You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@mesos.apache.org by "Greg Mann (JIRA)" <ji...@apache.org> on 2016/03/09 20:55:40 UTC

[jira] [Updated] (MESOS-4902) Add authentication to agent endpoints /files, /profiler, and /logging

     [ https://issues.apache.org/jira/browse/MESOS-4902?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Greg Mann updated MESOS-4902:
-----------------------------
    Description: 
Adding HTTP authentication to these endpoints is a bit more complicated than is  {{/profiler}} and {{/logging}} endpoints are defined at the libprocess level, while {{/files}} is defined in code that is shared by the master and agent.

While working on MESOS-4850, it became apparent that since our tests use the same instance of libprocess for both master and agent, different default authentication realms must be used for master/agent so that HTTP authentication can be independently enabled/disabled for each.

We should establish a mechanism for making an endpoint authenticated that allows us to:
1) Install an endpoint like {{/files}} with different authentication realms for the master and agent
2) Avoid hard-coding a default authentication realm into libprocess, again to permit the use of different authentication realms for the master and agent

Another option would be to use a single default authentication realm and always enable or disable HTTP authentication for *both* the master and agent in tests. However, this wouldn't allow us to test scenarios where HTTP authentication is enabled on one but disabled on the other.

  was:
Adding HTTP authentication to these endpoints is a bit more complicated than is the case for the existing authenticated endpoints. {{/profiler}} and {{/logging}} endpoints are defined at the libprocess level, while {{/files}} is defined in code that is shared by the master and agent.

While working on MESOS-4850, it became apparent that since our tests use the same instance of libprocess for both master and agent, different default authentication realms must be used for master/agent so that HTTP authentication can be independently enabled/disabled for each.

We should establish a mechanism for making an endpoint authenticated that allows us to:
1) Install an endpoint like {{/files}} with different authentication realms for the master and agent
2) Avoid hard-coding a default authentication realm into libprocess, again to permit the use of different authentication realms for the master and agent

Another option would be to use a single default authentication realm and always enable or disable HTTP authentication for *both* the master and agent in tests. However, this wouldn't allow us to test scenarios where HTTP authentication is enabled on one but disabled on the other.


> Add authentication to agent endpoints /files, /profiler, and /logging
> ---------------------------------------------------------------------
>
>                 Key: MESOS-4902
>                 URL: https://issues.apache.org/jira/browse/MESOS-4902
>             Project: Mesos
>          Issue Type: Improvement
>          Components: HTTP API
>            Reporter: Greg Mann
>              Labels: authentication, http, mesosphere
>
> Adding HTTP authentication to these endpoints is a bit more complicated than is  {{/profiler}} and {{/logging}} endpoints are defined at the libprocess level, while {{/files}} is defined in code that is shared by the master and agent.
> While working on MESOS-4850, it became apparent that since our tests use the same instance of libprocess for both master and agent, different default authentication realms must be used for master/agent so that HTTP authentication can be independently enabled/disabled for each.
> We should establish a mechanism for making an endpoint authenticated that allows us to:
> 1) Install an endpoint like {{/files}} with different authentication realms for the master and agent
> 2) Avoid hard-coding a default authentication realm into libprocess, again to permit the use of different authentication realms for the master and agent
> Another option would be to use a single default authentication realm and always enable or disable HTTP authentication for *both* the master and agent in tests. However, this wouldn't allow us to test scenarios where HTTP authentication is enabled on one but disabled on the other.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)