mesos-reviews mailing list archives

From Anand Mazumdar <mazumdar.an...@gmail.com>
Subject Re: Review Request 46211: Added flags for authenticating HTTP frameworks to master.
Date Fri, 15 Apr 2016 16:39:50 GMT


> On April 15, 2016, 12:42 a.m., Vinod Kone wrote:
> > src/master/flags.cpp, line 482
> > <https://reviews.apache.org/r/46211/diff/1/?file=1344538#file1344538line482>
> >
> >     do we need a default here? we needed a default for `--http_authenticators` for backwards compatibility. since there is no backwards compatibility concern here, i think we should be ok with no default? having a default and not loading is a bit weird IMO.
> >     
> >     remove the default and mention in the description that this flag is required iff `--authenticate_http_frameworks` is set.

FWIW, I do like the idea of having the default authenticator be `basic`, i.e. have a default
value. It becomes easier to get started with using AuthN. Otherwise, they have to first search
around for the module JSON string documentation, populate the fields etc. to set up the module
correctly. Even we need to do it to wire up our test driver. I wonder if it’s worth the
hassle for operators/framework developers to go through this extra step.

We can explicitly include in the documentation that the module (including default) is only
loaded when `--authenticate_http_frameworks` is set. 

I updated the review diff based on the above proposal. Let me know what you think.


> On April 15, 2016, 12:42 a.m., Vinod Kone wrote:
> > src/master/constants.hpp, line 132
> > <https://reviews.apache.org/r/46211/diff/1/?file=1344536#file1344536line132>
> >
> >     If and when we add AuthN support for agent <-> executor, what is that realm going to be? 'mesos-http-framework' or 'mesos-http-executor'? I guess it has to be the latter because we bring up both master and agent in the same OS process in tests?
> >     
> >     so should this be called mesos-http-scheduler instead? it's kinda unfortunate that we sometimes equate framework with scheduler and sometimes with framework and executor.

Sounds good. Also, I don't like the idea of having the protocol name embedded in the realm.
How about just: "mesos-scheduler"?


- Anand


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/46211/#review129044
-----------------------------------------------------------


On April 15, 2016, 4:39 p.m., Anand Mazumdar wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/46211/
> -----------------------------------------------------------
> 
> (Updated April 15, 2016, 4:39 p.m.)
> 
> 
> Review request for mesos and Vinod Kone.
> 
> 
> Bugs: MESOS-3923
>     https://issues.apache.org/jira/browse/MESOS-3923
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> This change introduces two new flags `authenticate_http_frameworks`
> and `http_framework_authenticators` to the master. This allows us
> to selectively turn on/off framework authentication and decouple
> them from authentication for operator endpoints.
> 
> 
> Diffs
> -----
> 
>   src/master/constants.hpp 7c7cc25fcc897dedb28001fbb944d2e50eca4713 
>   src/master/flags.hpp 83bb9088e595b393d610cc65479cb6a35fb31842 
>   src/master/flags.cpp e522499586b731d522180f171731a9dd38b8344c 
>   src/master/master.cpp 781402c04fded159183e1ca28894e48355200f0c 
> 
> Diff: https://reviews.apache.org/r/46211/diff/
> 
> 
> Testing
> -------
> 
> make check
> 
> 
> Thanks,
> 
> Anand Mazumdar
> 
>

