You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@mesos.apache.org by Bhuvan Arumugam <bh...@apache.org> on 2014/08/23 02:36:06 UTC
Differentiate user requests & protobuf messages
Hello,
We use auth/authz implementation for frameworks and slaves. They are
neat! This thread is about auth for web ui, between master and user.
We are implementing authentication for master web ui (port: 5050). The
master seem to serve both user requests and protobuf messages from
slave & frameworks on same port. Right? We want to authenticate user
requests only. Is there a way to differentiate these messages?
Based on how these messages can be differentiated, we are thinking to
run mesos master behind a proxy, apache or apache traffic server,
primarily for 2 reasons:
1. authentication. The auth could be implemented through apache
module or ATS plugin.
2. security. serve user requests through https.
If we use ATS, it may also solve caching problem; but we aren't
solving this problem right now.
Making changes to mesos to address these concern doesn't look neat.
Mesos seem to return complete json blob and all magic is done at the
client side, in angularjs. Mesos master isn't a full fletched http
server. It's not meant to keep track of user session; dealing with
http cookies/headers/redirection are non-trivial.
Anyone running mesos master behind proxy, or solved same problem differently?
--
Regards,
Bhuvan Arumugam
www.livecipher.com
Re: Differentiate user requests & protobuf messages
Posted by Bhuvan Arumugam <bh...@apache.org>.
On Mon, Aug 25, 2014 at 5:03 PM, Vinod Kone <vi...@gmail.com> wrote:
> See my answers inline.
>
>
>> Based on what you say, looks like there are more HTTP endpoints (rw)
>> exposed to slaves and frameworks, like /shutdown. We don't want to
>> implement auth for these endpoints, atm.
>>
>
> Yes. There are more user visible endpoints. See "master:port/help" for the
> list of endpoints.
>
> That said, i think, we should authenticate /master/state.json only.
>> Can I assume, this can be implemented in Master::Http::state method,
>> using process::http::Request and process::http::Response? Or, does
>> slave/framework use /master/state.json endpoint? Any changes to this
>> method will not affect protobuf message exchange between master and
>> slave/framework, I think. Correct me if i'm wrong.
>>
>
> For authorizing static http endpoints, we could resurrect some code that
> didn't make it into 0.20.0. See the diff here (
> https://github.com/apache/mesos/commit/a5cc9b435aad080a79230f0366a6ce77116c95a4)
> and let me know if that is what you are looking for.
It's more for authorizing frameworks. We looking for authenticating
users for certain HTTP endpoints. If i understand right, the above
patch expect certain authz credentials like principal & role for
framework registration and principal & user for running tasks. For web
requests, i don't think angularJS is exchanging any credential or
query-param with master. It's always GET specific json.
We are thinking to solve this problem by running a proxy in front of
each mesos master and implement authN based on path and/or User-Agent.
We'll keep you posted if we want any changes to be made in mesos.
> Note, the HTTP endpoints exposed by master for web requests do not impact
> the internal HTTP endpoints used for communicating with frameworks/slaves.
Good to know. This will make our implementation simple, as we don't
want to authenticate HTTP requests from frameworks/slaves.
Thank you,
--
Regards,
Bhuvan Arumugam
www.livecipher.com
Re: Differentiate user requests & protobuf messages
Posted by Vinod Kone <vi...@gmail.com>.
See my answers inline.
> Based on what you say, looks like there are more HTTP endpoints (rw)
> exposed to slaves and frameworks, like /shutdown. We don't want to
> implement auth for these endpoints, atm.
>
Yes. There are more user visible endpoints. See "master:port/help" for the
list of endpoints.
That said, i think, we should authenticate /master/state.json only.
> Can I assume, this can be implemented in Master::Http::state method,
> using process::http::Request and process::http::Response? Or, does
> slave/framework use /master/state.json endpoint? Any changes to this
> method will not affect protobuf message exchange between master and
> slave/framework, I think. Correct me if i'm wrong.
>
For authorizing static http endpoints, we could resurrect some code that
didn't make it into 0.20.0. See the diff here (
https://github.com/apache/mesos/commit/a5cc9b435aad080a79230f0366a6ce77116c95a4)
and let me know if that is what you are looking for.
Note, the HTTP endpoints exposed by master for web requests do not impact
the internal HTTP endpoints used for communicating with frameworks/slaves.
Re: Differentiate user requests & protobuf messages
Posted by Bhuvan Arumugam <bh...@apache.org>.
We want t
On Mon, Aug 25, 2014 at 10:40 AM, Vinod Kone <vi...@gmail.com> wrote:
> Hey Bhuvan,
>
> The "ShutdownFramework" ACL is an example of authN/authZ of HTTP endpoint
> ("/shutdown") from a user perspective. Depending on what HTTP endpoints you
> are planning to auth we could conceivably add more ACLs or add a generic
> HTTP endpoint ACL. Of course this still doesn't give you sessions, caching,
> or encryption.
Vinod, we want to authenticate all web requests, all read-only.
Irrespective of the link/tabs we click {/slaves, /frameworks,
/offers}, server always return this json /master/state.json. The
angularjs does the filtering, based on the user action.
Based on what you say, looks like there are more HTTP endpoints (rw)
exposed to slaves and frameworks, like /shutdown. We don't want to
implement auth for these endpoints, atm.
That said, i think, we should authenticate /master/state.json only.
Can I assume, this can be implemented in Master::Http::state method,
using process::http::Request and process::http::Response? Or, does
slave/framework use /master/state.json endpoint? Any changes to this
method will not affect protobuf message exchange between master and
slave/framework, I think. Correct me if i'm wrong.
> On Fri, Aug 22, 2014 at 5:36 PM, Bhuvan Arumugam <bh...@apache.org> wrote:
>
>> Hello,
>>
>> We use auth/authz implementation for frameworks and slaves. They are
>> neat! This thread is about auth for web ui, between master and user.
>>
>> We are implementing authentication for master web ui (port: 5050). The
>> master seem to serve both user requests and protobuf messages from
>> slave & frameworks on same port. Right? We want to authenticate user
>> requests only. Is there a way to differentiate these messages?
>>
>> Based on how these messages can be differentiated, we are thinking to
>> run mesos master behind a proxy, apache or apache traffic server,
>> primarily for 2 reasons:
>> 1. authentication. The auth could be implemented through apache
>> module or ATS plugin.
>> 2. security. serve user requests through https.
>>
>> If we use ATS, it may also solve caching problem; but we aren't
>> solving this problem right now.
>>
>> Making changes to mesos to address these concern doesn't look neat.
>> Mesos seem to return complete json blob and all magic is done at the
>> client side, in angularjs. Mesos master isn't a full fletched http
>> server. It's not meant to keep track of user session; dealing with
>> http cookies/headers/redirection are non-trivial.
>>
>> Anyone running mesos master behind proxy, or solved same problem
>> differently?
>>
>> --
>> Regards,
>> Bhuvan Arumugam
>> www.livecipher.com
>>
--
Regards,
Bhuvan Arumugam
www.livecipher.com
Re: Differentiate user requests & protobuf messages
Posted by Vinod Kone <vi...@gmail.com>.
Hey Bhuvan,
The "ShutdownFramework" ACL is an example of authN/authZ of HTTP endpoint
("/shutdown") from a user perspective. Depending on what HTTP endpoints you
are planning to auth we could conceivably add more ACLs or add a generic
HTTP endpoint ACL. Of course this still doesn't give you sessions, caching,
or encryption.
On Fri, Aug 22, 2014 at 5:36 PM, Bhuvan Arumugam <bh...@apache.org> wrote:
> Hello,
>
> We use auth/authz implementation for frameworks and slaves. They are
> neat! This thread is about auth for web ui, between master and user.
>
> We are implementing authentication for master web ui (port: 5050). The
> master seem to serve both user requests and protobuf messages from
> slave & frameworks on same port. Right? We want to authenticate user
> requests only. Is there a way to differentiate these messages?
>
> Based on how these messages can be differentiated, we are thinking to
> run mesos master behind a proxy, apache or apache traffic server,
> primarily for 2 reasons:
> 1. authentication. The auth could be implemented through apache
> module or ATS plugin.
> 2. security. serve user requests through https.
>
> If we use ATS, it may also solve caching problem; but we aren't
> solving this problem right now.
>
> Making changes to mesos to address these concern doesn't look neat.
> Mesos seem to return complete json blob and all magic is done at the
> client side, in angularjs. Mesos master isn't a full fletched http
> server. It's not meant to keep track of user session; dealing with
> http cookies/headers/redirection are non-trivial.
>
> Anyone running mesos master behind proxy, or solved same problem
> differently?
>
> --
> Regards,
> Bhuvan Arumugam
> www.livecipher.com
>