> On April 1, 2015, 8:40 p.m., Kevin Sweeney wrote:
> > src/main/python/apache/aurora/common/auth/auth_kerberos.py, line 33
> > <https://reviews.apache.org/r/32541/diff/2/?file=909513#file909513line33>
> >
> >     An explanatory comment as to why we don't enable mutual authentication
> >     would be nice here, for example:
> >
> >     ```
> >     """
> >     While SPNEGO supports mutual authentication of the response, it does
> >     not assert the validity of the response payload, only the identity of the
> >     server. Thus the scheduler will not set the WWW-Authenticate response
> >     header and the client will disable mutual authentication. In order to
> >     achieve communication with the scheduler subject to confidentiality and
> >     integrity constraints the client must connect to the scheduler API via
> >     HTTPS. Kerberos is thus only used to authenticate the client to the server.
> >     """
> >     ```

Thanks, done.


> On April 1, 2015, 8:40 p.m., Kevin Sweeney wrote:
> > src/main/python/apache/aurora/common/auth/auth_module_manager.py, line 66
> > <https://reviews.apache.org/r/32541/diff/2/?file=909515#file909515line66>
> >
> >     Transport layer suggests TCP to me - consider clarifying with "Thrift
> >     transport layer"

Done.


> On April 1, 2015, 8:40 p.m., Kevin Sweeney wrote:
> > src/test/python/apache/aurora/client/api/test_scheduler_client.py, line 491
> > <https://reviews.apache.org/r/32541/diff/2/?file=909516#file909516line491>
> >
> >     consider using a mock instance of AuthBase here and elsewhere in this
> >     file - future readers might be confused as this is not a legal input type

Done.


- Maxim


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/32541/#review78573
-----------------------------------------------------------


On April 2, 2015, 1:10 a.m., Maxim Khutornenko wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/32541/
> -----------------------------------------------------------
> 
> (Updated April 2, 2015, 1:10 a.m.)
> 
> 
> Review request for Aurora, Kevin Sweeney and Brian Wickman.
> 
> 
> Bugs: AURORA-813
>     https://issues.apache.org/jira/browse/AURORA-813
> 
> 
> Repository: aurora
> 
> 
> Description
> -------
> 
> First take on client Kerberos support. The idea is to repurpose the existing 
> auth_module system to support both legacy and Kerberos during the deprecation 
> period. This way the 0.8.0 client will be able to talk to a pre-0.8.0 scheduler 
> and use SessionKey-based authorization. Later (in 0.9.0), the payload() will 
> be removed along with SessionKey (AURORA-1229). That will let us get rid of 
> SchedulerProxy (or reduce it substantially). The auth_module might stay 
> though to support other auth plugins (e.g. requests-ntlm or 
> requests-oauthlib).
> 
> TODO: integration e2e tests once scheduler side lands.
> 
> 
> Diffs
> -----
> 
>   3rdparty/python/requirements.txt 11a307cdb476ebcc25ab5c6b555bed29241ea988
>   src/main/python/apache/aurora/client/api/__init__.py a81329f6f947bbea4001c3a521c1923410a51eab
>   src/main/python/apache/aurora/client/api/scheduler_client.py 95e553427492407743dcac31d70f392a7c1bbc02
>   src/main/python/apache/aurora/client/cli/BUILD c6b4e8a09d1315cf5defee2155a6e0c697892a30
>   src/main/python/apache/aurora/client/cli/client.py 24516d114db1743cdf600c542a27fcf5b68053a0
>   src/main/python/apache/aurora/common/auth/BUILD 966484627dab90e7606f1fc638cd0e159aee3317
>   src/main/python/apache/aurora/common/auth/__init__.py 3119fd63d3dfa28f93f219b23030059580fed098
>   src/main/python/apache/aurora/common/auth/auth_module.py 5f4116ef4cfbc407e0c50dc938870fb14e2299b4
>   src/main/python/apache/aurora/common/auth/auth_module_manager.py 73a8e5cd51edf694b971cd2c298ff406aff8c6d7
>   src/main/python/apache/aurora/common/auth/kerberos.py PRE-CREATION
>   src/main/python/apache/aurora/common/transport.py 395f8a94d9a27aad00166a17f2528a8c0833ffdd
>   src/test/python/apache/aurora/client/api/test_scheduler_client.py 0a6194831c332a96eab62b869c4e05cfa9def058
>   src/test/python/apache/aurora/common/test_transport.py b78e0b3badfbbeecefff7b5954f3796cef4da9d8
>
> 
> Diff: https://reviews.apache.org/r/32541/diff/
> 
> 
> Testing
> -------
> 
> ./pants test.pytest --no-fast src/test/python:all
> ./src/test/sh/org/apache/aurora/e2e/test_end_to_end.sh
> 
> 
> Thanks,
> 
> Maxim Khutornenko
> 
>
