This repository was archived by the owner on Oct 23, 2024. It is now read-only.

fixes #1289 - Trim \n at the end of a secret when using Mesos auth #1290

Closed
drexin wants to merge 1 commit into master from wip-1289-drexin

@drexin
Contributor

@drexin drexin commented Mar 11, 2015

No description provided.

@ConnorDoyle
Contributor

I think when we implemented this in #710 we intentionally read all of the bytes in the file. This is because the authentication mechanism in Mesos could be an arbitrary module. This change would make it impossible to define a secret that ends in the byte 0x0A, for example. Finally, the Mesos protobuf definition of the secret as type bytes hints that we shouldn't assume UTF-8.

Maybe we could benefit from a second opinion from people who have worked on authentication in Mesos. cc: @adam-mesos

@adam-mesos

Interesting points. Mesos' default CRAM-MD5 authentication must assume the secret does not include a newline character, since the master's --credentials file is newline-delimited between credentials. Kerberos authentication does not use the secret, since keytabs/tickets are managed out of band. Other alternative authenticatee modules may want to include newlines in their secrets, so for their sake we may want to read the entire file, but until they complain we can probably trim any newlines when reading the secret file. Perhaps in the future, it could be up to the CRAM-MD5 authenticatee to trim out newlines.

@everpeace
Contributor

@drexin so sorry for bothering you on this. I seem to have missed deleting the trailing space in the secret file....

echo -n 'mesos rocks' > mesos-credentials and echo -n 'rocks' > marathon-secret work fine with the original authentication code.
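
Added example (not part of the thread and not Marathon or Mesos code): why a secret file written without `-n` fails CRAM-MD5 when every byte of the file is used as the HMAC key, using the principal `mesos` and secret `rocks` from the comment above. The challenge string and all function names are constructed for illustration, and the verifying side is modelled simply as recomputing the HMAC with its stored secret.

```python
import hmac
import os
import tempfile


def cram_md5_response(principal: str, secret: bytes, challenge: bytes) -> str:
    """CRAM-MD5 client response: principal plus hex HMAC-MD5 keyed by the secret."""
    return f"{principal} {hmac.new(secret, challenge, 'md5').hexdigest()}"


def read_secret(path: str) -> bytes:
    """Use every byte of the file as the secret, with no trimming."""
    with open(path, "rb") as fh:
        return fh.read()


def trailing_whitespace(secret: bytes) -> bytes:
    """Return the trailing whitespace bytes of a secret (b'' if there are none)."""
    return secret[len(secret.rstrip(b" \t\r\n")):]


def compare_secret_files() -> dict:
    challenge = b"<1896.697170952@master.example>"  # constructed challenge
    # Response the verifying side expects for principal 'mesos', secret 'rocks'.
    expected = cram_md5_response("mesos", b"rocks", challenge)
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # 'echo' appends 0x0A to the file, 'echo -n' does not.
        for name, content in (("echo", b"rocks\n"), ("echo -n", b"rocks")):
            path = os.path.join(tmp, "marathon-secret")
            with open(path, "wb") as fh:
                fh.write(content)
            secret = read_secret(path)
            sent = cram_md5_response("mesos", secret, challenge)
            results[name] = {
                "trailing": trailing_whitespace(secret),
                "accepted": hmac.compare_digest(sent, expected),
            }
    return results


if __name__ == "__main__":
    for name, outcome in compare_secret_files().items():
        print(f"{name!r}: trailing={outcome['trailing']!r} accepted={outcome['accepted']}")
```

The check reports trailing bytes instead of trimming them, since the thread notes the secret is typed as bytes and a module other than CRAM-MD5 may want a secret ending in 0x0A.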

@drexin drexin closed this Mar 13, 2015
@drexin
Contributor Author

drexin commented Mar 13, 2015

Thanks @everpeace

@aquamatthias aquamatthias deleted the wip-1289-drexin branch August 7, 2015 10:06
@gvenka008c

gvenka008c commented May 8, 2016

@drexin @everpeace @ConnorDoyle @adam-mesos

I am seeing the 'Master refused authentication' while authenticating Marathon against Mesos Master. Here is the info. Thoughts?

May  8 01:33:35 jmesosmas-03p marathon[32372]: I0508 01:33:35.870514 32617 sched.cpp:326] New master detected at master@xx.xx.xxx.xx:5050
May  8 01:33:35 jmesosmas-03p marathon[32372]: I0508 01:33:35.870781 32617 sched.cpp:382] Authenticating with master master@xx.xx.xxx.xx:5050
May  8 01:33:35 jmesosmas-03p marathon[32372]: I0508 01:33:35.870803 32617 sched.cpp:389] Using default CRAM-MD5 authenticatee
May  8 01:33:35 jmesosmas-03p marathon[32372]: I0508 01:33:35.871073 32617 authenticatee.cpp:97] Initializing client SASL
May  8 01:33:35 jmesosmas-03p marathon[32372]: I0508 01:33:35.872035 32617 authenticatee.cpp:121] Creating new client SASL connection
May  8 01:33:35 jmesosmas-03p mesos-master[27629]: I0508 01:33:35.872970 27657 master.cpp:5521] Authenticating scheduler-1475a8a3-0937-4fe0-a17c-e6e1b85648d0@xx.xx.xxx.xx:9090
May  8 01:33:35 jmesosmas-03p mesos-master[27629]: I0508 01:33:35.873271 27657 authenticator.cpp:98] Creating new server SASL connection
May  8 01:33:35 jmesosmas-03p marathon[32372]: I0508 01:33:35.874003 32615 authenticatee.cpp:212] Received SASL authentication mechanisms: CRAM-MD5
May  8 01:33:35 jmesosmas-03p marathon[32372]: I0508 01:33:35.874047 32615 authenticatee.cpp:238] Attempting to authenticate with mechanism 'CRAM-MD5'
May  8 01:33:35 jmesosmas-03p marathon[32372]: I0508 01:33:35.875255 32615 authenticatee.cpp:258] Received SASL authentication step
May  8 01:33:35 jmesosmas-03p marathon[32372]: E0508 01:33:35.876106 32615 sched.cpp:465] Master master@xx.xx.xxx.xx:5050 refused authentication
May  8 01:33:35 jmesosmas-03p marathon[32372]: I0508 01:33:35.876124 32615 sched.cpp:1131] Got error 'Master refused authentication'

Here is the Mesos Master setting

[root@jmesosmas-03p auth]# more acls
{ "run_tasks": [ { "principals": { "type": "ANY" }, "users": { "type": "ANY" } } ], "register_frameworks": [ { "principals": { "type": "ANY" }, "roles": { "type": "ANY" } } ] }

[root@jmesosmas-03p auth]# more credentials
marathon marathonsecret

[root@jmesosmas-03p mesos-master]# more acls
file:///etc/mesos/auth/acls

[root@jmesosmas-03p mesos-master]# more credentials
file:///etc/mesos/auth/credentials

[root@jmesosmas-03p mesos-master]# more authenticate
true

Here is the marathon configuration

[root@jmesosmas-03p conf]# more mesos_authentication_principal
marathon

[root@jmesosmas-03p conf]# more mesos_authentication_secret_file
/etc/mesos/auth/marathon.secret

[root@jmesosmas-03p conf]# more /etc/mesos/auth/marathon.secret
marathonsecret

Here is the list of packages

# rpm -qa | grep cyrus
cyrus-sasl-md5-2.1.26-20.el7_2.x86_64
cyrus-sasl-lib-2.1.26-20.el7_2.x86_64
cyrus-sasl-plain-2.1.26-20.el7_2.x86_64
cyrus-sasl-2.1.26-20.el7_2.x86_64

Version:

Mesos Version:0.27.1
Marathon: Version 0.15.2
