Posted to user@mesos.apache.org by "Kishchukov, Dmitrii (NIH/NLM/NCBI) [C]" <dm...@nih.gov> on 2018/12/06 17:28:38 UTC

FW: full Zookeeper authentication

Mesos allows using only the digest authentication scheme for Zookeeper, which is bad because Zookeeper has quite a flexible security model.
It is easy to make your own authenticator with its own scheme name.

To fully support Zookeeper authentication, Mesos has to pass two items into Zookeeper:
scheme and credentials.
Credentials can have a different format depending on the authentication scheme. For the digest scheme it is ‘login:password’.

All Mesos should do is just pass scheme and credentials to Zookeeper.

Another improvement might be to configure credentials via a file instead of the URI.

For example, it can be two command line options:
--zk_auth_scheme and --zk_auth_credentials

It can be used like this:
--zk_auth_scheme=some_custome_scheme --zk_auth_credentials=filename

--zk_auth_credentials can just get all contents of the file as the credentials string.

Class Authentication in Mesos already contains all that we need. The problem is what Mesos passes to the constructor.


--

Dmitrii Kishchukov.
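
The credentials-file handling proposed in the message above, as an added example that is not Mesos code and not from either poster. `ZkAuth` and `loadZkAuth` are hypothetical names; the permission check and the stripping of one trailing line ending are assumptions that go beyond the proposal.

```cpp
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

#include <string>

// Hypothetical holder for the two values the proposal hands to ZooKeeper.
struct ZkAuth {
  std::string scheme;       // "digest" or a custom authenticator's scheme name
  std::string credentials;  // opaque to the caller; "login:password" for digest
};

// Hypothetical loader: returns false and sets *error if the file is unusable.
bool loadZkAuth(const std::string& scheme, const std::string& path,
                ZkAuth* out, std::string* error) {
  if (scheme.empty()) { *error = "empty scheme"; return false; }

  int fd = ::open(path.c_str(), O_RDONLY | O_CLOEXEC);
  if (fd < 0) { *error = "cannot open credentials file"; return false; }

  // fstat the open descriptor so the check and the read see the same file.
  struct stat st;
  if (::fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
    ::close(fd); *error = "not a regular file"; return false;
  }
  // Assumption: a secret readable or writable by group/other is rejected.
  if (st.st_mode & (S_IRWXG | S_IRWXO)) {
    ::close(fd); *error = "credentials file is accessible to group/other";
    return false;
  }

  std::string data;
  char buf[4096];
  ssize_t n;
  while ((n = ::read(fd, buf, sizeof(buf))) > 0) data.append(buf, n);
  ::close(fd);
  if (n < 0) { *error = "read failed"; return false; }

  // Assumption: one trailing line ending is editor residue, not secret bytes.
  if (!data.empty() && data.back() == '\n') data.pop_back();
  if (!data.empty() && data.back() == '\r') data.pop_back();
  if (data.empty()) { *error = "empty credentials"; return false; }

  // The pair would then go to the ZooKeeper C client unchanged, e.g.
  // zoo_add_auth(zh, scheme, credentials.data(), credentials.size(), ...).
  out->scheme = scheme;
  out->credentials = data;
  return true;
}
```

Keeping the secret in a file rather than in the ZooKeeper URI also keeps it out of the process command line.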


Re: FW: full Zookeeper authentication

Posted by Vinod Kone <vi...@apache.org>.
Dmitrii.

That approach sounds reasonable. Would you like to work on this? Are you
looking for a reviewer/shepherd?

On Thu, Dec 6, 2018 at 11:28 AM Kishchukov, Dmitrii (NIH/NLM/NCBI) [C] <
dmitrii.kishchukov@nih.gov> wrote:

> Mesos allows using only the digest authentication scheme for Zookeeper, which
> is bad because Zookeeper has quite a flexible security model.
> It is easy to make your own authenticator with its own scheme name.
>
> To fully support Zookeeper authentication, Mesos has to pass two items into
> Zookeeper:
> scheme and credentials.
> Credentials can have a different format depending on the authentication scheme.
> For the digest scheme it is ‘login:password’.
>
> All Mesos should do is just pass scheme and credentials to Zookeeper.
>
> Another improvement might be to configure credentials via a file instead
> of the URI.
>
> For example, it can be two command line options:
> --zk_auth_scheme and --zk_auth_credentials
>
> It can be used like this:
> --zk_auth_scheme=some_custome_scheme --zk_auth_credentials=filename
>
> --zk_auth_credentials can just get all contents of the file as the credentials
> string.
>
> Class Authentication in Mesos already contains all that we need. The
> problem is what Mesos passes to the constructor.
>
>
> --
>
> Dmitrii Kishchukov.
>
>
