You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@mesos.apache.org by "Alexander Rojas (JIRA)" <ji...@apache.org> on 2017/05/22 11:14:04 UTC

[jira] [Created] (MESOS-7530) HTTP authenticators modules never get the realm they are registered for

Alexander Rojas created MESOS-7530:
--------------------------------------

             Summary: HTTP authenticators modules never get the realm they are registered for
                 Key: MESOS-7530
                 URL: https://issues.apache.org/jira/browse/MESOS-7530
             Project: Mesos
          Issue Type: Bug
          Components: modules, security
    Affects Versions: 1.3.0
            Reporter: Alexander Rojas


When someone creates a module to provide HTTP Authenticator, only in the master it can be register for one of three realms:

* {{READONLY_HTTP_AUTHENTICATION_REALM}} 
* {{READWRITE_HTTP_AUTHENTICATION_REALM}}
* {{DEFAULT_HTTP_FRAMEWORK_AUTHENTICATION_REALM}}

These realms are passed to the HTTP basic authenticator when it is constructed:

{code}
Result<process::http::authentication::Authenticator*> createBasicAuthenticator(
    const string& realm,
    const string& authenticatorName,
    const Option<Credentials>& credentials)
{
  if (credentials.isNone()) {
    return Error(
        "No credentials provided for the default '" +
        string(internal::DEFAULT_BASIC_HTTP_AUTHENTICATOR) +
        "' HTTP authenticator for realm '" + realm + "'");
  }

  LOG(INFO) << "Creating default '"
            << internal::DEFAULT_BASIC_HTTP_AUTHENTICATOR
            << "' HTTP authenticator for realm '" << realm << "'";

  return BasicAuthenticatorFactory::create(realm, credentials.get());
}
{code}

However modules don't get to configure their configured realm at construction and the API doesn't allow to change that afterwards:

{code}
Result<process::http::authentication::Authenticator*> createCustomAuthenticator(
    const string& realm,
    const string& authenticatorName)
{
  if (!modules::ModuleManager::contains<
        process::http::authentication::Authenticator>(authenticatorName)) {
    return Error(
        "HTTP authenticator '" + authenticatorName + "' not found. "
        "Check the spelling (compare to '" +
        string(internal::DEFAULT_BASIC_HTTP_AUTHENTICATOR) +
        "') or verify that the authenticator was loaded "
        "successfully (see --modules)");
  }

  LOG(INFO) << "Creating '" << authenticatorName << "' HTTP authenticator "
            << "for realm '" << realm << "'";

  return modules::ModuleManager::create<
      process::http::authentication::Authenticator>(authenticatorName);
}
{code}

Since the same authenticator module is used for all the realms, it is impossible to provide one authenticator per realm if using modules.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)