and agent, different default authentication realms must be used
for master/agent so that HTTP authentication can be independently enabled/disabled for each.
> We should establish a mechanism for making an endpoint authenticated that allows us to:
> 1) Install an endpoint like {{/files}}, whose code is shared by the master and agent,
with different authentication realms for the master and agent
> 2) Avoid hard-coding a default authentication realm into libprocess, to permit the use
of different authentication realms for the master and agent and to keep application-level
concerns from leaking into libprocess
> Another option would be to use a single default authentication realm and always enable
or disable HTTP authentication for *both* the master and agent in tests. However, this wouldn't
allow us to test scenarios where HTTP authentication is enabled on one but disabled on the
other.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message