[jira] [Commented] (ACCUMULO-1929) Current auth/auth/perm API doesn't well support multiple authentication domains

Tue, 26 Nov 2013 13:40:39 -0800 

    [ 
https://issues.apache.org/jira/browse/ACCUMULO-1929?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13833102#comment-13833102
 ] 

John Vines commented on ACCUMULO-1929:
--------------------------------------

I don't see how this is a subclass of that. Accumulo-1300 deals with multiple 
authentication systems, which could be handled with a single 
multi-authenticator that fits into the currently pluggable scheme. This ticket 
is requesting additional token information bet passed to the authorizor and 
permission handler interfaces, which is a significant limitation on those 
interfaces which makes me wonder if that's something we want to address in 
1.6.0.

> Current auth/auth/perm API doesn't well support multiple authentication 
> domains
> -------------------------------------------------------------------------------
>
>                 Key: ACCUMULO-1929
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-1929
>             Project: Accumulo
>          Issue Type: Bug
>            Reporter: Michael Allen
>            Assignee: Christopher Tubbs
>
> The current {{Authenticator}} / {{Authorizor}} / {{PermissionHandler}} API 
> doesn't provide a good method to support multiple authentication domains.  
> While the {{Authenticator}} object accepts abstract {{AuthenticationToken}} 
> objects which can be used to point a request towards a particular domain (by 
> including domain-specific knowledge in the token subclass), the 
> {{Authorizor}} and {{PermissionHandler}} objects share no such abstract 
> class.  A call like {{Authorizor.getCachedUserAuthorization(String user)}} 
> can't tell if the user in question is the user for domain 1, 2, 3, and so on, 
> without having the rest of the system play some crazy tricks to encode that 
> string in some unnatural way.
> One simple-ish solution is pass the {{AuthenticationToken}} object on to more 
> than one call in the  {{Authenticator}} / {{Authorizor}} / 
> {{PermissionHandler}} system.  That way, its domain knowledge can travel 
> through to the other parts and be used to route requests accordingly.  



--
This message was sent by Atlassian JIRA
(v6.1#6144)

Reply via email to