> On June 24, 2014, 2:58 a.m., Adam B wrote:
> > Not sure I like the combined JSON format, rather than multiple files with
> > plain-text formatting. I'm just thinking what if somebody wants
> > authentication for registration/http but not the other, or wants
> > principal/secret auth for one, but principal-only (implicit token, a la
> > kerberos/OAuth) for the other.
> > I guess 'secret' is optional, so you could still combine them and just
> > ignore the 'secret' sometimes, but then we'll need another differentiator
> > to specify what kind of authentication(s) to do.
>
> Benjamin Hindman wrote:
>     The plan was to ultimately get away from plain-text formatting. While
>     simpler, it's very implicit, hence the use of JSON to explicitly capture the
>     structure.
>
>     I agree that we'll need another differentiator for something like
>     Kerberos. The plan was to add more stuff to Credential, for example, one idea
>     is to add an 'optional bool kerberos' which if set to true assumes that there
>     is an implicit token that should be looked up.

Sounds reasonable to me. Just wanted to open up the discussion here and make sure we're not coding ourselves into a corner. The JSON format should be flexible enough to support multiple authentication types (even ones without explicit secrets), while being structured enough to explicitly capture the credential configurations better than plain-text.


> On June 24, 2014, 2:58 a.m., Adam B wrote:
> > include/mesos/mesos.proto, line 671
> > <https://reviews.apache.org/r/22222/diff/3/?file=614271#file614271line671>
> >
> >     "registration"? Since these credentials are currently used by the
> >     slave/framework to allow registration with the master?
>
> Benjamin Hindman wrote:
>     SGTM. The other suggestion was to call them 'sasl', since these are the
>     credentials that we're giving to the SASL Authenticator.

I think I prefer naming the credentials after their intended purpose (registration, http, zookeeper, etc.) rather than the authentication mechanism used, since sasl could potentially be used for multiple credential purposes, but a master/slave will only provide a single set of credentials for a particular purpose.


- Adam


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/22222/#review46508
-----------------------------------------------------------


On June 20, 2014, 11:08 a.m., Isabel Jimenez wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/22222/
> -----------------------------------------------------------
>
> (Updated June 20, 2014, 11:08 a.m.)
>
>
> Review request for mesos, Benjamin Hindman, Dominic Hamon, and Till Toenshoff.
>
>
> Bugs: MESOS-1391
>     https://issues.apache.org/jira/browse/MESOS-1391
>
>
> Repository: mesos-git
>
>
> Description
> -------
>
> After Ben's comments, regroup of all types of authentication in one common
> definition, this is a draft for this Issue, here are some questions:
>
> - Do I replace credentials flag completely or if this slight duplication will
>   suffice for now ?
> - If I don't replace it, for now as it is in this patch, the flag is useless,
>   I should give it to the sasl/authenticator but I would really appreciate some
>   comments for that part.
>
>
> Diffs
> -----
>
>   include/mesos/mesos.proto 2f6be05
>   src/Makefile.am b1b7d2d
>   src/credentials/credentials.hpp 98b9088
>   src/master/flags.hpp 47bb0dc
>   src/master/master.hpp b56e9f4
>   src/master/master.cpp dcf28ad
>   src/sasl/authenticator.hpp 365db5f
>   src/slave/flags.hpp 3b8ba08
>   src/slave/slave.cpp ed3483f
>   src/tests/authentication_tests.cpp 5cf2da4
>   src/tests/credentials_tests.cpp PRE-CREATION
>   src/tests/mesos.cpp 1037420
>
> Diff: https://reviews.apache.org/r/22222/diff/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Isabel Jimenez
>
>