Rest API Authentication (1.5 Feature)

[John Omernik <jo...@omernik.com>]

Hey all,

I am not sure if I am jumping the gun on this, or if it's ok to ask a
question based on the MapR 1.4 Developer preview.

The feature that I am talking about is Authentication on the Rest API.
Basically, in the 1.4 Dev preview, the way it's done is through forms based
authentication. If this is how it is going to land in 1.5, I'd like to
discuss here, and perhaps open a JIRA for a small alteration.

Basically, the way it's setup now, if I want to say use Python Requests, I
have to create a cookie jar, auth with one request, and then keep the state
in the request.

What would be nice is using basic auth instead of forms auth. Then I can
include the auth credentials with the request, allowing for single request
API calls.  This will also play out as we use the API more for
administrative tasks (updating/creating storage plugins etc).

I don't mind keeping the forms based auth if no auth is provided (perhaps a
redirect to the login form) to keep it looking nice for Web UI users, but
if basic auth is supplied to allow that to be used instead of the forms
auth?

Basically, if there is a reason for not doing this, I wanted to test the
waters here, if no reason, I'll open a JIRA. I think it would simplify
programatic access down the road, and make the Rest API easier to program
to.

John

Re: Rest API Authentication (1.5 Feature)

[John Omernik <jo...@omernik.com>]

I'd like to open this discussion back up. I am working with a coworker who
pointed out that a REST service should be stateless (
https://en.wikipedia.org/wiki/Representational_state_transfer)  (relevant
quote: using a uniform and predefined set of stateless
<https://en.wikipedia.org/wiki/Stateless_protocol> operations.) That said,
I was explaining to him that I can see why Drill Rest was implemented like
this. It provides better functionality and allows for features more on par
with the JDBC and ODBC interfaces.  I also pointed out that, if you do an
auth call, you don't really have to mess with cookies, as long as you grab
the JSESSIONID returned in the cookies, you can just append that via
;jsessionid=$ID to every request and not have to format your cookies, seems
to work pretty well.

That said, I do think it makes sense to be able to provide a basic auth
header, and then a single request similar to what Venki suggested. It would
then be stateless (if you have to do a login request prior to your query
request, it's not really a stateless call)  and work as people would expect
a rest request to work.

Thoughts?

John


On Wed, Dec 23, 2015 at 12:26 PM, John Omernik <jo...@omernik.com> wrote:

> Ah that makes sense to me (to keep the session open for calls that may
> utilize more than a single request or change settings that need to persist
> from one call to the next).  Ya, I think the basic auth could be nice for
> single calls (in addition to the form based auth) Should I open a JIRA?
>
> On Wed, Dec 23, 2015 at 11:48 AM, Venki Korukanti <
> venki.korukanti@gmail.com> wrote:
>
>> I think it makes sense to have basic auth along with the form auth.
>> Currently we maintain the session which has DrillClient so that all user
>> options are preserved in the login session. In case of basic auth (which
>> are usually point API calls), we can create the DrillClient and destroy
>> after the call.
>>
>> On Wed, Dec 23, 2015 at 5:44 AM, John Omernik <jo...@omernik.com> wrote:
>>
>> > Hey all,
>> >
>> > I am not sure if I am jumping the gun on this, or if it's ok to ask a
>> > question based on the MapR 1.4 Developer preview.
>> >
>> > The feature that I am talking about is Authentication on the Rest API.
>> > Basically, in the 1.4 Dev preview, the way it's done is through forms
>> based
>> > authentication. If this is how it is going to land in 1.5, I'd like to
>> > discuss here, and perhaps open a JIRA for a small alteration.
>> >
>> > Basically, the way it's setup now, if I want to say use Python
>> Requests, I
>> > have to create a cookie jar, auth with one request, and then keep the
>> state
>> > in the request.
>> >
>> > What would be nice is using basic auth instead of forms auth. Then I can
>> > include the auth credentials with the request, allowing for single
>> request
>> > API calls.  This will also play out as we use the API more for
>> > administrative tasks (updating/creating storage plugins etc).
>> >
>> > I don't mind keeping the forms based auth if no auth is provided
>> (perhaps a
>> > redirect to the login form) to keep it looking nice for Web UI users,
>> but
>> > if basic auth is supplied to allow that to be used instead of the forms
>> > auth?
>> >
>> > Basically, if there is a reason for not doing this, I wanted to test the
>> > waters here, if no reason, I'll open a JIRA. I think it would simplify
>> > programatic access down the road, and make the Rest API easier to
>> program
>> > to.
>> >
>> > John
>> >
>>
>
>

Re: Rest API Authentication (1.5 Feature)

[John Omernik <jo...@omernik.com>]

Ah that makes sense to me (to keep the session open for calls that may
utilize more than a single request or change settings that need to persist
from one call to the next).  Ya, I think the basic auth could be nice for
single calls (in addition to the form based auth) Should I open a JIRA?

On Wed, Dec 23, 2015 at 11:48 AM, Venki Korukanti <venki.korukanti@gmail.com
> wrote:

> I think it makes sense to have basic auth along with the form auth.
> Currently we maintain the session which has DrillClient so that all user
> options are preserved in the login session. In case of basic auth (which
> are usually point API calls), we can create the DrillClient and destroy
> after the call.
>
> On Wed, Dec 23, 2015 at 5:44 AM, John Omernik <jo...@omernik.com> wrote:
>
> > Hey all,
> >
> > I am not sure if I am jumping the gun on this, or if it's ok to ask a
> > question based on the MapR 1.4 Developer preview.
> >
> > The feature that I am talking about is Authentication on the Rest API.
> > Basically, in the 1.4 Dev preview, the way it's done is through forms
> based
> > authentication. If this is how it is going to land in 1.5, I'd like to
> > discuss here, and perhaps open a JIRA for a small alteration.
> >
> > Basically, the way it's setup now, if I want to say use Python Requests,
> I
> > have to create a cookie jar, auth with one request, and then keep the
> state
> > in the request.
> >
> > What would be nice is using basic auth instead of forms auth. Then I can
> > include the auth credentials with the request, allowing for single
> request
> > API calls.  This will also play out as we use the API more for
> > administrative tasks (updating/creating storage plugins etc).
> >
> > I don't mind keeping the forms based auth if no auth is provided
> (perhaps a
> > redirect to the login form) to keep it looking nice for Web UI users, but
> > if basic auth is supplied to allow that to be used instead of the forms
> > auth?
> >
> > Basically, if there is a reason for not doing this, I wanted to test the
> > waters here, if no reason, I'll open a JIRA. I think it would simplify
> > programatic access down the road, and make the Rest API easier to program
> > to.
> >
> > John
> >
>

Re: Rest API Authentication (1.5 Feature)

[Venki Korukanti <ve...@gmail.com>]

I think it makes sense to have basic auth along with the form auth.
Currently we maintain the session which has DrillClient so that all user
options are preserved in the login session. In case of basic auth (which
are usually point API calls), we can create the DrillClient and destroy
after the call.

On Wed, Dec 23, 2015 at 5:44 AM, John Omernik <jo...@omernik.com> wrote:

> Hey all,
>
> I am not sure if I am jumping the gun on this, or if it's ok to ask a
> question based on the MapR 1.4 Developer preview.
>
> The feature that I am talking about is Authentication on the Rest API.
> Basically, in the 1.4 Dev preview, the way it's done is through forms based
> authentication. If this is how it is going to land in 1.5, I'd like to
> discuss here, and perhaps open a JIRA for a small alteration.
>
> Basically, the way it's setup now, if I want to say use Python Requests, I
> have to create a cookie jar, auth with one request, and then keep the state
> in the request.
>
> What would be nice is using basic auth instead of forms auth. Then I can
> include the auth credentials with the request, allowing for single request
> API calls.  This will also play out as we use the API more for
> administrative tasks (updating/creating storage plugins etc).
>
> I don't mind keeping the forms based auth if no auth is provided (perhaps a
> redirect to the login form) to keep it looking nice for Web UI users, but
> if basic auth is supplied to allow that to be used instead of the forms
> auth?
>
> Basically, if there is a reason for not doing this, I wanted to test the
> waters here, if no reason, I'll open a JIRA. I think it would simplify
> programatic access down the road, and make the Rest API easier to program
> to.
>
> John
>