You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@mesos.apache.org by "Alexander Rojas (JIRA)" <ji...@apache.org> on 2017/05/22 11:14:04 UTC
[jira] [Created] (MESOS-7530) HTTP authenticators modules never get
the realm they are registered for
Alexander Rojas created MESOS-7530:
--------------------------------------
Summary: HTTP authenticators modules never get the realm they are registered for
Key: MESOS-7530
URL: https://issues.apache.org/jira/browse/MESOS-7530
Project: Mesos
Issue Type: Bug
Components: modules, security
Affects Versions: 1.3.0
Reporter: Alexander Rojas
When someone creates a module to provide HTTP Authenticator, only in the master it can be register for one of three realms:
* {{READONLY_HTTP_AUTHENTICATION_REALM}}
* {{READWRITE_HTTP_AUTHENTICATION_REALM}}
* {{DEFAULT_HTTP_FRAMEWORK_AUTHENTICATION_REALM}}
These realms are passed to the HTTP basic authenticator when it is constructed:
{code}
Result<process::http::authentication::Authenticator*> createBasicAuthenticator(
const string& realm,
const string& authenticatorName,
const Option<Credentials>& credentials)
{
if (credentials.isNone()) {
return Error(
"No credentials provided for the default '" +
string(internal::DEFAULT_BASIC_HTTP_AUTHENTICATOR) +
"' HTTP authenticator for realm '" + realm + "'");
}
LOG(INFO) << "Creating default '"
<< internal::DEFAULT_BASIC_HTTP_AUTHENTICATOR
<< "' HTTP authenticator for realm '" << realm << "'";
return BasicAuthenticatorFactory::create(realm, credentials.get());
}
{code}
However modules don't get to configure their configured realm at construction and the API doesn't allow to change that afterwards:
{code}
Result<process::http::authentication::Authenticator*> createCustomAuthenticator(
const string& realm,
const string& authenticatorName)
{
if (!modules::ModuleManager::contains<
process::http::authentication::Authenticator>(authenticatorName)) {
return Error(
"HTTP authenticator '" + authenticatorName + "' not found. "
"Check the spelling (compare to '" +
string(internal::DEFAULT_BASIC_HTTP_AUTHENTICATOR) +
"') or verify that the authenticator was loaded "
"successfully (see --modules)");
}
LOG(INFO) << "Creating '" << authenticatorName << "' HTTP authenticator "
<< "for realm '" << realm << "'";
return modules::ModuleManager::create<
process::http::authentication::Authenticator>(authenticatorName);
}
{code}
Since the same authenticator module is used for all the realms, it is impossible to provide one authenticator per realm if using modules.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)