Posted to issues@mesos.apache.org by "Adam B (JIRA)" <ji...@apache.org> on 2017/05/22 16:44:04 UTC
[jira] [Updated] (MESOS-7530) HTTP authenticators modules never get the realm they are registered for
[ https://issues.apache.org/jira/browse/MESOS-7530?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Adam B updated MESOS-7530:
--------------------------
Labels: mesosphere (was: )
> HTTP authenticators modules never get the realm they are registered for
> -----------------------------------------------------------------------
>
> Key: MESOS-7530
> URL: https://issues.apache.org/jira/browse/MESOS-7530
> Project: Mesos
> Issue Type: Bug
> Components: modules, security
> Affects Versions: 1.3.0
> Reporter: Alexander Rojas
> Labels: mesosphere
>
> When someone creates a module to provide an HTTP Authenticator, only in the master can it be registered for one of three realms:
> * {{READONLY_HTTP_AUTHENTICATION_REALM}}
> * {{READWRITE_HTTP_AUTHENTICATION_REALM}}
> * {{DEFAULT_HTTP_FRAMEWORK_AUTHENTICATION_REALM}}
> These realms are passed to the HTTP basic authenticator when it is constructed:
> {code}
> Result<process::http::authentication::Authenticator*> createBasicAuthenticator(
>     const string& realm,
>     const string& authenticatorName,
>     const Option<Credentials>& credentials)
> {
>   if (credentials.isNone()) {
>     return Error(
>         "No credentials provided for the default '" +
>         string(internal::DEFAULT_BASIC_HTTP_AUTHENTICATOR) +
>         "' HTTP authenticator for realm '" + realm + "'");
>   }
>   LOG(INFO) << "Creating default '"
>             << internal::DEFAULT_BASIC_HTTP_AUTHENTICATOR
>             << "' HTTP authenticator for realm '" << realm << "'";
>   return BasicAuthenticatorFactory::create(realm, credentials.get());
> }
> {code}
> However, modules don't get to configure their configured realm at construction, and the API doesn't allow changing that afterwards:
> {code}
> Result<process::http::authentication::Authenticator*> createCustomAuthenticator(
>     const string& realm,
>     const string& authenticatorName)
> {
>   if (!modules::ModuleManager::contains<
>         process::http::authentication::Authenticator>(authenticatorName)) {
>     return Error(
>         "HTTP authenticator '" + authenticatorName + "' not found. "
>         "Check the spelling (compare to '" +
>         string(internal::DEFAULT_BASIC_HTTP_AUTHENTICATOR) +
>         "') or verify that the authenticator was loaded "
>         "successfully (see --modules)");
>   }
>   LOG(INFO) << "Creating '" << authenticatorName << "' HTTP authenticator "
>             << "for realm '" << realm << "'";
>   return modules::ModuleManager::create<
>       process::http::authentication::Authenticator>(authenticatorName);
> }
> {code}
> Since the same authenticator module is used for all the realms, it is impossible to provide one authenticator per realm if using modules.
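An added illustration, not Mesos code and not part of the issue: a self-contained C++ model of the two factory shapes quoted above, showing what an authenticator loses when it is created without its realm. The realm names, principals, secrets and all function names are constructed for the example, and merging every realm's credentials is only one assumed way a realm-blind module might be configured.

```cpp
#include <map>
#include <string>

// Constructed model of the report's two factory shapes; not Mesos code.
using Credentials = std::map<std::string, std::string>;
using Policy = std::map<std::string, Credentials>;

struct Authenticator {
  std::string realm;        // empty if the factory never received one
  Credentials credentials;  // principal -> secret

  bool authenticate(const std::string& principal,
                    const std::string& secret) const {
    auto it = credentials.find(principal);
    return it != credentials.end() && it->second == secret;
  }
};

// Constructed per-realm policy: realm names and secrets are placeholders.
Policy policy() {
  Policy p;
  p["readonly"]["viewer"] = "v-secret";
  p["readonly"]["operator"] = "o-secret";
  p["readwrite"]["operator"] = "o-secret";
  return p;
}

// Module-style factory: no realm argument, so one configuration must
// serve every realm. Here it loads the union of all credentials.
Authenticator createWithoutRealm() {
  Authenticator a;
  for (const auto& entry : policy()) {
    a.credentials.insert(entry.second.begin(), entry.second.end());
  }
  return a;
}

// Realm-aware factory, the shape createBasicAuthenticator already has.
Authenticator createWithRealm(const std::string& realm) {
  return Authenticator{realm, policy().at(realm)};
}

// Is this login accepted on an endpoint bound to `realm`?
bool accepted(bool realmAware, const std::string& realm,
              const std::string& principal, const std::string& secret) {
  const Authenticator a =
      realmAware ? createWithRealm(realm) : createWithoutRealm();
  return a.authenticate(principal, secret);
}
```

In this model the read-only principal is rejected on the read-write realm only when the factory is told the realm; the realm-blind instance cannot tell the two endpoints apart.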