In the v0 API: If the secret updates, you will need to reauthenticate with the new credentials and reregister, perhaps triggered by knowing when the secret will expire. Changing the principal in FrameworkInfo will require you to register as a new framework_id until https://issues.apache.org/jira/browse/MESOS-2842 is resolved. Note that the Mesos master only validates the v0 scheduler credentials on authentication (i.e. on scheduler or master failover), so the scheduler could continue to function for weeks after the secret "expires" as long as the scheduler doesn't have to (reauthenticate and) reregister.
In the v1 scheduler API: Every request must include the credential, so requests with an expired credential will fail.

On Tue, Oct 24, 2017 at 4:00 PM, Benjamin Mahler <[email protected]> wrote:

> +adam, alexander
>
> On Fri, Oct 20, 2017 at 2:54 PM, Devendra Ayalasomayajula <[email protected]> wrote:
>
>> Corrected the subject
>>
>> *From:* Devendra Ayalasomayajula
>> *Sent:* Friday, October 20, 2017 2:40 PM
>> *To:* [email protected]
>> *Subject:* rotting secrets when authenticating framework
>>
>> Hi,
>>
>> The framework I am experimenting with is using MesosSchedulerDriver and I am planning to pass Credential. But if the secret is updated, how can the Credential that's passed to the driver be updated?
>>
>> How to handle secrets with expiry?
>>
>> Thank You
>>
>> Devendra
>> ------------------------------
>> This email message is for the sole use of the intended recipient(s) and may contain confidential information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
>> ------------------------------
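
For the v1 case described in the reply, where every request carries the credential, a scheduler can re-read the secret from disk for each request so a rotated secret is picked up without a restart. This is an added example, not code from the thread or from Mesos. It assumes the master accepts HTTP Basic authentication and that the credential lives in a JSON file with `principal` and `secret` keys; the class and function names and the sample values are hypothetical. It refuses a changed principal, since the reply notes that changing the principal means registering as a new framework.

```python
import base64
import json
import os
import tempfile


class PrincipalChanged(Exception):
    """The rotated file names a different principal than the one first loaded."""


class RotatingCredential:
    def __init__(self, path):
        self.path = path
        self.principal = None  # pinned on first load
        self.rotations = 0     # secret changes observed so far
        self._secret = None

    def _load(self):
        with open(self.path, encoding="utf-8") as f:
            data = json.load(f)
        principal, secret = data["principal"], data["secret"]
        if self.principal is None:
            self.principal = principal
        elif principal != self.principal:
            raise PrincipalChanged(f"{self.principal!r} -> {principal!r}")
        if self._secret is not None and secret != self._secret:
            self.rotations += 1
        self._secret = secret

    def auth_header(self):
        """Header for one v1 request, built from the secret currently on disk."""
        self._load()
        pair = f"{self.principal}:{self._secret}".encode()
        return {"Authorization": "Basic " + base64.b64encode(pair).decode()}


def write_credential(path, principal, secret):
    """Rotate atomically (0600 temp file, then rename) so readers never see a partial file."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump({"principal": principal, "secret": secret}, f)
    os.replace(tmp, path)


def demo():
    # Constructed sample values; no network traffic is generated.
    path = os.path.join(tempfile.mkdtemp(), "credential.json")
    write_credential(path, "example-framework", "constructed-secret-1")
    cred = RotatingCredential(path)
    before = cred.auth_header()
    write_credential(path, "example-framework", "constructed-secret-2")
    return before, cred.auth_header(), cred.rotations
```

With the v0 driver the same file watcher would only tell you when to reauthenticate and reregister, because the credential is checked at authentication rather than per request.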

