[jira] [Commented] (MESOS-2379) Disabled master authentication causes authentication retries in the scheduler.

Fri, 08 Mar 2019 03:10:22 -0800 


    [ 
https://issues.apache.org/jira/browse/MESOS-2379?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16787793#comment-16787793
 ] 

Alexander Rukletsov commented on MESOS-2379:
--------------------------------------------

B. seems to be implemented now: 
https://github.com/apache/mesos/blob/996862828ca9b7675e40b495fe24d95615bb832b/src/sched/sched.cpp#L487-L505

C. is questionable: for scheduler library to understand how to recover from 
{{AuthenticationErrorMessage}}, we should augment 
{{AuthenticationErrorMessage}} with a hint what kind of error has happened (we 
already do this in the error string), think {{Reason}} enum. 

On the other side, we might not want to mask such errors and make sure an 
operator is engaged: what if the intention was to enable authentication (and 
this is why scheduler tries it), but the master was misconfigured?

> Disabled master authentication causes authentication retries in the 
> scheduler. 
> -------------------------------------------------------------------------------
>
>                 Key: MESOS-2379
>                 URL: https://issues.apache.org/jira/browse/MESOS-2379
>             Project: Mesos
>          Issue Type: Bug
>          Components: security
>            Reporter: Till Toenshoff
>            Priority: Major
>              Labels: authentication, tech-debt
>
> The CRAM-MD5 authenticator relies upon shared credentials. Not supplying such 
> credentials while starting up a master effectively disables any 
> authentication.
> A framework (or slave) may still attempt to authenticate which is answered by 
> an {{AuthenticationErrorMessage}} by the master. That in turn will cause the 
> authenticatee to fail its {{authenticate}} promise, which in turn will cause 
> the current framework driver implementation to infinitely (and unthrottled) 
> retry authentication.
> See: https://github.com/apache/mesos/blob/master/src/sched/sched.cpp#L372
> {noformat}
>     if (reauthenticate || !future.isReady()) {
>       LOG(INFO)
>         << "Failed to authenticate with master " << master.get() << ": "
>         << (reauthenticate ? "master changed" :
>            (future.isFailed() ? future.failure() : "future discarded"));
>       authenticating = None();
>       reauthenticate = false;
>       // TODO(vinod): Add a limit on number of retries.
>       dispatch(self(), &Self::authenticate); // Retry.
>       return;
>     }
> {noformat}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to