
Mesos framework principal secret

Open m4ce opened this issue 9 years ago • 9 comments

Hi,

Is there any way of specifying the principal's secret for the Cook Mesos framework?

Kind regards, Matteo

m4ce avatar Sep 04 '16 17:09 m4ce

I want to make sure I answer the correct question; is this the principal in this case running cook or the client? And is the concern a client talking to cook or cook talking to mesos?

wyegelwel avatar Sep 06 '16 18:09 wyegelwel

It's the principal for the Mesos Cook framework, so Cook talking to Mesos (see http://mesos.apache.org/documentation/latest/authentication/).

m4ce avatar Sep 08 '16 21:09 m4ce

We don't currently have support for setting the principal's secret; however, we would be thrilled to accept a PR for it. If you would be interested in working on it, I can point you to the places in the code I expect need to change to make it happen.

wyegelwel avatar Sep 09 '16 19:09 wyegelwel

Hi @wyegelwel,

I'm not much of a Clojure developer. However, I would be interested in contributing. If you could point out where the changes should happen, I'll give it a shot.

Thanks, Matteo

m4ce avatar Sep 15 '16 07:09 m4ce

Hey @m4ce,

Sorry for the delay, I was on vacation =)

I think it should require changes in a few places:

  1. https://github.com/twosigma/Cook/blob/master/scheduler/src/cook/mesos.clj#L135 to include a secret if it is set. I would recommend using cond here
  2. https://github.com/twosigma/Cook/blob/master/scheduler/src/cook/mesos.clj#L80 to take a mesos-secret as a parameter
  3. https://github.com/twosigma/Cook/blob/master/scheduler/src/cook/components.clj#L81 to grab mesos-secret out of settings and pass it to start-mesos-scheduler
  4. https://github.com/twosigma/Cook/blob/master/scheduler/src/cook/components.clj#L267 add a default for mesos-secret (nil is a good choice)
  5. https://github.com/twosigma/Cook/blob/master/scheduler/src/cook/components.clj#L342 add a line to pull mesos-secret out of the config (should look like mesos-principal)

Let me know if any of those doesn't make sense.

wyegelwel avatar Oct 04 '16 21:10 wyegelwel

Hi,

Sorry, I'm confused by this. How is the principal without a secret supposed to work? I'm not sure I understand the use case or how a mesos principal can be used without authentication.

Thanks, Carlos

cnocito avatar Feb 10 '17 20:02 cnocito

@wyegelwel - Would you still accept a PR for this functionality? Like a follow-up comment mentioned, I'm not sure how it works to accept Mesos principals and not their corresponding secret.

PerilousApricot avatar Oct 09 '17 03:10 PerilousApricot

@PerilousApricot - I think our principals might be working without secrets right now by using Kerberos. As for the PR, if Wil said we'd accept it before, I can't see why we wouldn't want it now. However, before you go and write all the code, I suggest that you outline your design for the patch here. (That will lessen the chance of needing to make major revisions on the PR after you open it.)

DaoWen avatar Oct 12 '17 15:10 DaoWen

@DaoWen Excellent. It's been a few years since I've done lisp-y things, so hopefully it comes back easily...

In terms of the PR, I think the outline posted above makes sense. I would probably work by plumbing the secret alongside the principal as it wends its way from the configuration layer to the Mesos layer, then pass it along to Mesos if it isn't nil.

PerilousApricot avatar Oct 12 '17 16:10 PerilousApricot
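
The plumbing outlined in the five steps and in the last comment, as an added Clojure sketch that is not Cook's code and not part of any comment in this thread: the secret defaults to nil, travels next to the principal, is attached to the credential only when set, and is masked before settings are logged. The names `read-settings`, `mesos-credential` and `redact`, the shape of the config map and the sample values are assumptions made for this example; handing the credential to the Mesos driver is not shown.

```clojure
(ns example.mesos-credential
  (:require [clojure.string :as str]))

;; Hypothetical config layer. A missing or blank secret becomes nil, so
;; deployments that configure only a principal behave as before.
(defn read-settings
  [config]
  (let [secret (get-in config [:mesos :secret])]
    {:mesos-principal (get-in config [:mesos :principal])
     :mesos-secret    (when-not (str/blank? secret) secret)}))

;; Hypothetical Mesos layer. Returns the credential as a plain map, or nil
;; when no principal is configured. The secret is attached only if set.
(defn mesos-credential
  [{:keys [mesos-principal mesos-secret]}]
  ;; A secret without a principal is a misconfiguration: fail at startup
  ;; and keep the secret itself out of the exception data.
  (when (and mesos-secret (not mesos-principal))
    (throw (ex-info "mesos-secret is set but mesos-principal is not" {})))
  (when mesos-principal
    (cond-> {:principal mesos-principal}
      mesos-secret (assoc :secret mesos-secret))))

;; Copy of the settings that is safe to write to a log.
(defn redact
  [settings]
  (cond-> settings
    (:mesos-secret settings) (assoc :mesos-secret "<redacted>")))

(defn -main
  [& _]
  ;; Constructed sample configs: one with a secret, one principal-only.
  (doseq [config [{:mesos {:principal "cook" :secret "constructed-secret"}}
                  {:mesos {:principal "cook"}}]]
    (let [settings (read-settings config)]
      (println "settings:" (redact settings))
      (println "credential keys:" (keys (mesos-credential settings))))))
```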