> On Feb. 25, 2017, 3:26 a.m., Greg Mann wrote: > > 3rdparty/libprocess/src/jwt_authenticator.cpp, lines 81-102 > > <https://reviews.apache.org/r/56753/diff/2/?file=1642463#file1642463line81> > > > > I was just discussing this claim with Vinod; let's leave it out of our > > implementation. We'd like to move toward a world where the new > > `AuthenticationContext` is first-class throughout the authN/authZ code, so > > that, for example, a scheduler could subscribe using a credential that > > resolves to an `AuthenticationContext` which contains claims, but no > > principal. In such a world, we would simply use the "sub" field as-is > > within the claims, with no need to translate it into the `principal` member.
Agreed. Though this has some consequences for the `SecretGenerator`, because it shouldn't map a `Principal::value` to a claim. Not sure yet, but if called with a `Principal` that has its `value` set, it should fail. But probably even better would be to change `SecretGenerator::generate` to accept a `map` of claims instead of `Principal`. - Jan ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/56753/#review166801 ----------------------------------------------------------- On Feb. 28, 2017, 2:36 p.m., Jan Schlicht wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/56753/ > ----------------------------------------------------------- > > (Updated Feb. 28, 2017, 2:36 p.m.) > > > Review request for mesos, Alexander Rojas and Greg Mann. > > > Bugs: MESOS-7001 > https://issues.apache.org/jira/browse/MESOS-7001 > > > Repository: mesos > > > Description > ------- > > This HTTP authenticator extracts a JWT from the requests' authorization > header using the 'Bearer' schema and validates it against a secret using > HMAC SHA256. The 'sub' claim of the JWT is the extracted principal, all > other claims will be additional labels of the 'AuthenticationContext'. > > > Diffs > ----- > > 3rdparty/libprocess/Makefile.am 75386184108214e67a58c328258ec204099d638c > 3rdparty/libprocess/include/process/authenticator.hpp > e5489c6cb4adc8a822e7dd4515542618c36136f9 > 3rdparty/libprocess/src/authenticator.cpp > cfedb6f7674e0f6690e77a633cdd1bd494c7d2c7 > 3rdparty/libprocess/src/jwt_authenticator.cpp PRE-CREATION > 3rdparty/libprocess/src/tests/http_tests.cpp > fb4da9aecff0370d97a15269c5d8fffb30e0478f > > Diff: https://reviews.apache.org/r/56753/diff/ > > > Testing > ------- > > make check > > > Thanks, > > Jan Schlicht > >
