> On March 18, 2016, 8:55 a.m., Adam B wrote:
> > src/authentication/http/basic_authenticator_factory.cpp, lines 87-91
> > <https://reviews.apache.org/r/44678/diff/7/?file=1304582#file1304582line87>
> >
> > Is it ok to specify a realm but no credentials? Does that just mean
> > that nobody can authenticate? Is that still a valid authenticator?
>
> Greg Mann wrote:
> We have a test that explicitly tests for this case
> (`HttpAuthenticationTest.BasicWithoutCredentialsTest`), so it seems to be
> valid? I could imagine it as a way for an operator to turn off all
> authenticated endpoints. Not sure how relevant of a real-world use case this
> is, but I was following the lead of the existing tests. Perhaps this was
> discussed in the previous HTTP authentication reviews; I'll have a look.
I browsed through the HTTP authentication reviews (including the one where the `BasicWithoutCredentialsTest` test is introduced, https://reviews.apache.org/r/38950/), and didn't find any discussion of this point.

- Greg

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/44678/#review124151
-----------------------------------------------------------

On March 18, 2016, 5:28 p.m., Greg Mann wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/44678/
> -----------------------------------------------------------
>
> (Updated March 18, 2016, 5:28 p.m.)
>
>
> Review request for mesos, Adam B, Alexander Rojas, Joerg Schad, and Till
> Toenshoff.
>
>
> Bugs: MESOS-4850
> https://issues.apache.org/jira/browse/MESOS-4850
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Modified basic HTTP authenticator creator to accept realm.
>
> To accommodate different authentication realms for the master and agent, the
> default basic HTTP authenticator needs to accept its authentication realm as
> a parameter. This patch adds this parameter and modifies the HTTP
> authentication tests to validate it appropriately. A new test was also added:
> `HttpAuthenticationTest.BasicWithoutRealm`.
>
>
> Diffs
> -----
>
> include/mesos/authentication/http/basic_authenticator_factory.hpp
> c11bb47c8e02f2e8645cf387d18eb64d1c8cb604
> src/authentication/http/basic_authenticator_factory.cpp
> 62f851685db3b42c52bbcb7cff3e4f4703004ed7
> src/examples/test_http_authenticator_module.cpp
> 459b7046bd76d3043d2484a2dd30c10d7deaedd4
> src/master/master.cpp e6290ea686ccf17813d6faeaf2f2012f79cf3b7f
> src/tests/http_authentication_tests.cpp
> cf2bb762272fa38e04e5c26aef2858300bbd0459
>
> Diff: https://reviews.apache.org/r/44678/diff/
>
>
> Testing
> -------
>
> HTTP authentication tests were updated to pass the authentication realm to
> the basic HTTP authenticator, and to adhere to the new credentials format in
> the module parameters. A new test was also added:
> `HttpAuthenticationTest.BasicWithoutRealm`
>
> `make check` was used to test on both OSX and CentOS 7.
>
>
> Thanks,
>
> Greg Mann
