> On March 18, 2016, 8:55 a.m., Adam B wrote:
> > src/authentication/http/basic_authenticator_factory.cpp, lines 87-91
> > <https://reviews.apache.org/r/44678/diff/7/?file=1304582#file1304582line87>
> >
> >     Is it ok to specify a realm but no credentials? Does that just mean 
> > that nobody can authenticate? Is that still a valid authenticator?
> 
> Greg Mann wrote:
>     We have a test that explicitly tests for this case 
> (`HttpAuthenticationTest.BasicWithoutCredentialsTest`), so it seems to be 
> valid? I could imagine it as a way for an operator to turn off all 
> authenticated endpoints. Not sure how relevant of a real-world use case this 
> is, but I was following the lead of the existing tests. Perhaps this was 
> discussed in the previous HTTP authentication reviews; I'll have a look.

I browsed through the HTTP authentication reviews (including the one where the 
`BasicWithoutCredentialsTest` test is introduced, 
https://reviews.apache.org/r/38950/), and didn't find any discussion of this 
point.


- Greg


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/44678/#review124151
-----------------------------------------------------------


On March 18, 2016, 5:28 p.m., Greg Mann wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/44678/
> -----------------------------------------------------------
> 
> (Updated March 18, 2016, 5:28 p.m.)
> 
> 
> Review request for mesos, Adam B, Alexander Rojas, Joerg Schad, and Till 
> Toenshoff.
> 
> 
> Bugs: MESOS-4850
>     https://issues.apache.org/jira/browse/MESOS-4850
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Modified basic HTTP authenticator creator to accept realm.
> 
> To accommodate different authentication realms for the master and agent, the 
> default basic HTTP authenticator needs to accept its authentication realm as 
> a parameter. This patch adds this parameter and modifies the HTTP 
> authentication tests to validate it appropriately. A new test was also added: 
> `HttpAuthenticationTest.BasicWithoutRealm`.
> 
> 
> Diffs
> -----
> 
>   include/mesos/authentication/http/basic_authenticator_factory.hpp 
> c11bb47c8e02f2e8645cf387d18eb64d1c8cb604 
>   src/authentication/http/basic_authenticator_factory.cpp 
> 62f851685db3b42c52bbcb7cff3e4f4703004ed7 
>   src/examples/test_http_authenticator_module.cpp 
> 459b7046bd76d3043d2484a2dd30c10d7deaedd4 
>   src/master/master.cpp e6290ea686ccf17813d6faeaf2f2012f79cf3b7f 
>   src/tests/http_authentication_tests.cpp 
> cf2bb762272fa38e04e5c26aef2858300bbd0459 
> 
> Diff: https://reviews.apache.org/r/44678/diff/
> 
> 
> Testing
> -------
> 
> HTTP authentication tests were updated to pass the authentication realm to 
> the basic HTTP authenticator, and to adhere to the new credentials format in 
> the module parameters. A new test was also added: 
> `HttpAuthenticationTest.BasicWithoutRealm`
> 
> `make check` was used to test on both OSX and CentOS 7.
> 
> 
> Thanks,
> 
> Greg Mann
> 
>

Reply via email to