[jira] [Commented] (MESOS-5343) Behavior of custom HTTP authenticators with disabled HTTP authentication is inconsistent between master and agent
[
https://issues.apache.org/jira/browse/MESOS-5343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15376612#comment-15376612
]
Benjamin Bannier commented on MESOS-5343:
-
[~adam-mesos]: I do not plan to spend a lot of time on this in the next week. I
published a RR for enforcing the existing agent flag semantics also in the
master,
https://reviews.apache.org/r/50024/
but before this can be committed we will need to spend some time cleaning up
tests.
Currently we specify e.g., master {{credentials}}, often pretty low in the
testing infrastructure, but do not enable authn in all cases. Having default
credentials is useful, but so is being able to test code paths not using authn.
We will need to decide on a case by case basis what behavior a test should have
before changing it.
> Behavior of custom HTTP authenticators with disabled HTTP authentication is
> inconsistent between master and agent
> -
>
> Key: MESOS-5343
> URL: https://issues.apache.org/jira/browse/MESOS-5343
> Project: Mesos
> Issue Type: Bug
>Affects Versions: 1.0.0
>Reporter: Benjamin Bannier
>Assignee: Benjamin Bannier
>Priority: Minor
> Labels: mesosphere, security
>
> When setting a custom authenticator with {{http_authenticators}} and also
> specifying {{authenticate_http=false}} currently agents refuse to start with
> {code}
> A custom HTTP authenticator was specified with the '--http_authenticators'
> flag, but HTTP authentication was not enabled via '--authenticate_http'
> {code}
> Masters on the other hand accept this setting.
> Having differing behavior between master and agents is confusing, and we
> should decide on whether we want to accept these settings or not, and make
> the implementations consistent.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (MESOS-5343) Behavior of custom HTTP authenticators with disabled HTTP authentication is inconsistent between master and agent
[
https://issues.apache.org/jira/browse/MESOS-5343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15376023#comment-15376023
]
Adam B commented on MESOS-5343:
---
[~bbannier], Are you still working on this? It'd be nice to pull this into a
1.0-rc3 if we have one, but it's not a release blocker.
Please let me know as soon as there's a RR for me to look at.
> Behavior of custom HTTP authenticators with disabled HTTP authentication is
> inconsistent between master and agent
> -
>
> Key: MESOS-5343
> URL: https://issues.apache.org/jira/browse/MESOS-5343
> Project: Mesos
> Issue Type: Bug
>Affects Versions: 1.0.0
>Reporter: Benjamin Bannier
>Assignee: Benjamin Bannier
>Priority: Minor
> Labels: mesosphere, security
>
> When setting a custom authenticator with {{http_authenticators}} and also
> specifying {{authenticate_http=false}} currently agents refuse to start with
> {code}
> A custom HTTP authenticator was specified with the '--http_authenticators'
> flag, but HTTP authentication was not enabled via '--authenticate_http'
> {code}
> Masters on the other hand accept this setting.
> Having differing behavior between master and agents is confusing, and we
> should decide on whether we want to accept these settings or not, and make
> the implementations consistent.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (MESOS-5343) Behavior of custom HTTP authenticators with disabled HTTP authentication is inconsistent between master and agent
[
https://issues.apache.org/jira/browse/MESOS-5343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15366054#comment-15366054
]
Benjamin Bannier commented on MESOS-5343:
-
Had a brief stab at this. Aligning the master with the agent behavior does
require at least two changes:
1) just copying the agent authn flag validation code to the master, and
2) fix all tests setting these master flags inconsistently.
1) is trivial, while 2) might require either adjusting default flags used in
fixtures, or making tests authn-aware, all on a case-by-case basis. I updated
this ticket with a (rather ambitious) estimate reflecting that complexity.
> Behavior of custom HTTP authenticators with disabled HTTP authentication is
> inconsistent between master and agent
> -
>
> Key: MESOS-5343
> URL: https://issues.apache.org/jira/browse/MESOS-5343
> Project: Mesos
> Issue Type: Bug
>Affects Versions: 1.0.0
>Reporter: Benjamin Bannier
>Assignee: Benjamin Bannier
>Priority: Minor
> Labels: mesosphere, security
>
> When setting a custom authenticator with {{http_authenticators}} and also
> specifying {{authenticate_http=false}} currently agents refuse to start with
> {code}
> A custom HTTP authenticator was specified with the '--http_authenticators'
> flag, but HTTP authentication was not enabled via '--authenticate_http'
> {code}
> Masters on the other hand accept this setting.
> Having differing behavior between master and agents is confusing, and we
> should decide on whether we want to accept these settings or not, and make
> the implementations consistent.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (MESOS-5343) Behavior of custom HTTP authenticators with disabled HTTP authentication is inconsistent between master and agent
[
https://issues.apache.org/jira/browse/MESOS-5343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15279369#comment-15279369
]
Adam B commented on MESOS-5343:
---
Fair point. Let's change the master's behavior to match the agent's.
> Behavior of custom HTTP authenticators with disabled HTTP authentication is
> inconsistent between master and agent
> -
>
> Key: MESOS-5343
> URL: https://issues.apache.org/jira/browse/MESOS-5343
> Project: Mesos
> Issue Type: Bug
>Affects Versions: 0.29.0
>Reporter: Benjamin Bannier
>Priority: Minor
> Labels: mesosphere, security
> Fix For: 0.29.0
>
>
> When setting a custom authenticator with {{http_authenticators}} and also
> specifying {{authenticate_http=false}} currently agents refuse to start with
> {code}
> A custom HTTP authenticator was specified with the '--http_authenticators'
> flag, but HTTP authentication was not enabled via '--authenticate_http'
> {code}
> Masters on the other hand accept this setting.
> Having differing behavior between master and agents is confusing, and we
> should decide on whether we want to accept these settings or not, and make
> the implementations consistent.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (MESOS-5343) Behavior of custom HTTP authenticators with disabled HTTP authentication is inconsistent between master and agent
[
https://issues.apache.org/jira/browse/MESOS-5343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15279217#comment-15279217
]
Vinod Kone commented on MESOS-5343:
---
Why do we want to load an authenticator if we have not enabled authN? i would
like the master to match the agent's behavior here after a deprecation cycle.
IIUC `--http_authenticators` flag on master followed the footsteps of
`--authenticator` flag, without realizing that the latter one needed a default
flag value for backwards compatibility.
> Behavior of custom HTTP authenticators with disabled HTTP authentication is
> inconsistent between master and agent
> -
>
> Key: MESOS-5343
> URL: https://issues.apache.org/jira/browse/MESOS-5343
> Project: Mesos
> Issue Type: Bug
>Affects Versions: 0.29.0
>Reporter: Benjamin Bannier
>Priority: Minor
> Labels: mesosphere, security
> Fix For: 0.29.0
>
>
> When setting a custom authenticator with {{http_authenticators}} and also
> specifying {{authenticate_http=false}} currently agents refuse to start with
> {code}
> A custom HTTP authenticator was specified with the '--http_authenticators'
> flag, but HTTP authentication was not enabled via '--authenticate_http'
> {code}
> Masters on the other hand accept this setting.
> Having differing behavior between master and agents is confusing, and we
> should decide on whether we want to accept these settings or not, and make
> the implementations consistent.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (MESOS-5343) Behavior of custom HTTP authenticators with disabled HTTP authentication is inconsistent between master and agent
[
https://issues.apache.org/jira/browse/MESOS-5343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15277678#comment-15277678
]
Adam B commented on MESOS-5343:
---
Quite an annoying inconsistency. I would think that we should allow users to
load a custom http_authenticator without requiring them to enable
authentication. We could WARN in that case rather than EXIT.
However, agent http authentication was added later, so I would think that the
deviation was intentional, with an intent to change master to match. I'd be
fine with either, but we should try to be consistent.
> Behavior of custom HTTP authenticators with disabled HTTP authentication is
> inconsistent between master and agent
> -
>
> Key: MESOS-5343
> URL: https://issues.apache.org/jira/browse/MESOS-5343
> Project: Mesos
> Issue Type: Bug
>Reporter: Benjamin Bannier
> Fix For: 0.29.0
>
>
> When setting a custom authenticator with {{http_authenticators}} and also
> specifying {{authenticate_http=false}} currently agents refuse to start with
> {code}
> A custom HTTP authenticator was specified with the '--http_authenticators'
> flag, but HTTP authentication was not enabled via '--authenticate_http'
> {code}
> Masters on the other hand accept this setting.
> Having differing behavior between master and agents is confusing, and we
> should decide on whether we want to accept these settings or not, and make
> the implementations consistent.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
