> On June 24, 2014, 9:58 a.m., Adam B wrote:
> > Not sure I like the combined JSON format, rather than multiple files with 
> > plain-text formatting. I'm just thinking what if somebody wants 
> > authentication for registration/http but not the other, or wants 
> > principal/secret auth for one, but principal-only (implicit token, a la 
> > kerberos/OAuth) for the other.
> > I guess 'secret' is optional, so you could still combine them and just 
> > ignore the 'secret' sometimes, but then we'll need another differentiator 
> > to specify what kind of authentication(s) to do.

The plan was to ultimately get away from plain-text formatting. While simpler, 
it's very implicit, hence the use of JSON to explicitly capture the structure.

I agree that we'll need another differentiator for something like Kerberos. The 
plan was to add more stuff to Credential, for example, one idea is to add an 
'optional bool kerberos' which if set to true assumes that there is an implicit 
token that should be looked up.


> On June 24, 2014, 9:58 a.m., Adam B wrote:
> > include/mesos/mesos.proto, line 671
> > <https://reviews.apache.org/r/22222/diff/3/?file=614271#file614271line671>
> >
> >     "registration"? Since these credentials are currently used by the 
> > slave/framework to allow registration with the master?

SGTM. The other suggestion was to call them 'sasl', since these are the 
credentials that we're giving to the SASL Authenticator.


> On June 24, 2014, 9:58 a.m., Adam B wrote:
> > src/credentials/credentials.hpp, lines 56-57
> > <https://reviews.apache.org/r/22222/diff/3/?file=614273#file614273line56>
> >
> >     So now credentials should be stored in JSON format, with entries for 
> > identification/registration, http, and whatever else comes along? This 
> > could get messy quick. How many more credentials types do we expect?
> >     What if somebody wants to use kerberos for registration, but flatfile 
> > for http? Or OAuth for http and flatfile for registration?

As mentioned above, I don't think we should use flat files. But mixing and 
matching Kerberos vs explicit secret is likely a valid use case. Do you have a 
suggestion for storing all these credentials? Just like we're sticking all the 
ACLs in a single JSON, the idea was to do the same here. But suggestions are 
welcome!


> On June 24, 2014, 9:58 a.m., Adam B wrote:
> > src/slave/flags.hpp, lines 252-255
> > <https://reviews.apache.org/r/22222/diff/3/?file=614278#file614278line252>
> >
> >     So verbose.

But so explicit!


- Benjamin


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/22222/#review46508
-----------------------------------------------------------


On June 20, 2014, 6:08 p.m., Isabel Jimenez wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/22222/
> -----------------------------------------------------------
> 
> (Updated June 20, 2014, 6:08 p.m.)
> 
> 
> Review request for mesos, Benjamin Hindman, Dominic Hamon, and Till Toenshoff.
> 
> 
> Bugs: MESOS-1391
>     https://issues.apache.org/jira/browse/MESOS-1391
> 
> 
> Repository: mesos-git
> 
> 
> Description
> -------
> 
> After Ben's comments, regroup of all types of authentication in one common 
> definition, this is a draft for this Issue, here are some questions:
> 
> - Do I replace credentials flag completely or if this slight duplication will 
> suffice for now?
> - If I don't replace it, for now as it is in this patch, the flag is useless, 
> I should give it to the sasl/authenticator but I would really appreciate some 
> comments for that part.
> 
> 
> Diffs
> -----
> 
>   include/mesos/mesos.proto 2f6be05 
>   src/Makefile.am b1b7d2d 
>   src/credentials/credentials.hpp 98b9088 
>   src/master/flags.hpp 47bb0dc 
>   src/master/master.hpp b56e9f4 
>   src/master/master.cpp dcf28ad 
>   src/sasl/authenticator.hpp 365db5f 
>   src/slave/flags.hpp 3b8ba08 
>   src/slave/slave.cpp ed3483f 
>   src/tests/authentication_tests.cpp 5cf2da4 
>   src/tests/credentials_tests.cpp PRE-CREATION 
>   src/tests/mesos.cpp 1037420 
> 
> Diff: https://reviews.apache.org/r/22222/diff/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Isabel Jimenez
> 
>
