ningyougang commented on a change in pull request #2517: Support client 
certificate verify on server side
URL: 
https://github.com/apache/incubator-openwhisk/pull/2517#discussion_r131580933
 
 

 ##########
 File path: core/controller/src/main/scala/whisk/core/controller/RestAPIs.scala
 ##########
 @@ -160,7 +160,7 @@ protected[controller] class RestAPIVersion(apipath: 
String, apiversion: String)(
             sendCorsHeaders {
                 (pathEndOrSingleSlash & get) {
                     complete(OK, info)
-                } ~ authenticate(basicauth) {
+                } ~ (authenticate(basicauth) | authenticate(certificateAuth)) {
 
 Review comment:
   @markusthoemmes @rabbah 
   * That tightly couples the security of the Controller to having an nginx 
with that exact configuration running in front of it.
   answer: i have modified, if `ssl_verify_client` in nginx.conf is `off`, it 
will use auth key verification default, if `ssl_verify_client` in nginx.conf is 
`on`, it will use client certificate verification.
   I judge in Controller by passing the configuration to controller container's 
env.
   
   * Should use SPI approach to support this feature.
   I have readed the sourcecode for `SPI`, it is it is suitable for `Plugin 
configureale` which means the service can be replaced with another service by 
changing the applicaton.conf if one day found the original service is not well. 
 but regarding ` auth mechanisms here`, it is just `if/else logic` can solve 
this question.
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services

Reply via email to