On Thu, 12 Nov 2009 09:12:56 -0600 Jonathan Ellis <[email protected]> wrote:
JE> 2009/11/12 Ted Zlatanov <[email protected]>:
>> On Wed, 11 Nov 2009 16:14:09 -0800 Anthony Molinaro
>> <[email protected]> wrote:
>>
AM> How will authentication work with non-java clients? I don't think thrift
AM> itself has authentication built in, and it sounds like a java library is
AM> being proposed for the guts. Will it still be possible to connect from
AM> a non-java client or will the thrift interface be deprecated?
>>
>> The client will login with a Map<String,String> of login tokens and get
>> an auth token (probably a String containing a UUID) back. The token
>> will be valid for the duration of the client connection and will grant
>> access to a single keyspace. Effectively, the token replaces the old
>> Keyspace argument in all Thrift API calls.

JE> I'd really prefer to just keep that around in a threadlocal. There's
JE> no reason for a client to continue passing a token w/ each call that
JE> the server already knows.

OK.

>> I am thinking of allowing dual operation where if you pass a keyspace
>> name without login, it works on servers that don't have authentication
>> enabled.

JE> The default should definitely be, "don't break people who don't need
JE> the new feature more than necessary." So the default should be
JE> "accept any client to any keyspace."

Hmm, I thought we were going to limit access to a single keyspace upon
login. You want to keep allowing multiple keyspaces? That would leave
the existing API intact (only adding a login function) but requires an
extra authorization check every time a keyspace is given. Do we expire
authorizations after a certain time?

Ted
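
The variant discussed at the end of this message (login state kept server-side in a threadlocal, the keyspace argument left in each call, an authorization check per call, and an allow-all default), as an added example that is not part of the original message or of Cassandra's code. All class and method names are hypothetical; it assumes one server thread per client connection and Java 9 or later.

```java
import java.util.Map;
import java.util.Set;

// Added sketch; every name here is hypothetical, not Cassandra's API.
public class ConnectionAuthSketch {
    /** Pluggable check, run on every call that names a keyspace. */
    interface Authorizer {
        boolean mayAccess(Map<String, String> loginTokens, String keyspace);
    }

    /** Default from the thread: accept any client to any keyspace. */
    static final Authorizer ALLOW_ALL = (tokens, keyspace) -> true;

    // Per-thread login state; assumes one server thread per client connection.
    private static final ThreadLocal<Map<String, String>> LOGIN =
            ThreadLocal.withInitial(() -> Map.of());

    private final Authorizer authorizer;

    ConnectionAuthSketch(Authorizer authorizer) { this.authorizer = authorizer; }

    /** The only new call: remember the caller's tokens for this connection. */
    void login(Map<String, String> loginTokens) { LOGIN.set(Map.copyOf(loginTokens)); }

    /** Must run on disconnect, or a pooled thread hands the login to the next client. */
    void connectionClosed() { LOGIN.remove(); }

    /** Existing call shape is kept: the keyspace is still an argument. */
    String get(String keyspace, String key) {
        if (!authorizer.mayAccess(LOGIN.get(), keyspace)) {
            throw new SecurityException("not authorized for keyspace " + keyspace);
        }
        return keyspace + "/" + key; // stand-in for the real read
    }

    public static void main(String[] args) {
        // Constructed sample policy: these exact tokens may use Keyspace1 only.
        Map<String, String> alice = Map.of("user", "alice", "password", "s3cret");
        Authorizer policy = (t, ks) -> alice.equals(t) && Set.of("Keyspace1").contains(ks);

        System.out.println(new ConnectionAuthSketch(ALLOW_ALL).get("Keyspace1", "k")); // no login needed
        ConnectionAuthSketch secured = new ConnectionAuthSketch(policy);
        secured.login(alice);
        System.out.println(secured.get("Keyspace1", "k"));
        try { secured.get("Keyspace2", "k"); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        secured.connectionClosed();
        try { secured.get("Keyspace1", "k"); }
        catch (SecurityException e) { System.out.println("denied after disconnect: " + e.getMessage()); }
    }
}
```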
