Re: Review Request 34566: Adding H2 management console.
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/#review86718 --- Ship it! Master (ed4415c) is green with this patch. ./build-support/jenkins/build.sh I will refresh this build result if you post a review containing @ReviewBot retry - Aurora ReviewBot On June 4, 2015, 8:56 p.m., Maxim Khutornenko wrote: --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/ --- (Updated June 4, 2015, 8:56 p.m.) Review request for Aurora, Joshua Cohen and Kevin Sweeney. Bugs: AURORA-1287 https://issues.apache.org/jira/browse/AURORA-1287 Repository: aurora Description --- Adding support for connecting to H2 DB via management console: http://www.h2database.com/html/quickstart.html The H2 console servlet is put behind Shiro. Users are expected to have `h2_management_console` permission or be a member of admin role to access the console. Vagrant example JDBC URL: jdbc:h2:mem:aurora Diffs - src/main/java/org/apache/aurora/scheduler/http/H2ConsoleModule.java PRE-CREATION src/main/java/org/apache/aurora/scheduler/http/JettyServerModule.java 16515f6ce4518e0d7eec27dfcde6fe036ee05d1d src/main/java/org/apache/aurora/scheduler/http/api/security/ApiSecurityModule.java 079ff5d2c30cc94bf4aef97cd4d791d480ebeab9 src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroIniParser.java 0163ba1a6df647a644948a42f772bd838c2146ef src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosAuthenticationFilter.java 28e6b98b39a073251bfae483575edd9635ae783a src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosPermissiveAuthenticationFilter.java PRE-CREATION src/test/java/org/apache/aurora/scheduler/http/H2ConsoleModuleIT.java PRE-CREATION src/test/java/org/apache/aurora/scheduler/http/api/security/ApiSecurityIT.java 6743d06be828247b1c3a232aea145b0a0c492eca src/test/java/org/apache/aurora/scheduler/http/api/security/ShiroAuthorizingParamInterceptorTest.java 33783c88b7c6c1a7343f3271523a7db39c73e4a1 src/test/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosAuthenticationFilterTest.java e335a439a6ccc301cf7c93e138c90660fbfdc6d0 src/test/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosPermissiveAuthenticationFilterTest.java PRE-CREATION src/test/sh/org/apache/aurora/e2e/test_kerberos_end_to_end.sh 6e9e3b2a8d731e51d0d55d0a5075b6d2d51a02ac Diff: https://reviews.apache.org/r/34566/diff/ Testing --- ./gradlew -Pq build ./src/test/sh/org/apache/aurora/e2e/test_kerberos_end_to_end.sh Connecting to H2 in Vagrant. Thanks, Maxim Khutornenko
Re: Review Request 34566: Adding H2 management console.
On June 4, 2015, 8:12 p.m., Kevin Sweeney wrote: src/test/java/org/apache/aurora/scheduler/http/H2ConsoleModuleIT.java, line 37 https://reviews.apache.org/r/34566/diff/3/?file=979284#file979284line37 Use a MediaType constant here. Done. On June 4, 2015, 8:12 p.m., Kevin Sweeney wrote: src/main/java/org/apache/aurora/scheduler/http/api/security/ApiSecurityModule.java, line 128 https://reviews.apache.org/r/34566/diff/3/?file=979280#file979280line128 Either static import the above API_PATH or qualify H2_PATH, but please use a consistent style. Done. - Maxim --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/#review86710 --- On June 4, 2015, 7:31 p.m., Maxim Khutornenko wrote: --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/ --- (Updated June 4, 2015, 7:31 p.m.) Review request for Aurora, Joshua Cohen and Kevin Sweeney. Bugs: AURORA-1287 https://issues.apache.org/jira/browse/AURORA-1287 Repository: aurora Description --- Adding support for connecting to H2 DB via management console: http://www.h2database.com/html/quickstart.html The H2 console servlet is put behind Shiro. Users are expected to have `h2_management_console` permission or be a member of admin role to access the console. Vagrant example JDBC URL: jdbc:h2:mem:aurora Diffs - src/main/java/org/apache/aurora/scheduler/http/H2ConsoleModule.java PRE-CREATION src/main/java/org/apache/aurora/scheduler/http/JettyServerModule.java 16515f6ce4518e0d7eec27dfcde6fe036ee05d1d src/main/java/org/apache/aurora/scheduler/http/api/security/ApiSecurityModule.java 079ff5d2c30cc94bf4aef97cd4d791d480ebeab9 src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroIniParser.java 0163ba1a6df647a644948a42f772bd838c2146ef src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosAuthenticationFilter.java 28e6b98b39a073251bfae483575edd9635ae783a src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosPermissiveAuthenticationFilter.java PRE-CREATION src/test/java/org/apache/aurora/scheduler/http/H2ConsoleModuleIT.java PRE-CREATION src/test/java/org/apache/aurora/scheduler/http/api/security/ApiSecurityIT.java 6743d06be828247b1c3a232aea145b0a0c492eca src/test/java/org/apache/aurora/scheduler/http/api/security/ShiroAuthorizingParamInterceptorTest.java 33783c88b7c6c1a7343f3271523a7db39c73e4a1 src/test/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosAuthenticationFilterTest.java e335a439a6ccc301cf7c93e138c90660fbfdc6d0 src/test/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosPermissiveAuthenticationFilterTest.java PRE-CREATION src/test/sh/org/apache/aurora/e2e/test_kerberos_end_to_end.sh 6e9e3b2a8d731e51d0d55d0a5075b6d2d51a02ac Diff: https://reviews.apache.org/r/34566/diff/ Testing --- ./gradlew -Pq build ./src/test/sh/org/apache/aurora/e2e/test_kerberos_end_to_end.sh Connecting to H2 in Vagrant. Thanks, Maxim Khutornenko
Re: Review Request 34566: Adding H2 management console.
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/ --- (Updated June 4, 2015, 8:56 p.m.) Review request for Aurora, Joshua Cohen and Kevin Sweeney. Changes --- comment typo Bugs: AURORA-1287 https://issues.apache.org/jira/browse/AURORA-1287 Repository: aurora Description --- Adding support for connecting to H2 DB via management console: http://www.h2database.com/html/quickstart.html The H2 console servlet is put behind Shiro. Users are expected to have `h2_management_console` permission or be a member of admin role to access the console. Vagrant example JDBC URL: jdbc:h2:mem:aurora Diffs (updated) - src/main/java/org/apache/aurora/scheduler/http/H2ConsoleModule.java PRE-CREATION src/main/java/org/apache/aurora/scheduler/http/JettyServerModule.java 16515f6ce4518e0d7eec27dfcde6fe036ee05d1d src/main/java/org/apache/aurora/scheduler/http/api/security/ApiSecurityModule.java 079ff5d2c30cc94bf4aef97cd4d791d480ebeab9 src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroIniParser.java 0163ba1a6df647a644948a42f772bd838c2146ef src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosAuthenticationFilter.java 28e6b98b39a073251bfae483575edd9635ae783a src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosPermissiveAuthenticationFilter.java PRE-CREATION src/test/java/org/apache/aurora/scheduler/http/H2ConsoleModuleIT.java PRE-CREATION src/test/java/org/apache/aurora/scheduler/http/api/security/ApiSecurityIT.java 6743d06be828247b1c3a232aea145b0a0c492eca src/test/java/org/apache/aurora/scheduler/http/api/security/ShiroAuthorizingParamInterceptorTest.java 33783c88b7c6c1a7343f3271523a7db39c73e4a1 src/test/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosAuthenticationFilterTest.java e335a439a6ccc301cf7c93e138c90660fbfdc6d0 src/test/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosPermissiveAuthenticationFilterTest.java PRE-CREATION src/test/sh/org/apache/aurora/e2e/test_kerberos_end_to_end.sh 6e9e3b2a8d731e51d0d55d0a5075b6d2d51a02ac Diff: https://reviews.apache.org/r/34566/diff/ Testing --- ./gradlew -Pq build ./src/test/sh/org/apache/aurora/e2e/test_kerberos_end_to_end.sh Connecting to H2 in Vagrant. Thanks, Maxim Khutornenko
Re: Review Request 34566: Adding H2 management console.
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/#review86706 --- Ship it! Master (ed4415c) is green with this patch. ./build-support/jenkins/build.sh I will refresh this build result if you post a review containing @ReviewBot retry - Aurora ReviewBot On June 4, 2015, 7:31 p.m., Maxim Khutornenko wrote: --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/ --- (Updated June 4, 2015, 7:31 p.m.) Review request for Aurora, Joshua Cohen and Kevin Sweeney. Bugs: AURORA-1287 https://issues.apache.org/jira/browse/AURORA-1287 Repository: aurora Description --- Adding support for connecting to H2 DB via management console: http://www.h2database.com/html/quickstart.html The H2 console servlet is put behind Shiro. Users are expected to have `h2_management_console` permission or be a member of admin role to access the console. Vagrant example JDBC URL: jdbc:h2:mem:aurora Diffs - src/main/java/org/apache/aurora/scheduler/http/H2ConsoleModule.java PRE-CREATION src/main/java/org/apache/aurora/scheduler/http/JettyServerModule.java 16515f6ce4518e0d7eec27dfcde6fe036ee05d1d src/main/java/org/apache/aurora/scheduler/http/api/security/ApiSecurityModule.java 079ff5d2c30cc94bf4aef97cd4d791d480ebeab9 src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroIniParser.java 0163ba1a6df647a644948a42f772bd838c2146ef src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosAuthenticationFilter.java 28e6b98b39a073251bfae483575edd9635ae783a src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosPermissiveAuthenticationFilter.java PRE-CREATION src/test/java/org/apache/aurora/scheduler/http/H2ConsoleModuleIT.java PRE-CREATION src/test/java/org/apache/aurora/scheduler/http/api/security/ApiSecurityIT.java 6743d06be828247b1c3a232aea145b0a0c492eca src/test/java/org/apache/aurora/scheduler/http/api/security/ShiroAuthorizingParamInterceptorTest.java 33783c88b7c6c1a7343f3271523a7db39c73e4a1 src/test/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosAuthenticationFilterTest.java e335a439a6ccc301cf7c93e138c90660fbfdc6d0 src/test/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosPermissiveAuthenticationFilterTest.java PRE-CREATION src/test/sh/org/apache/aurora/e2e/test_kerberos_end_to_end.sh 6e9e3b2a8d731e51d0d55d0a5075b6d2d51a02ac Diff: https://reviews.apache.org/r/34566/diff/ Testing --- ./gradlew -Pq build ./src/test/sh/org/apache/aurora/e2e/test_kerberos_end_to_end.sh Connecting to H2 in Vagrant. Thanks, Maxim Khutornenko
Re: Review Request 34566: Adding H2 management console.
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/#review86710 --- Ship it! Looks good, only style nits src/main/java/org/apache/aurora/scheduler/http/api/security/ApiSecurityModule.java https://reviews.apache.org/r/34566/#comment138773 Either static import the above API_PATH or qualify H2_PATH, but please use a consistent style. src/test/java/org/apache/aurora/scheduler/http/H2ConsoleModuleIT.java https://reviews.apache.org/r/34566/#comment138774 Use a MediaType constant here. - Kevin Sweeney On June 4, 2015, 12:31 p.m., Maxim Khutornenko wrote: --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/ --- (Updated June 4, 2015, 12:31 p.m.) Review request for Aurora, Joshua Cohen and Kevin Sweeney. Bugs: AURORA-1287 https://issues.apache.org/jira/browse/AURORA-1287 Repository: aurora Description --- Adding support for connecting to H2 DB via management console: http://www.h2database.com/html/quickstart.html The H2 console servlet is put behind Shiro. Users are expected to have `h2_management_console` permission or be a member of admin role to access the console. Vagrant example JDBC URL: jdbc:h2:mem:aurora Diffs - src/main/java/org/apache/aurora/scheduler/http/H2ConsoleModule.java PRE-CREATION src/main/java/org/apache/aurora/scheduler/http/JettyServerModule.java 16515f6ce4518e0d7eec27dfcde6fe036ee05d1d src/main/java/org/apache/aurora/scheduler/http/api/security/ApiSecurityModule.java 079ff5d2c30cc94bf4aef97cd4d791d480ebeab9 src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroIniParser.java 0163ba1a6df647a644948a42f772bd838c2146ef src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosAuthenticationFilter.java 28e6b98b39a073251bfae483575edd9635ae783a src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosPermissiveAuthenticationFilter.java PRE-CREATION src/test/java/org/apache/aurora/scheduler/http/H2ConsoleModuleIT.java PRE-CREATION src/test/java/org/apache/aurora/scheduler/http/api/security/ApiSecurityIT.java 6743d06be828247b1c3a232aea145b0a0c492eca src/test/java/org/apache/aurora/scheduler/http/api/security/ShiroAuthorizingParamInterceptorTest.java 33783c88b7c6c1a7343f3271523a7db39c73e4a1 src/test/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosAuthenticationFilterTest.java e335a439a6ccc301cf7c93e138c90660fbfdc6d0 src/test/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosPermissiveAuthenticationFilterTest.java PRE-CREATION src/test/sh/org/apache/aurora/e2e/test_kerberos_end_to_end.sh 6e9e3b2a8d731e51d0d55d0a5075b6d2d51a02ac Diff: https://reviews.apache.org/r/34566/diff/ Testing --- ./gradlew -Pq build ./src/test/sh/org/apache/aurora/e2e/test_kerberos_end_to_end.sh Connecting to H2 in Vagrant. Thanks, Maxim Khutornenko
Re: Review Request 34566: Adding H2 management console.
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/#review86634 --- src/main/java/org/apache/aurora/scheduler/http/api/security/ApiSecurityModule.java https://reviews.apache.org/r/34566/#comment138681 Do you foresee us exposing other authorized servlets in this manner? If so, how does this scale in those cases? Might it make sense to extract something that can act on a set of servlet/auth configuration rather than explicitly listing each servlet for each switch case? A TODO acknowledging that we'd want to address if/when we add more is probably fine for now. src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosAuthenticationFilter.java https://reviews.apache.org/r/34566/#comment138682 Why don't need this anymore? src/test/java/org/apache/aurora/scheduler/http/H2ConsoleModuleIT.java https://reviews.apache.org/r/34566/#comment138689 Use constant for this? assertEquals(ClientResponse.Status.OK.getStatusCode(), response.getStatus()) src/test/java/org/apache/aurora/scheduler/http/api/security/ApiSecurityIT.java https://reviews.apache.org/r/34566/#comment138690 Same here and below. - Joshua Cohen On June 3, 2015, 10:08 p.m., Maxim Khutornenko wrote: --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/ --- (Updated June 3, 2015, 10:08 p.m.) Review request for Aurora, Joshua Cohen and Kevin Sweeney. Bugs: AURORA-1287 https://issues.apache.org/jira/browse/AURORA-1287 Repository: aurora Description --- Adding support for connecting to H2 DB via management console: http://www.h2database.com/html/quickstart.html The H2 console servlet is put behind Shiro. Users are expected to have `h2_management_console` permission or be a member of admin role to access the console. Vagrant example JDBC URL: jdbc:h2:mem:aurora Diffs - src/main/java/org/apache/aurora/scheduler/http/H2ConsoleModule.java PRE-CREATION src/main/java/org/apache/aurora/scheduler/http/JettyServerModule.java 16515f6ce4518e0d7eec27dfcde6fe036ee05d1d src/main/java/org/apache/aurora/scheduler/http/api/security/ApiSecurityModule.java 079ff5d2c30cc94bf4aef97cd4d791d480ebeab9 src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroIniParser.java 0163ba1a6df647a644948a42f772bd838c2146ef src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosAuthenticationFilter.java 28e6b98b39a073251bfae483575edd9635ae783a src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosPermissiveAuthenticationFilter.java PRE-CREATION src/test/java/org/apache/aurora/scheduler/http/H2ConsoleModuleIT.java PRE-CREATION src/test/java/org/apache/aurora/scheduler/http/api/security/ApiSecurityIT.java 6743d06be828247b1c3a232aea145b0a0c492eca src/test/java/org/apache/aurora/scheduler/http/api/security/ShiroAuthorizingParamInterceptorTest.java 33783c88b7c6c1a7343f3271523a7db39c73e4a1 src/test/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosAuthenticationFilterTest.java e335a439a6ccc301cf7c93e138c90660fbfdc6d0 src/test/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosPermissiveAuthenticationFilterTest.java PRE-CREATION src/test/sh/org/apache/aurora/e2e/test_kerberos_end_to_end.sh 6e9e3b2a8d731e51d0d55d0a5075b6d2d51a02ac Diff: https://reviews.apache.org/r/34566/diff/ Testing --- ./gradlew -Pq build ./src/test/sh/org/apache/aurora/e2e/test_kerberos_end_to_end.sh Connecting to H2 in Vagrant. Thanks, Maxim Khutornenko
Re: Review Request 34566: Adding H2 management console.
On June 4, 2015, 4:36 p.m., Joshua Cohen wrote: src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosAuthenticationFilter.java, lines 78-80 https://reviews.apache.org/r/34566/diff/2/?file=977711#file977711line78 Why don't need this anymore? Er, ignore this, I meant to delete after I read through the rest of the diff ;). - Joshua --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/#review86634 --- On June 3, 2015, 10:08 p.m., Maxim Khutornenko wrote: --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/ --- (Updated June 3, 2015, 10:08 p.m.) Review request for Aurora, Joshua Cohen and Kevin Sweeney. Bugs: AURORA-1287 https://issues.apache.org/jira/browse/AURORA-1287 Repository: aurora Description --- Adding support for connecting to H2 DB via management console: http://www.h2database.com/html/quickstart.html The H2 console servlet is put behind Shiro. Users are expected to have `h2_management_console` permission or be a member of admin role to access the console. Vagrant example JDBC URL: jdbc:h2:mem:aurora Diffs - src/main/java/org/apache/aurora/scheduler/http/H2ConsoleModule.java PRE-CREATION src/main/java/org/apache/aurora/scheduler/http/JettyServerModule.java 16515f6ce4518e0d7eec27dfcde6fe036ee05d1d src/main/java/org/apache/aurora/scheduler/http/api/security/ApiSecurityModule.java 079ff5d2c30cc94bf4aef97cd4d791d480ebeab9 src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroIniParser.java 0163ba1a6df647a644948a42f772bd838c2146ef src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosAuthenticationFilter.java 28e6b98b39a073251bfae483575edd9635ae783a src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosPermissiveAuthenticationFilter.java PRE-CREATION src/test/java/org/apache/aurora/scheduler/http/H2ConsoleModuleIT.java PRE-CREATION src/test/java/org/apache/aurora/scheduler/http/api/security/ApiSecurityIT.java 6743d06be828247b1c3a232aea145b0a0c492eca src/test/java/org/apache/aurora/scheduler/http/api/security/ShiroAuthorizingParamInterceptorTest.java 33783c88b7c6c1a7343f3271523a7db39c73e4a1 src/test/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosAuthenticationFilterTest.java e335a439a6ccc301cf7c93e138c90660fbfdc6d0 src/test/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosPermissiveAuthenticationFilterTest.java PRE-CREATION src/test/sh/org/apache/aurora/e2e/test_kerberos_end_to_end.sh 6e9e3b2a8d731e51d0d55d0a5075b6d2d51a02ac Diff: https://reviews.apache.org/r/34566/diff/ Testing --- ./gradlew -Pq build ./src/test/sh/org/apache/aurora/e2e/test_kerberos_end_to_end.sh Connecting to H2 in Vagrant. Thanks, Maxim Khutornenko
Re: Review Request 34566: Adding H2 management console.
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/ --- (Updated June 3, 2015, 10:08 p.m.) Review request for Aurora, Joshua Cohen and Kevin Sweeney. Changes --- Implementing H2 console via servlet behind Shiro. Bugs: AURORA-1287 https://issues.apache.org/jira/browse/AURORA-1287 Repository: aurora Description (updated) --- Adding support for connecting to H2 DB via management console: http://www.h2database.com/html/quickstart.html The H2 console servlet is put behind Shiro. Users are expected to have `h2_management_console` permission or be a member of admin role to access the console. Vagrant example JDBC URL: jdbc:h2:mem:aurora Diffs (updated) - src/main/java/org/apache/aurora/scheduler/http/H2ConsoleModule.java PRE-CREATION src/main/java/org/apache/aurora/scheduler/http/JettyServerModule.java 16515f6ce4518e0d7eec27dfcde6fe036ee05d1d src/main/java/org/apache/aurora/scheduler/http/api/security/ApiSecurityModule.java 079ff5d2c30cc94bf4aef97cd4d791d480ebeab9 src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroIniParser.java 0163ba1a6df647a644948a42f772bd838c2146ef src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosAuthenticationFilter.java 28e6b98b39a073251bfae483575edd9635ae783a src/main/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosPermissiveAuthenticationFilter.java PRE-CREATION src/test/java/org/apache/aurora/scheduler/http/H2ConsoleModuleIT.java PRE-CREATION src/test/java/org/apache/aurora/scheduler/http/api/security/ApiSecurityIT.java 6743d06be828247b1c3a232aea145b0a0c492eca src/test/java/org/apache/aurora/scheduler/http/api/security/ShiroAuthorizingParamInterceptorTest.java 33783c88b7c6c1a7343f3271523a7db39c73e4a1 src/test/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosAuthenticationFilterTest.java e335a439a6ccc301cf7c93e138c90660fbfdc6d0 src/test/java/org/apache/aurora/scheduler/http/api/security/ShiroKerberosPermissiveAuthenticationFilterTest.java PRE-CREATION src/test/sh/org/apache/aurora/e2e/test_kerberos_end_to_end.sh 6e9e3b2a8d731e51d0d55d0a5075b6d2d51a02ac Diff: https://reviews.apache.org/r/34566/diff/ Testing (updated) --- ./gradlew -Pq build ./src/test/sh/org/apache/aurora/e2e/test_kerberos_end_to_end.sh Connecting to H2 in Vagrant. Thanks, Maxim Khutornenko
Re: Review Request 34566: Adding H2 management console.
On May 21, 2015, 11:34 p.m., Kevin Sweeney wrote: Have you investigated using the [Console Servlet](http://www.h2database.com/html/tutorial.html) directly? Then we can use the Shiro filter directly and avoid adding another mechanism to configure security as well as avoid adding another listening port. Maxim Khutornenko wrote: That's what I run locally to connect to H2 TCP server. Embedding H2 console directly into the scheduler would not help as it does not support any other security mechanisms besides basic auth (AFAICT). Theoretically, we could put TCP server behind Shiro but then we would face the same problem of client not supporting kerberos. Kevin Sweeney wrote: I might be missing something here. You're connecting to a management console via a browser, right? The console servlet doesn't need to know anything about the filters in front of it, so if your browser supports whatever auth mechanism the filter requires you're in business. If you've got the servlet setup somewhere with ```java serve(/h2console/*).with(H2Console.class); ``` somewhere you can add something like ```java install(ShiroWebModule.guiceFilter(/h2console/*); addFilterChain(/h2console/**, ShiroWebModule.NO_SESSION_CREATION, ShiroWebModule.AUTHC_BASIC, config(ShiroWebModule.PERMS, h2:console)); ``` to `ApiSecurityModule` and users can login with their existing credentials, and configure ACLs around `h2:console` in the same way as they configure all other ACLs. Why introduce another way to do it? Maxim Khutornenko wrote: The servlet is hosted within the browser but it still connects to the TCP server that we have to expose for it to connect to. So, the way it works now (referring to the boxes in http://www.h2database.com/html/tutorial.html): a. Web Browser: loads a servlet UI, which has Connect button to connect to the TCP server; b. H2 console server: that's the TCP server endpoint (in DBModule) that proxies requests from the servlet to the H2; c. H2: our in-memory DB I guess we could potentially embed (a) into scheduler (subject to verificaiont) and hide it behind Shiro. However, it would still have to connect to a TCP endpoint (b), so we would also need to add Shiro there as well. The problem (as I see it) is how to relay credentials from (a) to (b) as servlet opens its own connection to talk to (b) where kerberos headers will not be available. Why introduce another way to do it? No reason at all. I hate dealing with DB credentials, just don't see a way to make it work without hacking into the servlet itself. Maxim Khutornenko wrote: AFAICT, there are only two ways to connect to the H2 DB: AUTO_SERVER and TCP server. I explored the AUTO_SERVER earlier but unfortunately it does not work for in-memory DBs (http://h2database.com/html/features.html#auto_mixed_mode): Multiple processes can access the same database without having to start the server manually. To do that, append ;AUTO_SERVER=TRUE to the database URL. You can use the same database URL independent of whether the database is already open or not. This feature doesn't work with in-memory databases. So, all we left with is a H2 dedicated server instance. Maxim Khutornenko wrote: Actually, looking at their sources it appears that WebServlet creates its own WebServer instance, which in turn may serve the WebApp. This is promising. Will give it a try and report back. Thanks for the nudge. The servlet works just fine in embedded mode against in-memory DB (contrary to what I read elsewhere). I had some concerns about the servlet creating its own instance of WebServer (as that would easily bypass our security model) but turned out it's being used to serve content within the servlet web context. Even though a new http port is assigned, it's not being backed up by the native socket and not accepting connections. Now to figure out how to wire in Shiro filters... - Maxim --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/#review84823 --- On May 21, 2015, 9:15 p.m., Maxim Khutornenko wrote: --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/ --- (Updated May 21, 2015, 9:15 p.m.) Review request for Aurora, Joshua Cohen and Kevin Sweeney. Bugs: AURORA-1287 https://issues.apache.org/jira/browse/AURORA-1287 Repository: aurora Description --- Adding support for connecting to H2 DB via management console: http://www.h2database.com/html/quickstart.html
Re: Review Request 34566: Adding H2 management console.
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/#review84794 --- Ship it! Master (998993d) is green with this patch. ./build-support/jenkins/build.sh I will refresh this build result if you post a review containing @ReviewBot retry - Aurora ReviewBot On May 21, 2015, 9:15 p.m., Maxim Khutornenko wrote: --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/ --- (Updated May 21, 2015, 9:15 p.m.) Review request for Aurora, Joshua Cohen and Kevin Sweeney. Bugs: AURORA-1287 https://issues.apache.org/jira/browse/AURORA-1287 Repository: aurora Description --- Adding support for connecting to H2 DB via management console: http://www.h2database.com/html/quickstart.html The DB turns on basic authentication when a -db_authentication_file is provided (similar to -framework_authentication_file). The TCP server is then started to proxy H2 management console requests. Vagrant example URL: jdbc:h2:tcp://192.168.33.7:9092/mem:aurora Diffs - config/legacy_untested_classes.txt f50b812459bd6b59d1a03e6814caa2daae133fe9 examples/vagrant/provision-dev-cluster.sh 853ccac35f2befa31716a9ed686df650cd913c90 examples/vagrant/upstart/aurora-scheduler-kerberos.conf 414539b1917b5d33c577f1539575934c7f7c8167 examples/vagrant/upstart/aurora-scheduler.conf f4b867cbbcdbcc792518c2f90807834e47dce253 src/main/java/org/apache/aurora/SecurityUtils.java PRE-CREATION src/main/java/org/apache/aurora/scheduler/mesos/CommandLineDriverSettingsModule.java 54608c8f819b65186ea0d000fc01b9538d5cb4ee src/main/java/org/apache/aurora/scheduler/storage/db/DbModule.java 436d3841b9361df4db98a2217e61abb95e6e6bab src/test/java/org/apache/aurora/scheduler/mesos/CommandLineDriverSettingsModuleTest.java 9e176882246b48ac87bf35c77ac8c449a0a53352 Diff: https://reviews.apache.org/r/34566/diff/ Testing --- ./gradlew -Pq build Connecting to H2 in Vagrant. Thanks, Maxim Khutornenko
Re: Review Request 34566: Adding H2 management console.
--- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/#review84821 --- Might be worth adding tests for the conditional startup of the admin server (if it's feasible to do so?). If not, would it be worth adding an e2e test that we can connect to it? src/main/java/org/apache/aurora/scheduler/storage/db/DbModule.java https://reviews.apache.org/r/34566/#comment136217 nit: s/TCP/database TCP I might go one step further and say database admin TCP server - Joshua Cohen On May 21, 2015, 9:15 p.m., Maxim Khutornenko wrote: --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/ --- (Updated May 21, 2015, 9:15 p.m.) Review request for Aurora, Joshua Cohen and Kevin Sweeney. Bugs: AURORA-1287 https://issues.apache.org/jira/browse/AURORA-1287 Repository: aurora Description --- Adding support for connecting to H2 DB via management console: http://www.h2database.com/html/quickstart.html The DB turns on basic authentication when a -db_authentication_file is provided (similar to -framework_authentication_file). The TCP server is then started to proxy H2 management console requests. Vagrant example URL: jdbc:h2:tcp://192.168.33.7:9092/mem:aurora Diffs - config/legacy_untested_classes.txt f50b812459bd6b59d1a03e6814caa2daae133fe9 examples/vagrant/provision-dev-cluster.sh 853ccac35f2befa31716a9ed686df650cd913c90 examples/vagrant/upstart/aurora-scheduler-kerberos.conf 414539b1917b5d33c577f1539575934c7f7c8167 examples/vagrant/upstart/aurora-scheduler.conf f4b867cbbcdbcc792518c2f90807834e47dce253 src/main/java/org/apache/aurora/SecurityUtils.java PRE-CREATION src/main/java/org/apache/aurora/scheduler/mesos/CommandLineDriverSettingsModule.java 54608c8f819b65186ea0d000fc01b9538d5cb4ee src/main/java/org/apache/aurora/scheduler/storage/db/DbModule.java 436d3841b9361df4db98a2217e61abb95e6e6bab src/test/java/org/apache/aurora/scheduler/mesos/CommandLineDriverSettingsModuleTest.java 9e176882246b48ac87bf35c77ac8c449a0a53352 Diff: https://reviews.apache.org/r/34566/diff/ Testing --- ./gradlew -Pq build Connecting to H2 in Vagrant. Thanks, Maxim Khutornenko
Re: Review Request 34566: Adding H2 management console.
On May 21, 2015, 11:34 p.m., Kevin Sweeney wrote: Have you investigated using the [Console Servlet](http://www.h2database.com/html/tutorial.html) directly? Then we can use the Shiro filter directly and avoid adding another mechanism to configure security as well as avoid adding another listening port. Maxim Khutornenko wrote: That's what I run locally to connect to H2 TCP server. Embedding H2 console directly into the scheduler would not help as it does not support any other security mechanisms besides basic auth (AFAICT). Theoretically, we could put TCP server behind Shiro but then we would face the same problem of client not supporting kerberos. Kevin Sweeney wrote: I might be missing something here. You're connecting to a management console via a browser, right? The console servlet doesn't need to know anything about the filters in front of it, so if your browser supports whatever auth mechanism the filter requires you're in business. If you've got the servlet setup somewhere with ```java serve(/h2console/*).with(H2Console.class); ``` somewhere you can add something like ```java install(ShiroWebModule.guiceFilter(/h2console/*); addFilterChain(/h2console/**, ShiroWebModule.NO_SESSION_CREATION, ShiroWebModule.AUTHC_BASIC, config(ShiroWebModule.PERMS, h2:console)); ``` to `ApiSecurityModule` and users can login with their existing credentials, and configure ACLs around `h2:console` in the same way as they configure all other ACLs. Why introduce another way to do it? Maxim Khutornenko wrote: The servlet is hosted within the browser but it still connects to the TCP server that we have to expose for it to connect to. So, the way it works now (referring to the boxes in http://www.h2database.com/html/tutorial.html): a. Web Browser: loads a servlet UI, which has Connect button to connect to the TCP server; b. H2 console server: that's the TCP server endpoint (in DBModule) that proxies requests from the servlet to the H2; c. H2: our in-memory DB I guess we could potentially embed (a) into scheduler (subject to verificaiont) and hide it behind Shiro. However, it would still have to connect to a TCP endpoint (b), so we would also need to add Shiro there as well. The problem (as I see it) is how to relay credentials from (a) to (b) as servlet opens its own connection to talk to (b) where kerberos headers will not be available. Why introduce another way to do it? No reason at all. I hate dealing with DB credentials, just don't see a way to make it work without hacking into the servlet itself. Maxim Khutornenko wrote: AFAICT, there are only two ways to connect to the H2 DB: AUTO_SERVER and TCP server. I explored the AUTO_SERVER earlier but unfortunately it does not work for in-memory DBs (http://h2database.com/html/features.html#auto_mixed_mode): Multiple processes can access the same database without having to start the server manually. To do that, append ;AUTO_SERVER=TRUE to the database URL. You can use the same database URL independent of whether the database is already open or not. This feature doesn't work with in-memory databases. So, all we left with is a H2 dedicated server instance. Actually, looking at their sources it appears that WebServlet creates its own WebServer instance, which in turn may serve the WebApp. This is promising. Will give it a try and report back. - Maxim --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/#review84823 --- On May 21, 2015, 9:15 p.m., Maxim Khutornenko wrote: --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/ --- (Updated May 21, 2015, 9:15 p.m.) Review request for Aurora, Joshua Cohen and Kevin Sweeney. Bugs: AURORA-1287 https://issues.apache.org/jira/browse/AURORA-1287 Repository: aurora Description --- Adding support for connecting to H2 DB via management console: http://www.h2database.com/html/quickstart.html The DB turns on basic authentication when a -db_authentication_file is provided (similar to -framework_authentication_file). The TCP server is then started to proxy H2 management console requests. Vagrant example URL: jdbc:h2:tcp://192.168.33.7:9092/mem:aurora Diffs - config/legacy_untested_classes.txt f50b812459bd6b59d1a03e6814caa2daae133fe9 examples/vagrant/provision-dev-cluster.sh 853ccac35f2befa31716a9ed686df650cd913c90 examples/vagrant/upstart/aurora-scheduler-kerberos.conf
Re: Review Request 34566: Adding H2 management console.
On May 21, 2015, 11:34 p.m., Kevin Sweeney wrote: Have you investigated using the [Console Servlet](http://www.h2database.com/html/tutorial.html) directly? Then we can use the Shiro filter directly and avoid adding another mechanism to configure security as well as avoid adding another listening port. Maxim Khutornenko wrote: That's what I run locally to connect to H2 TCP server. Embedding H2 console directly into the scheduler would not help as it does not support any other security mechanisms besides basic auth (AFAICT). Theoretically, we could put TCP server behind Shiro but then we would face the same problem of client not supporting kerberos. Kevin Sweeney wrote: I might be missing something here. You're connecting to a management console via a browser, right? The console servlet doesn't need to know anything about the filters in front of it, so if your browser supports whatever auth mechanism the filter requires you're in business. If you've got the servlet setup somewhere with ```java serve(/h2console/*).with(H2Console.class); ``` somewhere you can add something like ```java install(ShiroWebModule.guiceFilter(/h2console/*); addFilterChain(/h2console/**, ShiroWebModule.NO_SESSION_CREATION, ShiroWebModule.AUTHC_BASIC, config(ShiroWebModule.PERMS, h2:console)); ``` to `ApiSecurityModule` and users can login with their existing credentials, and configure ACLs around `h2:console` in the same way as they configure all other ACLs. Why introduce another way to do it? The servlet is hosted within the browser but it still connects to the TCP server that we have to expose for it to connect to. So, the way it works now (referring to the boxes in http://www.h2database.com/html/tutorial.html): a. Web Browser: loads a servlet UI, which has Connect button to connect to the TCP server; b. H2 console server: that's the TCP server endpoint (in DBModule) that proxies requests from the servlet to the H2; c. H2: our in-memory DB I guess we could potentially embed (a) into scheduler (subject to verificaiont) and hide it behind Shiro. However, it would still have to connect to a TCP endpoint (b), so we would also need to add Shiro there as well. The problem (as I see it) is how to relay credentials from (a) to (b) as servlet opens its own connection to talk to (b) where kerberos headers will not be available. Why introduce another way to do it? No reason at all. I hate dealing with DB credentials, just don't see a way to make it work without hacking into the servlet itself. - Maxim --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/#review84823 --- On May 21, 2015, 9:15 p.m., Maxim Khutornenko wrote: --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/ --- (Updated May 21, 2015, 9:15 p.m.) Review request for Aurora, Joshua Cohen and Kevin Sweeney. Bugs: AURORA-1287 https://issues.apache.org/jira/browse/AURORA-1287 Repository: aurora Description --- Adding support for connecting to H2 DB via management console: http://www.h2database.com/html/quickstart.html The DB turns on basic authentication when a -db_authentication_file is provided (similar to -framework_authentication_file). The TCP server is then started to proxy H2 management console requests. Vagrant example URL: jdbc:h2:tcp://192.168.33.7:9092/mem:aurora Diffs - config/legacy_untested_classes.txt f50b812459bd6b59d1a03e6814caa2daae133fe9 examples/vagrant/provision-dev-cluster.sh 853ccac35f2befa31716a9ed686df650cd913c90 examples/vagrant/upstart/aurora-scheduler-kerberos.conf 414539b1917b5d33c577f1539575934c7f7c8167 examples/vagrant/upstart/aurora-scheduler.conf f4b867cbbcdbcc792518c2f90807834e47dce253 src/main/java/org/apache/aurora/SecurityUtils.java PRE-CREATION src/main/java/org/apache/aurora/scheduler/mesos/CommandLineDriverSettingsModule.java 54608c8f819b65186ea0d000fc01b9538d5cb4ee src/main/java/org/apache/aurora/scheduler/storage/db/DbModule.java 436d3841b9361df4db98a2217e61abb95e6e6bab src/test/java/org/apache/aurora/scheduler/mesos/CommandLineDriverSettingsModuleTest.java 9e176882246b48ac87bf35c77ac8c449a0a53352 Diff: https://reviews.apache.org/r/34566/diff/ Testing --- ./gradlew -Pq build Connecting to H2 in Vagrant. Thanks, Maxim Khutornenko
Re: Review Request 34566: Adding H2 management console.
On May 21, 2015, 11:34 p.m., Kevin Sweeney wrote: Have you investigated using the [Console Servlet](http://www.h2database.com/html/tutorial.html) directly? Then we can use the Shiro filter directly and avoid adding another mechanism to configure security as well as avoid adding another listening port. That's what I run locally to connect to H2 TCP server. Embedding H2 console directly into the scheduler would not help as it does not support any other security mechanisms besides basic auth (AFAICT). Theoretically, we could put TCP server behind Shiro but then we would face the same problem of client not supporting kerberos. - Maxim --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/#review84823 --- On May 21, 2015, 9:15 p.m., Maxim Khutornenko wrote: --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/ --- (Updated May 21, 2015, 9:15 p.m.) Review request for Aurora, Joshua Cohen and Kevin Sweeney. Bugs: AURORA-1287 https://issues.apache.org/jira/browse/AURORA-1287 Repository: aurora Description --- Adding support for connecting to H2 DB via management console: http://www.h2database.com/html/quickstart.html The DB turns on basic authentication when a -db_authentication_file is provided (similar to -framework_authentication_file). The TCP server is then started to proxy H2 management console requests. Vagrant example URL: jdbc:h2:tcp://192.168.33.7:9092/mem:aurora Diffs - config/legacy_untested_classes.txt f50b812459bd6b59d1a03e6814caa2daae133fe9 examples/vagrant/provision-dev-cluster.sh 853ccac35f2befa31716a9ed686df650cd913c90 examples/vagrant/upstart/aurora-scheduler-kerberos.conf 414539b1917b5d33c577f1539575934c7f7c8167 examples/vagrant/upstart/aurora-scheduler.conf f4b867cbbcdbcc792518c2f90807834e47dce253 src/main/java/org/apache/aurora/SecurityUtils.java PRE-CREATION src/main/java/org/apache/aurora/scheduler/mesos/CommandLineDriverSettingsModule.java 54608c8f819b65186ea0d000fc01b9538d5cb4ee src/main/java/org/apache/aurora/scheduler/storage/db/DbModule.java 436d3841b9361df4db98a2217e61abb95e6e6bab src/test/java/org/apache/aurora/scheduler/mesos/CommandLineDriverSettingsModuleTest.java 9e176882246b48ac87bf35c77ac8c449a0a53352 Diff: https://reviews.apache.org/r/34566/diff/ Testing --- ./gradlew -Pq build Connecting to H2 in Vagrant. Thanks, Maxim Khutornenko
Re: Review Request 34566: Adding H2 management console.
On May 21, 2015, 4:34 p.m., Kevin Sweeney wrote: Have you investigated using the [Console Servlet](http://www.h2database.com/html/tutorial.html) directly? Then we can use the Shiro filter directly and avoid adding another mechanism to configure security as well as avoid adding another listening port. Maxim Khutornenko wrote: That's what I run locally to connect to H2 TCP server. Embedding H2 console directly into the scheduler would not help as it does not support any other security mechanisms besides basic auth (AFAICT). Theoretically, we could put TCP server behind Shiro but then we would face the same problem of client not supporting kerberos. I might be missing something here. You're connecting to a management console via a browser, right? The console servlet doesn't need to know anything about the filters in front of it, so if your browser supports whatever auth mechanism the filter requires you're in business. If you've got the servlet setup somewhere with ```java serve(/h2console/*).with(H2Console.class); ``` somewhere you can add something like ```java install(ShiroWebModule.guiceFilter(/h2console/*); addFilterChain(/h2console/**, ShiroWebModule.NO_SESSION_CREATION, ShiroWebModule.AUTHC_BASIC, config(ShiroWebModule.PERMS, h2:console)); ``` to `ApiSecurityModule` and users can login with their existing credentials, and configure ACLs around `h2:console` in the same way as they configure all other ACLs. Why introduce another way to do it? - Kevin --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/#review84823 --- On May 21, 2015, 2:15 p.m., Maxim Khutornenko wrote: --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/ --- (Updated May 21, 2015, 2:15 p.m.) Review request for Aurora, Joshua Cohen and Kevin Sweeney. Bugs: AURORA-1287 https://issues.apache.org/jira/browse/AURORA-1287 Repository: aurora Description --- Adding support for connecting to H2 DB via management console: http://www.h2database.com/html/quickstart.html The DB turns on basic authentication when a -db_authentication_file is provided (similar to -framework_authentication_file). The TCP server is then started to proxy H2 management console requests. Vagrant example URL: jdbc:h2:tcp://192.168.33.7:9092/mem:aurora Diffs - config/legacy_untested_classes.txt f50b812459bd6b59d1a03e6814caa2daae133fe9 examples/vagrant/provision-dev-cluster.sh 853ccac35f2befa31716a9ed686df650cd913c90 examples/vagrant/upstart/aurora-scheduler-kerberos.conf 414539b1917b5d33c577f1539575934c7f7c8167 examples/vagrant/upstart/aurora-scheduler.conf f4b867cbbcdbcc792518c2f90807834e47dce253 src/main/java/org/apache/aurora/SecurityUtils.java PRE-CREATION src/main/java/org/apache/aurora/scheduler/mesos/CommandLineDriverSettingsModule.java 54608c8f819b65186ea0d000fc01b9538d5cb4ee src/main/java/org/apache/aurora/scheduler/storage/db/DbModule.java 436d3841b9361df4db98a2217e61abb95e6e6bab src/test/java/org/apache/aurora/scheduler/mesos/CommandLineDriverSettingsModuleTest.java 9e176882246b48ac87bf35c77ac8c449a0a53352 Diff: https://reviews.apache.org/r/34566/diff/ Testing --- ./gradlew -Pq build Connecting to H2 in Vagrant. Thanks, Maxim Khutornenko
Re: Review Request 34566: Adding H2 management console.
On May 21, 2015, 11:34 p.m., Kevin Sweeney wrote: Have you investigated using the [Console Servlet](http://www.h2database.com/html/tutorial.html) directly? Then we can use the Shiro filter directly and avoid adding another mechanism to configure security as well as avoid adding another listening port. Maxim Khutornenko wrote: That's what I run locally to connect to H2 TCP server. Embedding H2 console directly into the scheduler would not help as it does not support any other security mechanisms besides basic auth (AFAICT). Theoretically, we could put TCP server behind Shiro but then we would face the same problem of client not supporting kerberos. Kevin Sweeney wrote: I might be missing something here. You're connecting to a management console via a browser, right? The console servlet doesn't need to know anything about the filters in front of it, so if your browser supports whatever auth mechanism the filter requires you're in business. If you've got the servlet setup somewhere with ```java serve(/h2console/*).with(H2Console.class); ``` somewhere you can add something like ```java install(ShiroWebModule.guiceFilter(/h2console/*); addFilterChain(/h2console/**, ShiroWebModule.NO_SESSION_CREATION, ShiroWebModule.AUTHC_BASIC, config(ShiroWebModule.PERMS, h2:console)); ``` to `ApiSecurityModule` and users can login with their existing credentials, and configure ACLs around `h2:console` in the same way as they configure all other ACLs. Why introduce another way to do it? Maxim Khutornenko wrote: The servlet is hosted within the browser but it still connects to the TCP server that we have to expose for it to connect to. So, the way it works now (referring to the boxes in http://www.h2database.com/html/tutorial.html): a. Web Browser: loads a servlet UI, which has Connect button to connect to the TCP server; b. H2 console server: that's the TCP server endpoint (in DBModule) that proxies requests from the servlet to the H2; c. H2: our in-memory DB I guess we could potentially embed (a) into scheduler (subject to verificaiont) and hide it behind Shiro. However, it would still have to connect to a TCP endpoint (b), so we would also need to add Shiro there as well. The problem (as I see it) is how to relay credentials from (a) to (b) as servlet opens its own connection to talk to (b) where kerberos headers will not be available. Why introduce another way to do it? No reason at all. I hate dealing with DB credentials, just don't see a way to make it work without hacking into the servlet itself. AFAICT, there are only two ways to connect to the H2 DB: AUTO_SERVER and TCP server. I explored the AUTO_SERVER earlier but unfortunately it does not work for in-memory DBs (http://h2database.com/html/features.html#auto_mixed_mode): Multiple processes can access the same database without having to start the server manually. To do that, append ;AUTO_SERVER=TRUE to the database URL. You can use the same database URL independent of whether the database is already open or not. This feature doesn't work with in-memory databases. So, all we left with is a H2 dedicated server instance. - Maxim --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/#review84823 --- On May 21, 2015, 9:15 p.m., Maxim Khutornenko wrote: --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/34566/ --- (Updated May 21, 2015, 9:15 p.m.) Review request for Aurora, Joshua Cohen and Kevin Sweeney. Bugs: AURORA-1287 https://issues.apache.org/jira/browse/AURORA-1287 Repository: aurora Description --- Adding support for connecting to H2 DB via management console: http://www.h2database.com/html/quickstart.html The DB turns on basic authentication when a -db_authentication_file is provided (similar to -framework_authentication_file). The TCP server is then started to proxy H2 management console requests. Vagrant example URL: jdbc:h2:tcp://192.168.33.7:9092/mem:aurora Diffs - config/legacy_untested_classes.txt f50b812459bd6b59d1a03e6814caa2daae133fe9 examples/vagrant/provision-dev-cluster.sh 853ccac35f2befa31716a9ed686df650cd913c90 examples/vagrant/upstart/aurora-scheduler-kerberos.conf 414539b1917b5d33c577f1539575934c7f7c8167 examples/vagrant/upstart/aurora-scheduler.conf f4b867cbbcdbcc792518c2f90807834e47dce253 src/main/java/org/apache/aurora/SecurityUtils.java PRE-CREATION