On Tue, Mar 15, 2016 at 6:10 PM, Gilbert Song <gilb...@mesosphere.io> wrote:
> @Kevin, thanks for writing it down in detail. It sounds good that a more
> concrete schema is designed to generally solve similar auth problems.
>
> Just have two potential issues inlined below:
>
> On Tue, Mar 15, 2016 at 5:39 PM, Kevin Klues <klue...@gmail.com> wrote:
>>
>> Yeah, option 2.
>>
>> I was trying to expand on Avinash's suggestion and make it a bit more
>> concrete in terms of what was being proposed. Needing to reload the
>> agent just to update the list of credentials it accepts seems
>> undesirable though.
>>
>> Maybe we could have a way to start the agent with a default config (by
>> iterating on the schema from my previous email), but allow newly
>> launched frameworks to somehow update the config on the fly through a
>
>
> Will it be too expensive to update all agents every time a new framework
> joins (handling consensus problem as well)?

Not sure, I haven't thought about it in depth. What I was picturing
though was something exactly like what you describe for how the docker
containerizer currently solves this problem, except instead of using
docker/config.json directly, use a new credentials.json file which
follows a schema similar to what I proposed above.

>>
>> file in their sandbox that follows the same schema.
>
>
> Does that mean the file in sandbox should be exposed to each other?
>
>>
>> On Tue, Mar 15, 2016 at 5:25 PM, Jie Yu <yujie....@gmail.com> wrote:
>> > Kevin, are you suggesting option 2 and having a config file like the
>> > above?
>> >
>> > I think another downside of a per-agent config is that it's hard to
>> > maintain this. What if a new framework joins and has a new credential
>> > for the docker images? Do we need to restart the agent to reload the config?
>> >
>> > - Jie
>> >
>> > On Tue, Mar 15, 2016 at 1:25 PM, Kevin Klues <klue...@gmail.com> wrote:
>> >
>> >> Can we be a bit more concrete here and try to build up a schema for
>> >> this? Maybe something like:
>> >>
>> >> [
>> >>   {
>> >>     "service" : "docker",
>> >>     "registries" :
>> >>     [
>> >>       {
>> >>         "uri" : "<uri>",
>> >>         "default_credentials" :
>> >>         {
>> >>           "type" : "<type>",
>> >>           "credential" :
>> >>           {
>> >>             // Custom based on type...
>> >>           }
>> >>         },
>> >>         "image_credentials" :
>> >>         [
>> >>           {
>> >>             "image_name" : "<image_name>",
>> >>             "type" : "<type>",
>> >>             "credential" :
>> >>             {
>> >>               // Custom based on type...
>> >>             }
>> >>           },
>> >>           ...
>> >>         ]
>> >>       },
>> >>       ...
>> >>     ]
>> >>     ...
>> >>   },
>> >>   ...
>> >> ]
>> >>
>> >>
>> >> On Tue, Mar 15, 2016 at 12:57 PM, Jie Yu <yujie....@gmail.com> wrote:
>> >> >>
>> >> >> Yeah I was thinking having the JSON as a dictionary with keys being
>> >> >> the registry URI (appc/docker) and the values being credentials (which
>> >> >> will be a dictionary as well I guess).
>> >> >
>> >> >
>> >> > Using registry URI as the key is problematic. Think about the public
>> >> > docker hub. Different frameworks might want to use different credentials
>> >> > to access their docker images.
>> >> >
>> >> > - Jie
>> >> >
>> >> > On Tue, Mar 15, 2016 at 11:52 AM, Avinash Sridharan <avin...@mesosphere.io> wrote:
>> >> >
>> >> >> On Tue, Mar 15, 2016 at 11:43 AM, Vinod Kone <vinodk...@apache.org> wrote:
>> >> >>
>> >> >> > moved core@ to *bcc*
>> >> >> >
>> >> >> > On Tue, Mar 15, 2016 at 11:18 AM, Avinash Sridharan <avin...@mesosphere.io> wrote:
>> >> >> >
>> >> >> >> Why not follow option 2, but instead of passing the agent
>> >> >> >> credentials, pass a location to the flag where credentials for the
>> >> >> >> registry can be found (in JSON)? The frameworks can set credentials
>> >> >> >> (maybe registry name or URL to the registry), and the credentials
>> >> >> >> can be learnt from the JSON config.
>> >> >> >>
>> >> >> >
>> >> >> > What if we need credentials for multiple registries? Have a JSON
>> >> >> > with one credential per registry I guess? But if possible, I would
>> >> >> > love to solve this as generally as possible; as Gilbert mentioned,
>> >> >> > this is not a problem just for Docker images but any URIs that need
>> >> >> > AuthN.
>> >> >> >
>> >> >> Yeah I was thinking having the JSON as a dictionary with keys being
>> >> >> the registry URI (appc/docker) and the values being credentials (which
>> >> >> will be a dictionary as well I guess).
>> >> >>
>> >> >>
>> >> >> --
>> >> >> Avinash Sridharan, Mesosphere
>> >> >> +1 (323) 702 5245
>> >> >>
>> >>
>> >>
>> >>
>> >> --
>> >> ~Kevin
>> >>
>>
>>
>>
>> --
>> ~Kevin
>
>



-- 
~Kevin
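
A credential lookup over the schema sketched earlier in this thread, as an added example that is not part of any message here and is not Mesos code. It reads the schema as a top-level list of service entries with each registry as an object; the function name resolve_credential, the "basic" type with username/password fields, and the registry.example.test URI are assumptions made for illustration.

```python
import json

# Constructed sample following the schema sketched in the thread; the "basic"
# type and its username/password fields are assumptions, not from the thread.
SAMPLE = json.loads("""
[
  {
    "service": "docker",
    "registries": [
      {
        "uri": "https://registry.example.test",
        "default_credentials": {
          "type": "basic",
          "credential": {"username": "shared-ro", "password": "PLACEHOLDER-1"}
        },
        "image_credentials": [
          {
            "image_name": "team-a/app",
            "type": "basic",
            "credential": {"username": "team-a", "password": "PLACEHOLDER-2"}
          }
        ]
      }
    ]
  }
]
""")


def resolve_credential(config, service, registry_uri, image_name):
    """Return (type, credential) for an image, or None if nothing matches.

    Per-image entries win over the registry default, and a registry's
    credentials are never returned for a different registry URI.
    """
    for svc in config:
        if svc.get("service") != service:
            continue
        for reg in svc.get("registries", []):
            if reg.get("uri") != registry_uri:  # exact match only
                continue
            for entry in reg.get("image_credentials", []):
                if entry.get("image_name") == image_name:
                    return entry["type"], entry["credential"]
            default = reg.get("default_credentials")
            if default:
                return default["type"], default["credential"]
    return None
```

Returning None for an unknown registry, rather than falling back to some other registry's default, keeps one registry's secret from being sent to a different host.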
