Authentication for aurora scheduler webui

[Bhuvan Arumugam <bh...@apache.org>]

Hello,

This is similar to this thread [1], but for aurora scheduler. We are
implementing cookie based authentication for aurora scheduler (port:
8080). It is a single sign-on implementation. The unauthenticated
users will be redirected to a login service. After user is
successfully authenticated in the login service, a cookie will be
added in this domain. The cookie is validated against the login
service, before the page is rendered.

I wish to get input on the design we are planning to implement, for
aurora scheduler. Ideally, we want to grant access to aurora scheduler
only for authenticated users.

The requests are processed using jetty server and servlet container.
Precisely, they are processed using
org.apache.aurora.scheduler.http.JettyServerModule. The http handle
for every request are accessible from here. Most of requests, if not
all, are served by filter based handlers,
org.apache.aurora.scheduler.http.CorsFilter is one among many. The
doFilter() method is overridden in these filters.

To implement authentication, we'll fix the filters to deal with login
rediect, r/w cookie & validate the session. The filter would check for
the cookie. If auth cookie is not present, user will be redirected to
the auth service. If auth cookie is present, it'll be validated and
http filter will be processed.

The authentication hooks could be added in following filters:

  1. org.apache.aurora.scheduler.http.CorsFilter
  2. org.apache.aurora.scheduler.http.LeaderRedirectFilter
  3. org.apache.aurora.scheduler.http.AbstractFilter

Is there a better approach to implement authentication in aurora scheduler?

[1] http://mail-archives.apache.org/mod_mbox/incubator-aurora-dev/201408.mbox/%3CCAK0Yc077KshTifyB43X4%2BTp4OW15qrV3J4jpLR4v36v5yw181Q

Thank you,
-- 
Regards,
Bhuvan Arumugam
www.livecipher.com

Re: Authentication for aurora scheduler webui

[Bhuvan Arumugam <bh...@apache.org>]

On Thu, Aug 14, 2014 at 11:20 AM, Bill Farner <wf...@apache.org> wrote:
> Disclaimer: I am far from an expert in security.
>
> As for mechanics of where auth code should live, a new HTTP filter sounds
> like the best approach.
>
> Since the scheduler already does authentication for the API, ideally the
> mechanics of the two will be the same.  This might mean that the
> authentication you propose actually obviates the existing authentication.
>  However, i would like to avoid forcing the use of an *external* SSO
> server.  For example, if we proceed with kerberos integration, the browser
> might use SPNEGO to authenticat.  Point being that the interfaces we define
> should be generic enough to support that approach as well.

We are using SPNEGO based auth for aurora clients, using kerberos. It
is implemented as a separate filter. The web based authentication is
performed using cookies, for the same kerberos server. Originally, I
thought SPNEGO is supported only in Safari. Looks like browsers like
Firefox, Chrome also support SPNEGO. I'll investigate if it's feasible
to implement web based authentication using SPNEGO, instead of using
cookies with our authentication system. If it's true, we'll leverage
the auth filter we already use for authenticating cli client.

Thank you, Bill!

> -=Bill
>
>
> On Wed, Aug 13, 2014 at 1:35 PM, Bhuvan Arumugam <bh...@apache.org> wrote:
>
>> Hello,
>>
>> This is similar to this thread [1], but for aurora scheduler. We are
>> implementing cookie based authentication for aurora scheduler (port:
>> 8080). It is a single sign-on implementation. The unauthenticated
>> users will be redirected to a login service. After user is
>> successfully authenticated in the login service, a cookie will be
>> added in this domain. The cookie is validated against the login
>> service, before the page is rendered.
>>
>> I wish to get input on the design we are planning to implement, for
>> aurora scheduler. Ideally, we want to grant access to aurora scheduler
>> only for authenticated users.
>>
>> The requests are processed using jetty server and servlet container.
>> Precisely, they are processed using
>> org.apache.aurora.scheduler.http.JettyServerModule. The http handle
>> for every request are accessible from here. Most of requests, if not
>> all, are served by filter based handlers,
>> org.apache.aurora.scheduler.http.CorsFilter is one among many. The
>> doFilter() method is overridden in these filters.
>>
>> To implement authentication, we'll fix the filters to deal with login
>> rediect, r/w cookie & validate the session. The filter would check for
>> the cookie. If auth cookie is not present, user will be redirected to
>> the auth service. If auth cookie is present, it'll be validated and
>> http filter will be processed.
>>
>> The authentication hooks could be added in following filters:
>>
>>   1. org.apache.aurora.scheduler.http.CorsFilter
>>   2. org.apache.aurora.scheduler.http.LeaderRedirectFilter
>>   3. org.apache.aurora.scheduler.http.AbstractFilter
>>
>> Is there a better approach to implement authentication in aurora scheduler?
>>
>> [1]
>> http://mail-archives.apache.org/mod_mbox/incubator-aurora-dev/201408.mbox/%3CCAK0Yc077KshTifyB43X4%2BTp4OW15qrV3J4jpLR4v36v5yw181Q
>>
>> Thank you,
>> --
>> Regards,
>> Bhuvan Arumugam
>> www.livecipher.com
>>



-- 
Regards,
Bhuvan Arumugam
www.livecipher.com

Re: Authentication for aurora scheduler webui

[Bill Farner <wf...@apache.org>]

Disclaimer: I am far from an expert in security.

As for mechanics of where auth code should live, a new HTTP filter sounds
like the best approach.

Since the scheduler already does authentication for the API, ideally the
mechanics of the two will be the same.  This might mean that the
authentication you propose actually obviates the existing authentication.
 However, i would like to avoid forcing the use of an *external* SSO
server.  For example, if we proceed with kerberos integration, the browser
might use SPNEGO to authenticat.  Point being that the interfaces we define
should be generic enough to support that approach as well.


-=Bill


On Wed, Aug 13, 2014 at 1:35 PM, Bhuvan Arumugam <bh...@apache.org> wrote:

> Hello,
>
> This is similar to this thread [1], but for aurora scheduler. We are
> implementing cookie based authentication for aurora scheduler (port:
> 8080). It is a single sign-on implementation. The unauthenticated
> users will be redirected to a login service. After user is
> successfully authenticated in the login service, a cookie will be
> added in this domain. The cookie is validated against the login
> service, before the page is rendered.
>
> I wish to get input on the design we are planning to implement, for
> aurora scheduler. Ideally, we want to grant access to aurora scheduler
> only for authenticated users.
>
> The requests are processed using jetty server and servlet container.
> Precisely, they are processed using
> org.apache.aurora.scheduler.http.JettyServerModule. The http handle
> for every request are accessible from here. Most of requests, if not
> all, are served by filter based handlers,
> org.apache.aurora.scheduler.http.CorsFilter is one among many. The
> doFilter() method is overridden in these filters.
>
> To implement authentication, we'll fix the filters to deal with login
> rediect, r/w cookie & validate the session. The filter would check for
> the cookie. If auth cookie is not present, user will be redirected to
> the auth service. If auth cookie is present, it'll be validated and
> http filter will be processed.
>
> The authentication hooks could be added in following filters:
>
>   1. org.apache.aurora.scheduler.http.CorsFilter
>   2. org.apache.aurora.scheduler.http.LeaderRedirectFilter
>   3. org.apache.aurora.scheduler.http.AbstractFilter
>
> Is there a better approach to implement authentication in aurora scheduler?
>
> [1]
> http://mail-archives.apache.org/mod_mbox/incubator-aurora-dev/201408.mbox/%3CCAK0Yc077KshTifyB43X4%2BTp4OW15qrV3J4jpLR4v36v5yw181Q
>
> Thank you,
> --
> Regards,
> Bhuvan Arumugam
> www.livecipher.com
>