Re: rotating secrets when authenticating framework
In the v0 API: If the secret updates, you will need to reauthenticate with the new credentials and reregister, perhaps triggered by knowing when the secret will expire. Changing the principal in FrameworkInfo will require you to register as a new framework_id until https://issues.apache.org/jira/browse/MESOS-2842 is resolved. Note that the Mesos master only validates the v0 scheduler credentials on authentication (i.e. on scheduler or master failover), so the scheduler could continue to function for weeks after the secret "expires" as long as the scheduler doesn't have to (reauthenticate and) reregister.

In the v1 scheduler API: Every request must include the credential, so requests with an expired credential will fail.

On Tue, Oct 24, 2017 at 4:00 PM, Benjamin Mahler wrote:

> +adam, alexander
>
> On Fri, Oct 20, 2017 at 2:54 PM, Devendra Ayalasomayajula <devend...@nvidia.com> wrote:
>
>> Corrected the subject
>>
>> *From:* Devendra Ayalasomayajula
>> *Sent:* Friday, October 20, 2017 2:40 PM
>> *To:* user@mesos.apache.org
>> *Subject:* rotting secrets when authenticating framework
>>
>> Hi,
>>
>> The framework I am experimenting with is using MesosSchedulerDriver and I
>> am planning to pass Credential. But if the secret is updated, how can the
>> Credential that’s passed to the driver be updated?
>>
>> How to handle secrets with expiry?
>>
>> Thank You
>>
>> Devendra
>> --
>>
>> This email message is for the sole use of the intended recipient(s) and
>> may contain confidential information. Any unauthorized review, use,
>> disclosure or distribution is prohibited. If you are not the intended
>> recipient, please contact the sender by reply email and destroy all copies
>> of the original message.
>> --
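The v1 behaviour described in the reply above (every request carries the credential, so a rotated secret surfaces as a rejected request) suggests a reload-and-retry wrapper. The sketch below is an added example, not code from the thread or from Mesos. It assumes the credential travels as an HTTP Basic `Authorization` header and lives in a file as `principal:secret`; `FileCredential`, `call_v1` and the stand-in master are hypothetical names.

```python
import base64
import pathlib
import tempfile


class FileCredential:
    """Caches 'principal:secret' read from a file (the path is an assumption)."""

    def __init__(self, path):
        self.path = pathlib.Path(path)
        self.reload()

    def reload(self):
        raw = self.path.read_bytes().strip()
        self.header = "Basic " + base64.b64encode(raw).decode("ascii")


def call_v1(send, cred, body):
    """Send one call; `send(headers, body)` returns the HTTP status code.

    On 401 the secret is re-read once and the call retried.
    Returns (final_status, attempts).
    """
    for attempt in (1, 2):
        status = send({"Authorization": cred.header,
                       "Content-Type": "application/json"}, body)
        if status != 401:
            break
        cred.reload()
    return status, attempt


def demo():
    """Constructed scenario: a stand-in master that accepts one secret."""
    accepted = {"raw": b"framework-a:old-secret"}

    def fake_master(headers, body):
        want = "Basic " + base64.b64encode(accepted["raw"]).decode("ascii")
        return 202 if headers["Authorization"] == want else 401

    with tempfile.TemporaryDirectory() as d:
        path = pathlib.Path(d) / "credential"
        path.write_bytes(accepted["raw"])
        cred = FileCredential(path)
        before = call_v1(fake_master, cred, "{}")
        accepted["raw"] = b"framework-a:new-secret"  # master side rotates
        stale = call_v1(fake_master, cred, "{}")      # file not updated yet
        path.write_bytes(accepted["raw"])             # secret store catches up
        after = call_v1(fake_master, cred, "{}")
    return before, stale, after
```

In the constructed run, the call made while the file still holds the old secret fails after one retry, which is the signal to alert on rather than loop.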
Re: rotating secrets when authenticating framework
+adam, alexander

On Fri, Oct 20, 2017 at 2:54 PM, Devendra Ayalasomayajula <devend...@nvidia.com> wrote:

> Corrected the subject
>
> *From:* Devendra Ayalasomayajula
> *Sent:* Friday, October 20, 2017 2:40 PM
> *To:* user@mesos.apache.org
> *Subject:* rotting secrets when authenticating framework
>
> Hi,
>
> The framework I am experimenting with is using MesosSchedulerDriver and I
> am planning to pass Credential. But if the secret is updated, how can the
> Credential that’s passed to the driver be updated?
>
> How to handle secrets with expiry?
>
> Thank You
>
> Devendra
> --
>
> This email message is for the sole use of the intended recipient(s) and
> may contain confidential information. Any unauthorized review, use,
> disclosure or distribution is prohibited. If you are not the intended
> recipient, please contact the sender by reply email and destroy all copies
> of the original message.
> --
RE: rotating secrets when authenticating framework
Corrected the subject

From: Devendra Ayalasomayajula
Sent: Friday, October 20, 2017 2:40 PM
To: user@mesos.apache.org
Subject: rotting secrets when authenticating framework

Hi,

The framework I am experimenting with is using MesosSchedulerDriver and I am planning to pass Credential. But if the secret is updated, how can the Credential that's passed to the driver be updated?

How to handle secrets with expiry?

Thank You

Devendra

This email message is for the sole use of the intended recipient(s) and may contain confidential information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.