mesos-reviews mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Greg Mann <g...@mesosphere.io>
Subject Re: Review Request 56753: Implemented the JWT authenticator.
Date Wed, 08 Mar 2017 22:15:52 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56753/#review168352
-----------------------------------------------------------




3rdparty/libprocess/src/jwt_authenticator.cpp
Lines 75-97 (patched)
<https://reviews.apache.org/r/56753/#comment240561>

    Strictly speaking, each element of the vector passed to the `Unauthorized()` constructor
should be a separate challenge; in this case, each element is an attribute of a single challenge.
We should pass these as a single string, in case the constructor of `Unauthorized` changes
in the future to set multiple 'WWW-Authenticate' headers when there are multiple challenges.
I would recommend:
    ```
    result.unauthorized = Unauthorized({
        "Bearer realm=\"" + realm_ + "\", "
        "error=\"invalid_token\", "
        "error_description=\"Malformed 'Authorization' header\""});
    ```



3rdparty/libprocess/src/jwt_authenticator.cpp
Lines 109-112 (patched)
<https://reviews.apache.org/r/56753/#comment240570>

    It's possible here that the JWT has set an empty JSON object in the payload, and we have
no claims. Since the authenticator manager requires that either `Principal.value` or `Principal.claims`
be set, we should check before this loop that the claims are non-empty. The authenticator
manager would catch it, but we can provide a better error message (and an Unauthorized response)
if we do the check here.


- Greg Mann


On March 8, 2017, 2:24 p.m., Jan Schlicht wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56753/
> -----------------------------------------------------------
> 
> (Updated March 8, 2017, 2:24 p.m.)
> 
> 
> Review request for mesos, Alexander Rojas and Greg Mann.
> 
> 
> Bugs: MESOS-7001
>     https://issues.apache.org/jira/browse/MESOS-7001
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> This HTTP authenticator extracts a JWT from the requests' authorization
> header using the 'Bearer' schema and validates it against a secret using
> HMAC SHA256. The 'sub' claim of the JWT is the extracted principal, all
> other claims will be additional labels of the 'Principal'.
> 
> 
> Diffs
> -----
> 
>   3rdparty/libprocess/Makefile.am 75386184108214e67a58c328258ec204099d638c 
>   3rdparty/libprocess/include/process/authenticator.hpp 00660f42cd4b707d955745bbfea5ffec73f690d6

>   3rdparty/libprocess/src/jwt_authenticator.cpp PRE-CREATION 
>   3rdparty/libprocess/src/tests/http_tests.cpp a0e23c2300f9f6b9d1143ee1eb115bbf24adf92e

> 
> 
> Diff: https://reviews.apache.org/r/56753/diff/6/
> 
> 
> Testing
> -------
> 
> make check
> 
> 
> Thanks,
> 
> Jan Schlicht
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message