----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/32541/#review78573 -----------------------------------------------------------
Ship it! Looking good modulo comments below. Have you had a chance to run this build in the end-to-end test from https://reviews.apache.org/r/32559/? src/main/python/apache/aurora/client/cli/BUILD <https://reviews.apache.org/r/32541/#comment127470> How about "kaurora" src/main/python/apache/aurora/client/cli/client.py <https://reviews.apache.org/r/32541/#comment127445> nit: auth.auth_kerberos is pretty redundant - can rename the module to auth.kerberos src/main/python/apache/aurora/common/auth/auth_kerberos.py <https://reviews.apache.org/r/32541/#comment127473> An explanatory comment as to why we don't enable mutual authentication would be nice here, for example: ``` """ While SPNEGO supports mutual authentication of the response, it does not assert the validity of the response payload, only the identity of the server. Thus the scheduler will not set the WWW-Authenticate response header and the client will disable mutual authentication. In order to achieve communication with the scheduler subject to confidentiality and integrity constraints the client must connect to the scheduler API via HTTPS. Kerberos is thus only used to authenticate the client to the server. """ ``` src/main/python/apache/aurora/common/auth/auth_module_manager.py <https://reviews.apache.org/r/32541/#comment127472> Transport layer suggests TCP to me - consider clarifying with "Thrift transport layer" src/test/python/apache/aurora/client/api/test_scheduler_client.py <https://reviews.apache.org/r/32541/#comment127471> consider using a mock instance of AuthBase here and elsewhere in this file - future readers might be confused as this is not a legal input type - Kevin Sweeney On April 1, 2015, 12:53 p.m., Maxim Khutornenko wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/32541/ > ----------------------------------------------------------- > > (Updated April 1, 2015, 12:53 p.m.) > > > Review request for Aurora, Kevin Sweeney and Brian Wickman. > > > Bugs: AURORA-813 > https://issues.apache.org/jira/browse/AURORA-813 > > > Repository: aurora > > > Description > ------- > > First take on client kerberos support. The idea is to repurpose the existing > auth_module system to support both legacy and kerberos during the deprecation > period. This way the 0.8.0 client will be able to talk to pre-0.8.0 scheduler > and use SessionKey-based authorization. Later (in 0.9.0), the payload() will > be removed along with SessionKey (AURORA-1229). That will let us get rid of > SchedulerProxy (or reduce it substantially). The auth_module might stay > though to support other auth plugins (e.g. requests-ntlm or > requests-oauthlib). > > TODO: integration e2e tests once scheduler side lands. > > > Diffs > ----- > > 3rdparty/python/requirements.txt 11a307cdb476ebcc25ab5c6b555bed29241ea988 > src/main/python/apache/aurora/client/api/__init__.py > a81329f6f947bbea4001c3a521c1923410a51eab > src/main/python/apache/aurora/client/api/scheduler_client.py > 95e553427492407743dcac31d70f392a7c1bbc02 > src/main/python/apache/aurora/client/cli/BUILD > c6b4e8a09d1315cf5defee2155a6e0c697892a30 > src/main/python/apache/aurora/client/cli/client.py > 24516d114db1743cdf600c542a27fcf5b68053a0 > src/main/python/apache/aurora/common/auth/BUILD > 966484627dab90e7606f1fc638cd0e159aee3317 > src/main/python/apache/aurora/common/auth/__init__.py > 3119fd63d3dfa28f93f219b23030059580fed098 > src/main/python/apache/aurora/common/auth/auth_kerberos.py PRE-CREATION > src/main/python/apache/aurora/common/auth/auth_module.py > 5f4116ef4cfbc407e0c50dc938870fb14e2299b4 > src/main/python/apache/aurora/common/auth/auth_module_manager.py > 73a8e5cd51edf694b971cd2c298ff406aff8c6d7 > src/main/python/apache/aurora/common/transport.py > 395f8a94d9a27aad00166a17f2528a8c0833ffdd > src/test/python/apache/aurora/client/api/test_scheduler_client.py > 0a6194831c332a96eab62b869c4e05cfa9def058 > src/test/python/apache/aurora/common/test_transport.py > b78e0b3badfbbeecefff7b5954f3796cef4da9d8 > > Diff: https://reviews.apache.org/r/32541/diff/ > > > Testing > ------- > > ./pants test.pytest --no-fast src/test/python:all > ./src/test/sh/org/apache/aurora/e2e/test_end_to_end.sh > > > Thanks, > > Maxim Khutornenko > >