Posted to user@mesos.apache.org by Devendra Ayalasomayajula <de...@nvidia.com> on 2017/10/20 21:54:33 UTC

RE: rotating secrets when authenticating framework

Corrected the subject

From: Devendra Ayalasomayajula
Sent: Friday, October 20, 2017 2:40 PM
To: user@mesos.apache.org
Subject: rotting secrets when authenticating framework

Hi,

The framework I am experimenting with is using MesosSchedulerDriver and I am planning to pass Credential. But if the secret is updated, how can the Credential that's passed to the driver be updated?
How to handle secrets with expiry?

Thank You
Devendra

Re: rotating secrets when authenticating framework

Posted by Adam Bordelon <ad...@mesosphere.io>.
In the v0 API:
If the secret updates, you will need to reauthenticate with the new
credentials and reregister, perhaps triggered by knowing when the secret
will expire.
Changing the principal in FrameworkInfo will require you to register as a
new framework_id until https://issues.apache.org/jira/browse/MESOS-2842 is
resolved.
Note that the Mesos master only validates the v0 scheduler credentials on
authentication (i.e. on scheduler or master failover), so the scheduler
could continue to function for weeks after the secret "expires" as long as
the scheduler doesn't have to (reauthenticate and) reregister.

In the v1 scheduler API:
Every request must include the credential, so requests with an expired
credential will fail.

On Tue, Oct 24, 2017 at 4:00 PM, Benjamin Mahler <bm...@apache.org> wrote:

> +adam, alexander
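
An added example, not part of the thread and not Mesos project code: one way a v0 framework could act on the reply above by restarting its driver when a secret file changes, so that it reauthenticates and reregisters instead of running on a stale secret. `CredentialRotator`, `make_driver`, the secret-file layout and `FakeDriver` are assumptions made for illustration.

```python
import hashlib


class CredentialRotator:
    """Restart a v0 scheduler driver whenever the secret file's content changes.

    make_driver(principal, secret) is a hypothetical factory owned by the
    framework. With the real bindings it would return a MesosSchedulerDriver
    built with a Credential and a FrameworkInfo that carries the existing
    framework id and a non-zero failover_timeout.
    """

    def __init__(self, principal, secret_path, make_driver):
        self.principal = principal   # kept fixed across rotations (MESOS-2842)
        self.secret_path = secret_path
        self.make_driver = make_driver
        self.driver = None
        self._digest = None          # hash of the secret the driver started with

    def poll(self):
        """Call periodically and ahead of a known expiry; True if (re)started."""
        with open(self.secret_path, "rb") as f:
            secret = f.read().strip()
        if not secret:
            return False             # empty or half-written file: keep current driver
        digest = hashlib.sha256(secret).digest()
        if digest == self._digest:
            return False
        if self.driver is not None:
            # failover=True keeps tasks running and lets the replacement
            # driver reregister within failover_timeout.
            self.driver.stop(True)
        self.driver = self.make_driver(self.principal, secret)
        self.driver.start()          # authenticates with the new secret
        self._digest = digest
        return True


class FakeDriver:
    """Constructed stand-in for MesosSchedulerDriver so the example runs offline."""

    def __init__(self, principal, secret):
        self.principal, self.secret = principal, secret
        self.started = False
        self.stopped_with_failover = None

    def start(self):
        self.started = True

    def stop(self, failover=False):
        self.stopped_with_failover = failover
```

Only the secret is rotated here; the principal stays the same, since the reply notes that changing it means registering under a new framework_id.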

Re: rotating secrets when authenticating framework

Posted by Benjamin Mahler <bm...@apache.org>.
+adam, alexander
