[ https://issues.apache.org/jira/browse/MESOS-5450?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15300851#comment-15300851 ]

Till Toenshoff edited comment on MESOS-5450 at 5/25/16 9:23 PM:
----------------------------------------------------------------

Let's please adapt the above description and set straight that we do have a 
pluggable authentication layer -- in fact, we actually have it for both, V0 and 
V1 (HTTP) authentication.

The challenge is the "default" implementation (SASL CRAM-MD5) which we linked 
into libmesos for historical/transitional reasons. This default implementation 
creates a hard dependency of libmesos towards CyrusSASL as described within our 
`src/Makefile.am`:
https://github.com/apache/mesos/blob/8be9b5b5decd9ec2bcad547b1dff29b777cbc438/src/Makefile.am#L1867,
https://github.com/apache/mesos/blob/8be9b5b5decd9ec2bcad547b1dff29b777cbc438/src/Makefile.am#L1868
and
https://github.com/apache/mesos/blob/8be9b5b5decd9ec2bcad547b1dff29b777cbc438/src/Makefile.am#L678

I would also like to propose adding a long-term solution, minimizing the 
platform specifics within Mesos core.

How about this:

We remove the default implementation of the authentication which makes SASL a 
hard dependency of libmesos right now. We ship the CRAM-MD5 authenticator 
module with Mesos, allowing installation just like we already do with other 
modules. We disable installing and building of the CRAM-MD5 authenticator for 
Windows. 

All of this only needs platform specific patches in our build env - not in the 
code.

Then, instead of disabling authentication within Mesos for Windows as it is now 
proposed in a short-term solution, we actually add a trivial, not perfectly 
flexible but usable authentication module. Please mind that one great advantage 
of using SASL is the mechanism negotiation. Let's call this new variant our 
"test-authentication" for now. That one will get included in all builds of 
Mesos, also within the Windows variant. For Windows, it would be the default 
authentication, for other platforms we stick with CRAM-MD5 by default but still 
offer the "test-authentication" as an option to be selected by the user when 
starting up the runnables (master, agent and framework).

Such authenticator / authenticatee pair might also pose as a great example and 
starting point for other developers, intending to add custom authentication 
variants not supported by SASL (or simply without SASL for any reason).



was (Author: tillt):
Let's please adapt the above description and set straight that we do have a 
pluggable authentication layer -- in fact, we actually have it for both, V0 and 
V1 (HTTP) authentication.

I would also like to propose adding a long-term solution, minimizing the 
platform specifics within Mesos core.

How about this:

We remove the default implementation of the authentication which makes SASL a 
hard dependency of libmesos right now. We ship the CRAM-MD5 authenticator 
module with Mesos, allowing installation just like we already do with other 
modules. We disable installing and building of the CRAM-MD5 authenticator for 
Windows. 

All of this only needs platform specific patches in our build env - not in the 
code.

Then, instead of disabling authentication within Mesos for Windows as it is now 
proposed in a short-term solution, we actually add a trivial, not perfectly 
flexible but usable authentication module. Please mind that one great advantage 
of using SASL is the mechanism negotiation. Let's call this new variant our 
"test-authentication" for now. That one will get included in all builds of 
Mesos, also within the Windows variant. For Windows, it would be the default 
authentication, for other platforms we stick with CRAM-MD5 by default but still 
offer the "test-authentication" as an option to be selected by the user when 
starting up the runnables (master, agent and framework).

Such authenticator / authenticatee pair might also pose as a great example and 
starting point for other developers, intending to add custom authentication 
variants not supported by SASL (or simply without SASL for any reason).


> Make the SASL dependency optional.
> ----------------------------------
>
>                 Key: MESOS-5450
>                 URL: https://issues.apache.org/jira/browse/MESOS-5450
>             Project: Mesos
>          Issue Type: Bug
>          Components: slave
>            Reporter: Alex Clemmer
>            Assignee: Alex Clemmer
>              Labels: mesosphere
>
> Right now there is a hard dependency on SASL, which probably won't work well 
> on Windows (at least) in the near future for our use cases.
> In the future, it would be nice to have a pluggable authentication layer.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
