You are viewing a plain text version of this content. The canonical link for it is here.

Posted to reviews@aurora.apache.org by Brian Wickman <wi...@gmail.com> on 2014/01/09 19:38:53 UTC

Re: Review Request 16710: Support multiple simulataneous auth mechanisms.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/16710/#review31445
-----------------------------------------------------------


http://i.imgur.com/xVyoSl.jpg


src/main/java/org/apache/aurora/scheduler/thrift/aop/UserCapabilityInterceptor.java
<https://reviews.apache.org/r/16710/#comment59939>

    this confuses me -- isn't this doing the same thing as SessionKeyMechanismInterceptor?


- Brian Wickman


On Jan. 8, 2014, 12:45 a.m., Kevin Sweeney wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/16710/
> -----------------------------------------------------------
> 
> (Updated Jan. 8, 2014, 12:45 a.m.)
> 
> 
> Review request for Aurora, Suman Karumuri, Maxim Khutornenko, Bill Farner, and Brian Wickman.
> 
> 
> Repository: aurora
> 
> 
> Description
> -------
> 
> Support multiple simultaneous auth mechanisms.
> 
> Currently the SessionKey thrift struct has a mechanism field that the scheduler ignores. This change would make the scheduler enforce usage of this field and dispatch the choice of auth mechanism to an appropriately-registered handler. This change also adds a handler registry (via a MapBinder) to allow for independent auth subsystems to register without knowledge of each other. For example, an LDAP_SIMPLE_BIND mechanism might contact an SSO server and be used by human users while an OAUTH2 mechanism might be used by another service to perform automated quota management. Each of these subsystems could be enabled and configured independently and would coexist on the same cluster.
> 
> 
> Diffs
> -----
> 
>   src/main/java/org/apache/aurora/auth/UnsecureAuthModule.java 0248c95745fb49f92c1b0db08b878adf9f863a3f 
>   src/main/java/org/apache/aurora/scheduler/app/SchedulerMain.java c69a2a6c57139f0ad27b1084a24354b80d2465c6 
>   src/main/java/org/apache/aurora/scheduler/thrift/SchedulerThriftInterface.java c1a11bdb91c5e764864324d26248d1783af8048b 
>   src/main/java/org/apache/aurora/scheduler/thrift/aop/AopModule.java 7c29094c138238ddf0d34d9f795b8aea8f17b421 
>   src/main/java/org/apache/aurora/scheduler/thrift/aop/Interceptors.java ee22af10a469db1a3cc46d9092285977b5526f9e 
>   src/main/java/org/apache/aurora/scheduler/thrift/aop/LoggingInterceptor.java e66a885302c492b9669e9b526edd7f3c2e9f3ef7 
>   src/main/java/org/apache/aurora/scheduler/thrift/aop/SessionKeyMechanismInterceptor.java PRE-CREATION 
>   src/main/java/org/apache/aurora/scheduler/thrift/aop/UserCapabilityInterceptor.java 8e6e52d6418f5e6809f21b7ab83e6ead0f29be19 
>   src/main/java/org/apache/aurora/scheduler/thrift/auth/ThriftAuthModule.java 1de64bc608d7e0191f81986166504a182374ada9 
>   src/test/java/org/apache/aurora/scheduler/thrift/SchedulerThriftInterfaceTest.java 91c1c24448092e1b3454844ab8074ed030383594 
>   src/test/java/org/apache/aurora/scheduler/thrift/ThriftIT.java cce27a0e37452f370a3729b6b05bf0bea29f85f6 
>   src/test/java/org/apache/aurora/scheduler/thrift/aop/AopModuleTest.java b510bf1222961329c4eae0a17ff0dfb274ee55a8 
> 
> Diff: https://reviews.apache.org/r/16710/diff/
> 
> 
> Testing
> -------
> 
> ./gradlew build
> 
> 
> Thanks,
> 
> Kevin Sweeney
> 
>

Re: Review Request 16710: Support multiple simulataneous auth mechanisms.

Posted by Kevin Sweeney <ke...@apache.org>.


> On Jan. 9, 2014, 10:38 a.m., Brian Wickman wrote:
> > src/main/java/org/apache/aurora/scheduler/thrift/aop/UserCapabilityInterceptor.java, line 85
> > <https://reviews.apache.org/r/16710/diff/1/?file=418228#file418228line85>
> >
> >     this confuses me -- isn't this doing the same thing as SessionKeyMechanismInterceptor?

It is - except it's only configured to intercept "admin" methods (methods that come from AuroraAdmin but not any of its superclasses).


- Kevin


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/16710/#review31445
-----------------------------------------------------------


On Jan. 7, 2014, 4:45 p.m., Kevin Sweeney wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/16710/
> -----------------------------------------------------------
> 
> (Updated Jan. 7, 2014, 4:45 p.m.)
> 
> 
> Review request for Aurora, Suman Karumuri, Maxim Khutornenko, Bill Farner, and Brian Wickman.
> 
> 
> Repository: aurora
> 
> 
> Description
> -------
> 
> Support multiple simultaneous auth mechanisms.
> 
> Currently the SessionKey thrift struct has a mechanism field that the scheduler ignores. This change would make the scheduler enforce usage of this field and dispatch the choice of auth mechanism to an appropriately-registered handler. This change also adds a handler registry (via a MapBinder) to allow for independent auth subsystems to register without knowledge of each other. For example, an LDAP_SIMPLE_BIND mechanism might contact an SSO server and be used by human users while an OAUTH2 mechanism might be used by another service to perform automated quota management. Each of these subsystems could be enabled and configured independently and would coexist on the same cluster.
> 
> 
> Diffs
> -----
> 
>   src/main/java/org/apache/aurora/auth/UnsecureAuthModule.java 0248c95745fb49f92c1b0db08b878adf9f863a3f 
>   src/main/java/org/apache/aurora/scheduler/app/SchedulerMain.java c69a2a6c57139f0ad27b1084a24354b80d2465c6 
>   src/main/java/org/apache/aurora/scheduler/thrift/SchedulerThriftInterface.java c1a11bdb91c5e764864324d26248d1783af8048b 
>   src/main/java/org/apache/aurora/scheduler/thrift/aop/AopModule.java 7c29094c138238ddf0d34d9f795b8aea8f17b421 
>   src/main/java/org/apache/aurora/scheduler/thrift/aop/Interceptors.java ee22af10a469db1a3cc46d9092285977b5526f9e 
>   src/main/java/org/apache/aurora/scheduler/thrift/aop/LoggingInterceptor.java e66a885302c492b9669e9b526edd7f3c2e9f3ef7 
>   src/main/java/org/apache/aurora/scheduler/thrift/aop/SessionKeyMechanismInterceptor.java PRE-CREATION 
>   src/main/java/org/apache/aurora/scheduler/thrift/aop/UserCapabilityInterceptor.java 8e6e52d6418f5e6809f21b7ab83e6ead0f29be19 
>   src/main/java/org/apache/aurora/scheduler/thrift/auth/ThriftAuthModule.java 1de64bc608d7e0191f81986166504a182374ada9 
>   src/test/java/org/apache/aurora/scheduler/thrift/SchedulerThriftInterfaceTest.java 91c1c24448092e1b3454844ab8074ed030383594 
>   src/test/java/org/apache/aurora/scheduler/thrift/ThriftIT.java cce27a0e37452f370a3729b6b05bf0bea29f85f6 
>   src/test/java/org/apache/aurora/scheduler/thrift/aop/AopModuleTest.java b510bf1222961329c4eae0a17ff0dfb274ee55a8 
> 
> Diff: https://reviews.apache.org/r/16710/diff/
> 
> 
> Testing
> -------
> 
> ./gradlew build
> 
> 
> Thanks,
> 
> Kevin Sweeney
> 
>