dddpaul / marathon-plugins-auth

Authentication and authorization plugin for Marathon
Apache License 2.0

Add ability to bypass AA with HTTP header #27

Open dddpaul opened 5 years ago

dddpaul commented 5 years ago

For example in config:

```yaml
authentication:
  configuration:
    bypass_header: X-Marathon-Plugins-Auth-Disabled
```

dddpaul commented 5 years ago

For the sake of non-breaking changes, it may be more reasonable to enable AA only if a special HTTP header exists.

For example:

```yaml
authentication:
  enabled: true
  configuration:
    force_authentication_header: X-Marathon-Plugin-Auth-Force
    force_authentication_header_enabled: true
```

Modes:

| Force header mode | Bypass header mode | Result |
|---|---|---|
| Off | Off | AA is performed always |
| Off | On | AA is performed unless bypass header was received |
| On | Off | AA is performed only if force header was received |
| On | On | AA is performed always or incorrect configuration? |

dddpaul commented 5 years ago

I think this is the most flexible behaviour:

```yaml
authentication:
  enabled: true
  configuration:
    production_mode_enabled: true
    trigger_header: X-Marathon-Plugin-Auth-Enabled
```

Parameters:

Configuration examples:

1. Disable the plugin entirely:

   ```yaml
   authentication:
     enabled: false
   ```

2. Enable plugin but AA is disabled for all requests except triggering ones:

   ```yaml
   authentication:
     configuration:
       production_mode_enabled: false
       trigger_header: X-Marathon-Plugin-Auth-Enabled
   ```

3. Enable plugin but AA is disabled for all requests except requests with HTTP Basic Auth:

   ```yaml
   authentication:
     configuration:
       production_mode_enabled: false
       trigger_header: Authorization
   ```

4. AA is enabled for all requests except triggering ones:

   ```yaml
   authentication:
     configuration:
       production_mode_enabled: true
       trigger_header: X-Marathon-Plugin-Auth-Enabled
   ```

5. AA is enabled for all of the requests:

   ```yaml
   authentication:
     configuration:
       production_mode_enabled: true
       trigger_header: X-Marathon-Plugin-Auth-Enabled
   ```
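
The decision rule implied by configuration examples 1-4 above, as an added Python model that is not part of the issue or the plugin's code: AA runs when `production_mode_enabled` differs from whether the trigger header is present, and the model reports which configurations serve some request without AA. The function names, the defaults for omitted keys, and the behaviour when no `trigger_header` is set are assumptions.

```python
# Added model of the trigger-header proposal; not the plugin's code.
# Function names and defaults for omitted keys are assumptions.

def aa_performed(auth_cfg, request_headers):
    """Return True if AA (authentication and authorization) runs for a request."""
    if not auth_cfg.get("enabled", True):      # assumption: enabled unless 'enabled: false'
        return False
    conf = auth_cfg.get("configuration", {})
    production = conf.get("production_mode_enabled", True)  # assumption: defaults to on
    trigger = conf.get("trigger_header")
    if not trigger:                            # assumption: no trigger, the mode alone decides
        return production
    # HTTP header names are case-insensitive, so compare lowercased names.
    present = trigger.lower() in {name.lower() for name in request_headers}
    # The trigger header inverts the mode's default behaviour.
    return production != present

def decision_table(auth_cfg):
    """Whether AA runs when the trigger header is absent and when it is present."""
    trigger = auth_cfg.get("configuration", {}).get("trigger_header") or "X-Unused"
    return {"absent": aa_performed(auth_cfg, {}),
            "present": aa_performed(auth_cfg, {trigger.upper(): "constructed"})}

def some_request_skips_aa(auth_cfg):
    """True if at least one of the two request shapes is served without AA."""
    return not all(decision_table(auth_cfg).values())

# Configurations 1-4 from the list above, written as dicts.
HEADER = "X-Marathon-Plugin-Auth-Enabled"
CONFIGS = {
    "1 plugin disabled": {"enabled": False},
    "2 AA only on trigger": {"configuration": {
        "production_mode_enabled": False, "trigger_header": HEADER}},
    "3 AA only with Basic Auth": {"configuration": {
        "production_mode_enabled": False, "trigger_header": "Authorization"}},
    "4 AA except on trigger": {"configuration": {
        "production_mode_enabled": True, "trigger_header": HEADER}},
}

if __name__ == "__main__":
    for name, cfg in CONFIGS.items():
        print(name, decision_table(cfg), "skippable:", some_request_skips_aa(cfg))
```

Every configuration that names a trigger header reports `skippable: True`, because the request sender decides whether the header is present.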