Posted to issues@mesos.apache.org by "Adam B (JIRA)" <ji...@apache.org> on 2017/05/22 16:44:04 UTC

[jira] [Updated] (MESOS-7530) HTTP authenticators modules never get the realm they are registered for

     [ https://issues.apache.org/jira/browse/MESOS-7530?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam B updated MESOS-7530:
--------------------------
    Labels: mesosphere  (was: )

> HTTP authenticators modules never get the realm they are registered for
> -----------------------------------------------------------------------
>
>                 Key: MESOS-7530
>                 URL: https://issues.apache.org/jira/browse/MESOS-7530
>             Project: Mesos
>          Issue Type: Bug
>          Components: modules, security
>    Affects Versions: 1.3.0
>            Reporter: Alexander Rojas
>              Labels: mesosphere
>
> When someone creates a module to provide an HTTP Authenticator, only in the master can it be registered for one of three realms:
> * {{READONLY_HTTP_AUTHENTICATION_REALM}} 
> * {{READWRITE_HTTP_AUTHENTICATION_REALM}}
> * {{DEFAULT_HTTP_FRAMEWORK_AUTHENTICATION_REALM}}
> These realms are passed to the HTTP basic authenticator when it is constructed:
> {code}
> Result<process::http::authentication::Authenticator*> createBasicAuthenticator(
>     const string& realm,
>     const string& authenticatorName,
>     const Option<Credentials>& credentials)
> {
>   if (credentials.isNone()) {
>     return Error(
>         "No credentials provided for the default '" +
>         string(internal::DEFAULT_BASIC_HTTP_AUTHENTICATOR) +
>         "' HTTP authenticator for realm '" + realm + "'");
>   }
>   LOG(INFO) << "Creating default '"
>             << internal::DEFAULT_BASIC_HTTP_AUTHENTICATOR
>             << "' HTTP authenticator for realm '" << realm << "'";
>   return BasicAuthenticatorFactory::create(realm, credentials.get());
> }
> {code}
> However, modules don't get to configure their configured realm at construction, and the API doesn't allow changing that afterwards:
> {code}
> Result<process::http::authentication::Authenticator*> createCustomAuthenticator(
>     const string& realm,
>     const string& authenticatorName)
> {
>   if (!modules::ModuleManager::contains<
>         process::http::authentication::Authenticator>(authenticatorName)) {
>     return Error(
>         "HTTP authenticator '" + authenticatorName + "' not found. "
>         "Check the spelling (compare to '" +
>         string(internal::DEFAULT_BASIC_HTTP_AUTHENTICATOR) +
>         "') or verify that the authenticator was loaded "
>         "successfully (see --modules)");
>   }
>   LOG(INFO) << "Creating '" << authenticatorName << "' HTTP authenticator "
>             << "for realm '" << realm << "'";
>   return modules::ModuleManager::create<
>       process::http::authentication::Authenticator>(authenticatorName);
> }
> {code}
> Since the same authenticator module is used for all the realms, it is impossible to provide one authenticator per realm if using modules.



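A self-contained sketch of the limitation reported above, added here as an illustration and not taken from the Mesos code base. `Authenticator`, `createRealmless`, `createForRealm`, the realm names and the credentials are simplified, hypothetical stand-ins: a factory that never sees the realm can only hand every realm the same configuration, while a realm-aware factory can scope credentials per realm.

```cpp
#include <map>
#include <string>

using Credentials = std::map<std::string, std::string>;  // principal -> secret

// Simplified stand-in for an HTTP authenticator; not the libprocess interface.
struct Authenticator {
  std::string realm;        // realm advertised in the 401 challenge
  Credentials credentials;  // principals this instance accepts

  std::string challenge() const { return "Basic realm=\"" + realm + "\""; }

  bool authenticate(const std::string& principal,
                    const std::string& secret) const {
    auto it = credentials.find(principal);
    // Plain comparison for brevity; real code should compare in constant time.
    return it != credentials.end() && it->second == secret;
  }
};

// Constructed per-realm configuration a module author might want to enforce.
static const std::map<std::string, Credentials> kPerRealm = {
    {"readonly", {{"viewer", "viewer-secret"}}},
    {"readwrite", {{"operator", "operator-secret"}}},
};

// Shape from the issue: the module factory is called without the realm, so
// every realm gets an identically configured instance (here: all credentials).
Authenticator createRealmless() {
  Credentials merged;
  for (const auto& entry : kPerRealm) {
    merged.insert(entry.second.begin(), entry.second.end());
  }
  return Authenticator{"unknown", merged};
}

// Realm-aware shape (hypothetical): the factory receives the realm and can
// select that realm's configuration only.
Authenticator createForRealm(const std::string& realm) {
  Authenticator a{realm, {}};
  auto it = kPerRealm.find(realm);
  if (it != kPerRealm.end()) a.credentials = it->second;
  return a;
}
```
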