> On Nov. 6, 2014, 6:30 a.m., Adam B wrote:
> > src/slave/slave.cpp, lines 620-621
> > <https://reviews.apache.org/r/27494/diff/3/?file=750914#file750914line620>
> >
> > This feels a little awkward. Now, we try to authenticate if
> > --authenticatee is set (to non-default) or --credential is set; otherwise
> > register directly?
> > Maybe it's time to have an explicit --authenticate flag, so
> > --credential isn't both a path to a credential file and a switch to enable
> > authentication. Thoughts?
> >
> > Or maybe just check to see if there's a viable authenticatee, and if
> > not, try to register without authenticating. The master/authenticator would
> > reject an unauthenticated slave/framework if the master has enabled authn,
> > so the authenticatee doesn't have to be so strict about exiting instead of
> > registering without authentication.
>
> Till Toenshoff wrote:
>     Entirely true as written Adam. I had the same feelings when implementing
>     it this way but hesitated to revise the existing logic too much. My first
>     hunch is to follow your second option - but let's see what others say about
>     that.
>
>     I will put up a comment on
>     https://issues.apache.org/jira/browse/MESOS-2040 to open up a quick
>     discussion, inviting everyone for input.

Now using credential as an authentication trigger as described in MESOS-2040.

- Till

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/27494/#review60125
-----------------------------------------------------------

On Nov. 9, 2014, 11:16 p.m., Till Toenshoff wrote:
>
> (Updated Nov. 9, 2014, 11:16 p.m.)
>
> Review request for mesos, Adam B and Vinod Kone.
>
> Bugs: MESOS-2040
>     https://issues.apache.org/jira/browse/MESOS-2040
>
> Repository: mesos-git
>
> Description
> -------
>
> Also fixes messages.proto to use a raw bytestream instead of a string for
> AuthenticationStartMessage as non CRAM-MD5 authentication may transmit binary
> data.
> Note that the change of AuthenticationStartMessage does basically have no
> impact on C++ based proto code other than the prevention of a warning due to
> non-UTF8 characters being encoded. That does in fact occur when using non
> CRAM-MD5 based SASL authentication mechanisms.
>
> Note that this patch covers modularized slave authentication only. Framework
> authentication is currently covered by the default (built-in)
> implementation. There will be a subsequent patch for modularized framework
> authentication.
>
> Diffs
> -----
>
>   src/messages/messages.proto de0e2a2
>   src/sched/sched.cpp 8ca0526
>   src/scheduler/scheduler.cpp c74187c
>   src/slave/constants.hpp 701dd89
>   src/slave/constants.cpp d6ad78c
>   src/slave/flags.hpp efbd35d
>   src/slave/slave.hpp 72bbec9
>   src/slave/slave.cpp 81e0c4b
>
> Diff: https://reviews.apache.org/r/27494/diff/
>
> Testing
> -------
>
> make check
>
> NOTE all three CRAM-MD5 authenticatee module related RRs need to get applied
> before running make check.
>
> Thanks,
>
> Till Toenshoff
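
An added example, not part of the thread or of the Mesos code base: the description's point about string versus raw bytes for AuthenticationStartMessage, shown as a strict UTF-8 check over two payloads. The function names and both sample payloads are constructed for illustration; the binary token is arbitrary octets, not a captured SASL exchange.

```cpp
#include <cstddef>
#include <string>

// Strict UTF-8 check: rejects stray continuation bytes, truncated sequences,
// overlong encodings, surrogates and code points above U+10FFFF.
bool isValidUtf8(const std::string& s) {
  const unsigned char* p = reinterpret_cast<const unsigned char*>(s.data());
  const std::size_t n = s.size();
  std::size_t i = 0;
  while (i < n) {
    const unsigned char c = p[i];
    if (c < 0x80) { ++i; continue; }            // plain ASCII
    std::size_t len = 0;
    unsigned int cp = 0, lowest = 0;
    if ((c & 0xE0) == 0xC0)      { len = 2; cp = c & 0x1F; lowest = 0x80; }
    else if ((c & 0xF0) == 0xE0) { len = 3; cp = c & 0x0F; lowest = 0x800; }
    else if ((c & 0xF8) == 0xF0) { len = 4; cp = c & 0x07; lowest = 0x10000; }
    else return false;                          // invalid lead byte
    if (i + len > n) return false;              // truncated sequence
    for (std::size_t k = 1; k < len; ++k) {
      if ((p[i + k] & 0xC0) != 0x80) return false;
      cp = (cp << 6) | (p[i + k] & 0x3F);
    }
    if (cp < lowest || cp > 0x10FFFF) return false;
    if (cp >= 0xD800 && cp <= 0xDFFF) return false;
    i += len;
  }
  return true;
}

// Constructed sample: a CRAM-MD5 response is "<user> <hex digest>", all ASCII.
std::string sampleCramMd5Response() {
  return "slave-principal 0123456789abcdef0123456789abcdef";
}

// Constructed sample: arbitrary octets (including NUL) of the kind a binary
// SASL mechanism may put into its initial response.
std::string sampleBinaryToken() {
  const unsigned char raw[] = {0x60, 0x82, 0x01, 0x00, 0x06, 0x09,
                               0x2A, 0x86, 0x48, 0xFF, 0x00};
  return std::string(reinterpret_cast<const char*>(raw), sizeof(raw));
}

// Which protobuf scalar type carries the payload without a UTF-8 complaint.
const char* fieldTypeFor(const std::string& payload) {
  return isValidUtf8(payload) ? "string or bytes" : "bytes";
}
```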