On Mon, Aug 25, 2014 at 10:40 AM, Vinod Kone <vinodk...@gmail.com> wrote:
> Hey Bhuvan,
>
> The "ShutdownFramework" ACL is an example of authN/authZ of an HTTP endpoint
> ("/shutdown") from a user perspective. Depending on what HTTP endpoints you
> are planning to auth we could conceivably add more ACLs or add a generic
> HTTP endpoint ACL. Of course this still doesn't give you sessions, caching,
> or encryption.

Vinod, we want to authenticate all web requests, all read-only. Irrespective
of the link/tabs we click {/slaves, /frameworks, /offers}, the server always
returns this JSON: /master/state.json. The AngularJS does the filtering, based
on the user action.

Based on what you say, it looks like there are more HTTP endpoints (rw) exposed
to slaves and frameworks, like /shutdown. We don't want to implement auth for
these endpoints atm. That said, I think we should authenticate
/master/state.json only. Can I assume this can be implemented in the
Master::Http::state method, using process::http::Request and
process::http::Response? Or does the slave/framework use the /master/state.json
endpoint? Any changes to this method will not affect the protobuf message
exchange between master and slave/framework, I think. Correct me if I'm wrong.

> On Fri, Aug 22, 2014 at 5:36 PM, Bhuvan Arumugam <bhu...@apache.org> wrote:
>
>> Hello,
>>
>> We use the auth/authz implementation for frameworks and slaves. They are
>> neat! This thread is about auth for the web UI, between master and user.
>>
>> We are implementing authentication for the master web UI (port: 5050). The
>> master seems to serve both user requests and protobuf messages from
>> slaves & frameworks on the same port. Right? We want to authenticate user
>> requests only. Is there a way to differentiate these messages?
>>
>> Based on how these messages can be differentiated, we are thinking of
>> running the mesos master behind a proxy, apache or apache traffic server,
>> primarily for 2 reasons:
>> 1. authentication. The auth could be implemented through an apache
>> module or ATS plugin.
>> 2. security. serve user requests through https.
>>
>> If we use ATS, it may also solve the caching problem; but we aren't
>> solving this problem right now.
>>
>> Making changes to mesos to address these concerns doesn't look neat.
>> Mesos seems to return a complete json blob and all the magic is done at the
>> client side, in angularjs. Mesos master isn't a full-fledged http
>> server. It's not meant to keep track of user sessions; dealing with
>> http cookies/headers/redirection is non-trivial.
>>
>> Anyone running mesos master behind a proxy, or solved the same problem
>> differently?
>>
>> --
>> Regards,
>> Bhuvan Arumugam
>> www.livecipher.com

--
Regards,
Bhuvan Arumugam
www.livecipher.com
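Added example, not from this thread or from the Mesos project: an Apache httpd 2.4 vhost that does what the message proposes, terminating HTTPS and requiring a login before forwarding only the UI and the read-only /master/state.json endpoint to a master on 127.0.0.1:5050. The hostname, certificate and htpasswd paths, and the /static/ asset prefix are assumptions.

```apache
# Added example, not from the thread. Needs mod_ssl, mod_proxy,
# mod_proxy_http, mod_auth_basic and mod_authn_file loaded.
# Create the user file once (path is an assumption):
#   htpasswd -c /etc/apache2/mesos.htpasswd alice
<VirtualHost *:443>
    # assumed hostname
    ServerName mesos.example.com

    # assumed certificate paths
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/mesos.crt
    SSLCertificateKeyFile /etc/ssl/private/mesos.key

    # Every request on this vhost needs a valid user. Slaves and frameworks
    # never come through here; they keep talking to port 5050 directly, so
    # the protobuf exchange is untouched. Restrict 5050 at the firewall to
    # slave and scheduler hosts, otherwise browsers can simply bypass the proxy.
    <Location "/">
        AuthType Basic
        AuthName "Mesos master"
        AuthUserFile /etc/apache2/mesos.htpasswd
        Require valid-user
    </Location>

    # Forward only what the UI needs: the index page, its static assets
    # (assumed to be served under /static/) and the one read-only endpoint
    # the UI polls. Read-write endpoints such as /shutdown are never mapped
    # to the master through this vhost.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPassMatch   "^/$"                "http://127.0.0.1:5050/"
    ProxyPass        "/static/"           "http://127.0.0.1:5050/static/"
    ProxyPassReverse "/static/"           "http://127.0.0.1:5050/static/"
    ProxyPass        "/master/state.json" "http://127.0.0.1:5050/master/state.json"
    ProxyPassReverse "/master/state.json" "http://127.0.0.1:5050/master/state.json"
</VirtualHost>
```

Basic auth over HTTPS still sends the password on every request, which is why the thread notes that sessions and caching are a separate problem from simply putting the master behind a proxy.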