Posted to issues@mesos.apache.org by "Alexander Rojas (JIRA)" <ji...@apache.org> on 2017/04/28 11:35:04 UTC

[jira] [Comment Edited] (MESOS-7247) HTTP Authenticator modules should be able to redirect users

    [ https://issues.apache.org/jira/browse/MESOS-7247?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15988681#comment-15988681 ] 

Alexander Rojas edited comment on MESOS-7247 at 4/28/17 11:34 AM:
------------------------------------------------------------------

The reason the authenticator is not allowed to return any kind of response is that, if it could, anyone could write an authorizer to spoof messages, partially or completely, addressed to Mesos. I personally am not even very fond of the authorizer being able to read the whole message, and I would have preferred that it only had access to the headers.

At the same time, I don't think you are interested in returning all kinds of messages, so adding the option to return a 3XX message should be enough.



> HTTP Authenticator modules should be able to redirect users
> -----------------------------------------------------------
>
>                 Key: MESOS-7247
>                 URL: https://issues.apache.org/jira/browse/MESOS-7247
>             Project: Mesos
>          Issue Type: Improvement
>          Components: agent, libprocess, master
>            Reporter: Silas Snider
>            Assignee: Silas Snider
>              Labels: mesosphere
>
> Right now, Authenticator modules can only respond with an Unauthorized HTTP status code if they need to get auth information from the client. This works for Basic auth, but not for authentication types like OAuth, which expect the server to redirect the client to the right authorization provider URL.
> We should change AuthenticationResult to allow arbitrary HTTP responses to allow for more flexibility here.

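
The trade-off discussed in this thread (a module may answer with a 401 challenge or a 3XX redirect, but not with an arbitrary response) can be enforced by a filter between the module and the client. The sketch below is an added example, not Mesos or libprocess code; `ModuleResponse` and `filterModuleResponse` are hypothetical names, and header names are matched case-sensitively for brevity.

```cpp
#include <map>
#include <string>

// Hypothetical model of what an authenticator module hands back;
// these are not libprocess types.
struct ModuleResponse {
  int status;
  std::map<std::string, std::string> headers;
  std::string body;
};

// Returns true and fills `out` only for the two shapes the core is
// willing to forward: a 401 challenge or a 3XX redirect. Only the one
// header each shape needs is copied; the body is always dropped.
bool filterModuleResponse(const ModuleResponse& in, ModuleResponse* out) {
  const char* needed = nullptr;
  if (in.status == 401) {
    needed = "WWW-Authenticate";
  } else if (in.status >= 300 && in.status <= 399) {
    needed = "Location";
  } else {
    return false;  // e.g. a module-crafted 200 posing as a Mesos reply
  }

  std::map<std::string, std::string>::const_iterator it =
      in.headers.find(needed);
  if (it == in.headers.end() || it->second.empty()) {
    return false;  // a challenge or redirect without its header is useless
  }
  // Reject CR/LF so the value cannot smuggle extra header lines.
  if (it->second.find_first_of("\r\n") != std::string::npos) {
    return false;
  }

  const std::string value = it->second;  // copy first: `out` may alias `in`
  out->status = in.status;
  out->headers.clear();
  out->headers[needed] = value;
  out->body.clear();
  return true;
}
```

A caller that gets `false` would fall back to its own plain 401, so a faulty or malicious module cannot put other content on the wire.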