[
https://issues.apache.org/jira/browse/AURORA-1290?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kevin Sweeney updated AURORA-1290:
----------------------------------
Description:
Right now you have to type some pretty verbose stuff to set up security.
{noformat}
-shiro_realm_modules=org.apache.aurora.scheduler.http.api.security.Kerberos5ShiroRealmModule,org.apache.aurora.scheduler.http.api.security.IniShiroRealmModule,com.example.CustomRealmModule
{noformat}
This is ugly and not very refactor-safe. Consider adding mappings for
well-known names, with fallback to FQCNs.
Thus, the previous example could become
{noformat}
-shiro_realm_modules=KERBEROS5_AUTHN,INI_AUTHNZ,com.example.CustomRealmModule
{noformat}
This points out one possible weird misconfiguration:
{noformat}
-shiro_realm_modules=KERBEROS5_AUTHN,INI_AUTHNZ
-http_authentication_mechanism=BASIC
{noformat}
will leave the Kerberos code completely dark and pass the Basic auth
credentials to IniRealm. Thus, as a follow-up we should probably create separate
INI_AUTHN and INI_AUTHZ realms that will only participate in one phase.
was:
Right now you have to type some pretty verbose stuff to set up security.
{noformat}
-shiro_realm_modules=org.apache.aurora.scheduler.http.api.security.Kerberos5ShiroRealmModule,org.apache.aurora.scheduler.http.api.security.IniShiroRealmModule,com.example.CustomRealmModule
{noformat}
This is ugly and not very refactor-safe. Consider adding mappings for
well-known names, with fallback to FQCNs.
Thus, the previous example could become
{noformat}
-shiro_realm_modules=KERBEROS5_AUTHN,INI_AUTHZ,com.example.CustomRealmModule
{noformat}
> Allow specifying a shorthand for "well-known" Module FQCNs
> ----------------------------------------------------------
>
> Key: AURORA-1290
> URL: https://issues.apache.org/jira/browse/AURORA-1290
> Project: Aurora
> Issue Type: Story
> Components: Scheduler
> Reporter: Kevin Sweeney
> Assignee: Bill Farner
>
> Right now you have to type some pretty verbose stuff to set up security.
> {noformat}
> -shiro_realm_modules=org.apache.aurora.scheduler.http.api.security.Kerberos5ShiroRealmModule,org.apache.aurora.scheduler.http.api.security.IniShiroRealmModule,com.example.CustomRealmModule
> {noformat}
> This is ugly and not very refactor-safe. Consider adding mappings for
> well-known names, with fallback to FQCNs.
> Thus, the previous example could become
> {noformat}
> -shiro_realm_modules=KERBEROS5_AUTHN,INI_AUTHNZ,com.example.CustomRealmModule
> {noformat}
> This points out one possible weird misconfiguration:
> {noformat}
> -shiro_realm_modules=KERBEROS5_AUTHN,INI_AUTHNZ
> -http_authentication_mechanism=BASIC
> {noformat}
> will leave the Kerberos code completely dark and pass the Basic auth
> credentials to IniRealm. Thus, as a follow-up we should probably create
> separate INI_AUTHN and INI_AUTHZ realms that will only participate in one
> phase.
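A pre-deployment check for the misconfiguration described in the ticket, as an added example that is not part of the original message or of Aurora's code: it expands the proposed shorthand names to the FQCNs shown above and flags a Kerberos realm paired with BASIC. The function names, and the rule that a name without a dot is a mistyped shorthand rather than a class, are assumptions of this example.

```python
# Added example (not Aurora code). Shorthand names are the ones proposed in the ticket.
PKG = "org.apache.aurora.scheduler.http.api.security."
WELL_KNOWN = {
    "KERBEROS5_AUTHN": PKG + "Kerberos5ShiroRealmModule",
    "INI_AUTHNZ": PKG + "IniShiroRealmModule",
}


def resolve_module(name):
    """Expand a well-known shorthand; otherwise fall back to treating it as an FQCN."""
    name = name.strip()
    if name in WELL_KNOWN:
        return WELL_KNOWN[name]
    # Assumption of this example: a dotless name is a mistyped shorthand, not a class.
    if "." not in name:
        raise ValueError(f"unknown shorthand, and not an FQCN: {name!r}")
    return name


def parse_flags(args):
    """Turn ['-key=value', ...] into a dict; flags without '=' are ignored."""
    flags = {}
    for arg in args:
        key, sep, value = arg.lstrip("-").partition("=")
        if sep:
            flags[key] = value
    return flags


def lint(args):
    """Return (resolved realm modules, findings) for a scheduler flag list."""
    flags = parse_flags(args)
    raw = flags.get("shiro_realm_modules", "")
    modules = [resolve_module(m) for m in raw.split(",") if m.strip()]
    findings = []
    kerberos = WELL_KNOWN["KERBEROS5_AUTHN"] in modules
    if kerberos and flags.get("http_authentication_mechanism") == "BASIC":
        findings.append("Kerberos realm is configured but BASIC is selected: "
                        "the Kerberos code is never exercised")
        if WELL_KNOWN["INI_AUTHNZ"] in modules:
            findings.append("Basic auth credentials will be passed to the INI realm")
    return modules, findings


if __name__ == "__main__":
    # Constructed input: the flag pair from the ticket.
    sample = ["-shiro_realm_modules=KERBEROS5_AUTHN,INI_AUTHNZ",
              "-http_authentication_mechanism=BASIC"]
    for finding in lint(sample)[1]:
        print("WARN:", finding)
```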