Re: [DISCUSS] Fetching Docker Images Requiring User Credentials.

2016-03-19 Thread Avinash Sridharan
This might be a bit far-fetched, but does it make sense to associate these credential configurations with roles? Roles identify the capability of frameworks in obtaining resources so was wondering if we can use the same capability to distinguish (and control access) to credentials? On Wed, Mar

Re: [DISCUSS] Fetching Docker Images Requiring User Credentials.

2016-03-18 Thread Kevin Klues
On Tue, Mar 15, 2016 at 6:10 PM, Gilbert Song wrote:
> @Kevin, thanks for writing it down in detail. It sounds good that a more concrete schema is designed to generally solve similar auth problem.
>
> Just have two potential issues inlined below:
>
> On Tue, Mar 15,

Re: [DISCUSS] Fetching Docker Images Requiring User Credentials.

2016-03-15 Thread Gilbert Song
@Kevin, thanks for writing it down in detail. It sounds good that a more concrete schema is designed to generally solve similar auth problem. Just have two potential issues inlined below:
On Tue, Mar 15, 2016 at 5:39 PM, Kevin Klues wrote:
> Yeah, option 2.
>
> I was trying

Re: [DISCUSS] Fetching Docker Images Requiring User Credentials.

2016-03-15 Thread Vinod Kone
I actually think the way DockerContainerizer currently does it is reasonable and allows each container to talk to a potentially different registry using unique credentials. Given the multitude of AuthN schemes, it is probably better to leave the problem of fetching CommandInfo.URIs that need AuthN

Re: [DISCUSS] Fetching Docker Images Requiring User Credentials.

2016-03-15 Thread Kevin Klues
Yeah, option 2. I was trying to expand on Avinash's suggestion and make it a bit more concrete in terms of what was being proposed. Needing to reload the agent just to update the list of credentials it accepts seems undesirable though. Maybe we could have a way to start the agent with a default

Re: [DISCUSS] Fetching Docker Images Requiring User Credentials.

2016-03-15 Thread Jie Yu
Kevin, are you suggesting option 2 and having a config file like the above? I think another downside of a per-agent config is that it's hard to maintain this. What if a new framework joins and has a new credential for the docker images? Do we need to restart the agent to reload the config? - Jie

Re: [DISCUSS] Fetching Docker Images Requiring User Credentials.

2016-03-15 Thread Kevin Klues
Can we be a bit more concrete here and try to build up a schema for this? Maybe something like: { [ { "service" : "docker", "registries" : [ "uri" : "", "default_credentials" : { "type" : "", "credential" : {

Re: [DISCUSS] Fetching Docker Images Requiring User Credentials.

2016-03-15 Thread Jie Yu
>
> Yeah I was thinking having the JSON as a dictionary with keys being the registry URI (appc/docker) and the values being credentials (which will be a dictionary as well I guess).

Using registry URI as the key is problematic. Think about the public docker hub. Different frameworks might

Re: [DISCUSS] Fetching Docker Images Requiring User Credentials.

2016-03-15 Thread Avinash Sridharan
On Tue, Mar 15, 2016 at 11:43 AM, Vinod Kone wrote:
> moved core@ to *bcc*
>
> On Tue, Mar 15, 2016 at 11:18 AM, Avinash Sridharan wrote:
>
>> Why not follow option 2, but instead of passing the agent credentials, pass a location to the flag

Re: [DISCUSS] Fetching Docker Images Requiring User Credentials.

2016-03-15 Thread Jojy Varghese
Have we considered provisioning SSL certs and keys as a separate step (isolation maybe)? This could mean mounting “.ssl” volume inside the container for example. -Jojy
> On Mar 15, 2016, at 11:18 AM, Avinash Sridharan wrote:
>
> Why not follow option 2, but instead of

Re: [DISCUSS] Fetching Docker Images Requiring User Credentials.

2016-03-15 Thread Vinod Kone
moved core@ to *bcc*
On Tue, Mar 15, 2016 at 11:18 AM, Avinash Sridharan wrote:
> Why not follow option 2, but instead of passing the agent credentials, pass a location to the flag where credentials for the registry can be found (in JSON)? The frameworks can set

Re: [DISCUSS] Fetching Docker Images Requiring User Credentials.

2016-03-15 Thread Avinash Sridharan
Why not follow option 2, but instead of passing the agent credentials, pass a location to the flag where credentials for the registry can be found (in JSON)? The frameworks can set credentials (maybe registry name or URL to the registry), and the credentials can be learnt from the JSON config.

[DISCUSS] Fetching Docker Images Requiring User Credentials.

2016-03-15 Thread Gilbert Song
Hi folks, We want to raise a discussion here, seeking suggestions about passing credentials in a secure way. This relates to the JIRA MESOS-4938, supporting docker private registry authentication in unified containerizer. In fact, this problem is