Posted to dev@mesos.apache.org by "Vinod Kone (JIRA)" <ji...@apache.org> on 2014/05/19 21:20:39 UTC

[jira] [Commented] (MESOS-1383) Expose the authenticated principal through Authenticator::authenticate() result

    [ https://issues.apache.org/jira/browse/MESOS-1383?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14002206#comment-14002206 ] 

Vinod Kone commented on MESOS-1383:
-----------------------------------

SGTM.

> Expose the authenticated principal through Authenticator::authenticate() result
> -------------------------------------------------------------------------------
>
>                 Key: MESOS-1383
>                 URL: https://issues.apache.org/jira/browse/MESOS-1383
>             Project: Mesos
>          Issue Type: Task
>            Reporter: Yan Xu
>            Assignee: Yan Xu
>
> Currently Authenticator doesn't tell Master about the principal of the Authenticatee it just successfully authenticated.
> To reliably capture the user name, we should save the username from a *successful* [CRAM-MD5 response|http://tools.ietf.org/html/draft-ietf-sasl-crammd5-10#section-2].
> The proposed API change:
> {{process::Future<bool> Authenticator::authenticate()}} -> {{process::Future<Option<string>> Authenticator::authenticate()}}
> Return value:
> - Upon successful authentication, the principal of the Authenticatee is returned (previously 'true').
> - None is returned if the authentication is unsuccessful due to an incorrect credential (previously 'false').
> - A Failed future is returned for other failure cases, same as before.
> During interaction with SASL the best way I've found to expose the username is through the {{SASL_CB_CANON_USER}} callback.
> {noformat:title=SASL_CB_CANON_USER definition}
> SASL_CB_CANON_USER
> Calls an application-supplied user canonicalization function.
> SASL calls this function before doing anything with a username.
> {noformat}
> Inside this callback I can save the username the Authenticatee provides and then return the exact username as the canonicalized username. This is admittedly not the intended use of the callback but I can't find anything better and this doesn't seem to have any issue: if the authentication fails, this username is not returned to the caller of {{Authenticator::authenticate()}} (i.e. Master). 



--
This message was sent by Atlassian JIRA
(v6.2#6252)
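
The return contract proposed in the quoted issue, modelled as an added example; it is not code from the original message or from Mesos. It does not link against libsasl2: `kOk`, `kBufOver`, `Captured`, `canonUser`, `Step` and the `verify` callable are hypothetical stand-ins, `std::optional` stands in for `Option<string>`, and an exception stands in for a Failed future.

```cpp
#include <cstring>
#include <functional>
#include <optional>
#include <stdexcept>
#include <string>

// Local stand-ins so the block builds without libsasl2 (assumed names).
constexpr int kOk = 0, kBufOver = -3;

// State shared between the callback and the authenticator (hypothetical).
struct Captured { std::optional<std::string> candidate; };

// Shaped like a canon-user callback: pass the name through unchanged and
// remember it. It runs before verification, so the name is still unverified.
int canonUser(void* context, const char* in, unsigned inlen,
              char* out, unsigned outMax, unsigned* outLen) {
  if (inlen >= outMax) return kBufOver;  // never overrun the output buffer
  std::memcpy(out, in, inlen);
  out[inlen] = '\0';
  *outLen = inlen;
  static_cast<Captured*>(context)->candidate = std::string(in, inlen);
  return kOk;
}

enum class Step { Ok, BadCredential, Error };  // outcome of the exchange

// Model of the proposed authenticate(): principal on success, nullopt on a
// rejected credential, exception (standing in for a Failed future) otherwise.
std::optional<std::string> authenticate(
    const std::string& user,
    const std::function<Step(const std::string&)>& verify) {
  Captured state;  // per-attempt, so a stale name cannot leak across attempts
  char canonical[256];
  unsigned len = 0;
  if (canonUser(&state, user.data(), static_cast<unsigned>(user.size()),
                canonical, sizeof(canonical), &len) != kOk)
    throw std::runtime_error("canonicalization failed");
  switch (verify(std::string(canonical, len))) {
    case Step::Ok: return state.candidate;  // released only after success
    case Step::BadCredential: return std::nullopt;
    default: throw std::runtime_error("SASL error");
  }
}
```

The captured name stays inside `authenticate()` until the exchange reports success, which is the property the issue relies on when it repurposes the canonicalization callback.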