jon-wei commented on a change in pull request #6972: Support LDAP authentication/authorization
URL: https://github.com/apache/incubator-druid/pull/6972#discussion_r271095934
########## File path: docs/content/development/extensions-core/druid-basic-security.md ########## 
@@ -155,6 +189,27 @@ Example request body: } ``` +`GET(/druid-ext/basic-security/authentication/db/{authenticatorName}/config)` +Return the authenticator current set of updatable configuration. + +`POST(/druid-ext/basic-security/authentication/db/{authenticatorName}/config)`

Review comment:

Hm, I feel like this feature could be a bit tricky to use right, and I'm not sure it's worth the added complexity in most cases.

If kept as a feature, I think users would need some guidance on how to do a successful credential migration in the docs. Some points I think the docs should address:

- To migrate the credentials without downtime, the user would need to set up a temporary transition state where both the old and new credentials are valid (otherwise the credential update itself wouldn't be accepted by the cluster)
- Before pushing the new credentials to the cluster, the user should ensure that all of the configs on the cluster are updated to use the new credentials (so that they don't fall back to the old set upon restarts)
- After pushing the credential update, the user would need to check that the update was successfully propagated to all the cluster nodes (through the REST APIs? This would need a way to get the current escalator credentials or verify that they've changed in addition to the LDAP connection configs)
- To keep cluster config management simple, I think the in-metadata credentials should be treated as a temporary thing to assist with migration and not as a long-lived source of truth (which should be the config files). Adding DELETE endpoints for the in-metadata credentials and having the docs guide the user to delete that state after completing the migration would be good.
- I would move documentation for these config update APIs into a separate "credentials migration" section with the info above.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
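Review bot: The description added under the GET endpoint, "Return the authenticator current set of updatable configuration.", does not say which fields count as updatable or whether credential values are included in the response; suggest listing the fields and stating whether secrets are masked or omitted. The sentence should also read "Returns the authenticator's current set of updatable configuration." In the lines visible here the POST endpoint has no description yet, so its request body and the permission needed to call it should be documented alongside it.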