mesos-reviews mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adam B <a...@mesosphere.io>
Subject Re: Review Request 47795: Enabled authorization for sandboxes.
Date Thu, 26 May 2016 09:46:52 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47795/#review134952
-----------------------------------------------------------



authorizeSandbox() needs to take the FrameworkId, since executorIds are not globally unique.


include/mesos/authorizer/acls.proto (lines 183 - 184)
<https://reviews.apache.org/r/47795/#comment199928>

    "... sandboxes of executors running as the given users."



include/mesos/authorizer/acls.proto (line 237)
<https://reviews.apache.org/r/47795/#comment199929>

    You'll need to rebase and pick a new number now that Joerg's actions have landed.



include/mesos/authorizer/authorizer.proto (lines 74 - 75)
<https://reviews.apache.org/r/47795/#comment199930>

    "`ACCESS_SANDBOX` will have an object with `ExecutorInfo` and `FrameworkInfo` set."
    And you'll need to get a new enum value after rebase too.



src/authorizer/local/authorizer.cpp (line 19)
<https://reviews.apache.org/r/47795/#comment199931>

    unused



src/authorizer/local/authorizer.cpp (line 47)
<https://reviews.apache.org/r/47795/#comment199932>

    unused



src/authorizer/local/authorizer.cpp (line 295)
<https://reviews.apache.org/r/47795/#comment199935>

    else Error?
    else return false/permissive?



src/slave/slave.cpp (line 118)
<https://reviews.apache.org/r/47795/#comment199933>

    unused



src/slave/slave.cpp (lines 5388 - 5389)
<https://reviews.apache.org/r/47795/#comment199936>

    BUG: This is not good enough. An executorId is only unique within a given framework. Two
Kafka frameworks might both use the same executorId, but launch with different roles/users/labels.
This code would pick the first framework with a matching executorId, rather than the right
one.
    You're really going to need to pass the FrameworkId to `authorizeSandboxAccess()` too.


- Adam B


On May 25, 2016, 6:09 p.m., Alexander Rojas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/47795/
> -----------------------------------------------------------
> 
> (Updated May 25, 2016, 6:09 p.m.)
> 
> 
> Review request for mesos, Adam B, Benjamin Mahler, Joerg Schad, Michael Park, and Vinod
Kone.
> 
> 
> Bugs: MESOS-5153
>     https://issues.apache.org/jira/browse/MESOS-5153
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Enables authorization of the sandboxes using the callback function
> parameter of `Files::attach()`.
> 
> It also adds relevant ACLs and support on the authorizer interface.
> 
> 
> Diffs
> -----
> 
>   include/mesos/authorizer/acls.proto b178f53a299a2941afc073af963f6aff26af1ca8 
>   include/mesos/authorizer/authorizer.proto 911a2271211249a41c4467f6754e9996f640bf38

>   src/authorizer/local/authorizer.cpp dc53bc4374aea98b5ed41ade5617374d2447229b 
>   src/slave/slave.hpp 0de6a570e8b4699771048295ec3fcedf84593495 
>   src/slave/slave.cpp 470b5c82ea6ff01d799b06245609725853300ef1 
> 
> Diff: https://reviews.apache.org/r/47795/diff/
> 
> 
> Testing
> -------
> 
> on OSX the script:
> 
> ```bash
> #! /usr/bin/env bash
> 
> rm -rf /tmp/mesos/*
> 
> cat <<EOF > /tmp/credentials.txt
> foo bar
> baz bar
> EOF
> 
> cat <<EOF > /tmp/acls.json
> {
>   "permissive": false,
>   "access_sandboxes" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "users" : { "values" : ["$USER"] }
>     }
>   ]
> }
> EOF
> 
> ./bin/mesos-master.sh --work_dir=/tmp/mesos/master &
> ./bin/mesos-slave.sh --work_dir=/tmp/mesos/slave \
>                      --master=127.0.0.1:5050 \
>                      --authenticate_http \
>                      --http_credentials=file:///tmp/credentials.txt \
>                      --acls=file:///tmp/acls.json &
> 
> ./src/mesos-execute \
>   --command='while true; do echo "Hello world"; sleep 3; done' \
>   --role=test \
>   --master=127.0.0.1:5050 \
>   --name=echoer &
> 
> SANDBOX_VPATH=`http GET http://127.0.0.1:5051/files/debug -a foo:bar -b  --pretty=none
\
>      | python -c 'import json,sys;obj=json.load(sys.stdin);print obj.keys()[0]'`
> 
> # This should yield a 200 OK response
> http GET http://127.0.0.1:5051/files/download?path=${SANDBOX_VPATH}/stdout -a foo:bar
> 
> # HTTP/1.1 200 OK
> # Content-Disposition: attachment; filename=stdout
> # Content-Length: 3267
> # Content-Type: application/octet-stream
> # Date: Fri, 20 May 2016 13:52:31 GMT
> #
> # Received SUBSCRIBED event
> # Subscribed executor on localhost
> # Received LAUNCH event
> # Starting task echoer
> # sh -c 'while true; do echo "Hello world"; sleep 3; done'
> # Forked command at 26162
> # Hello world
> # Hello world
> # Hello world
> # Hello world
> # Hello world
> 
> # This shold yield a 403 Forbidden response
> http GET http://127.0.0.1:5051/files/download?path=${SANDBOX_VPATH}/stdout -a baz:bar
> 
> # HTTP/1.1 403 Forbidden
> # Content-Length: 0
> # Date: Fri, 20 May 2016 13:52:37 GMT
> #
> #
> #
> 
> 
> ```
> 
> 
> Thanks,
> 
> Alexander Rojas
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message