mesos-reviews mailing list archives

From Adam B <a...@mesosphere.io>
Subject Re: Review Request 47921: Enabled authorization for Mesos log access.
Date Fri, 27 May 2016 08:21:03 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47921/#review135180
-----------------------------------------------------------


Fix it, then Ship it!




Looks great! Just a couple of nits.
Can you update the endpoint help/docs and perhaps authorization.md to reflect the latest changes?


include/mesos/authorizer/acls.proto (line 233)
<https://reviews.apache.org/r/47921/#comment200199>

    s/compatibility/consistency/
    I wonder if this is really a good idea. Operators will try to fill in different values in the ACL, and the local authorizer will just ignore them.



include/mesos/authorizer/acls.proto (line 284)
<https://reviews.apache.org/r/47921/#comment200200>

    s/access_mesos_log/access_mesos_logs/?
    Although a given --acls flag will only apply to a particular master/agent, if the --acls are mass-distributed via a config-management system, the rule would apply to all the master/agent logs.



include/mesos/authorizer/authorizer.proto (line 88)
<https://reviews.apache.org/r/47921/#comment200201>

    Add a blank line and a comment above.
    "This action will not fill in any object fields, since the object is the master/agent log itself."


- Adam B


On May 26, 2016, 3:45 p.m., Alexander Rojas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/47921/
> -----------------------------------------------------------
> 
> (Updated May 26, 2016, 3:45 p.m.)
> 
> 
> Review request for mesos, Adam B, Joerg Schad, and Michael Park.
> 
> 
> Bugs: MESOS-5153
>     https://issues.apache.org/jira/browse/MESOS-5153
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Uses the authorization primitives in `mesos::internal::Files` to add
> protection of the Mesos logs on both master and agents.
> 
> 
> Diffs
> -----
> 
>   include/mesos/authorizer/acls.proto ace9b698f46e1437911115c82324a87a0d7827fb 
>   include/mesos/authorizer/authorizer.proto 02d1a01d57cf34b38524f4368187878b03343537 
>   src/authorizer/local/authorizer.cpp 3c7c791bde65cfcbcc4e319c9ccc487ab37d8029 
>   src/master/master.hpp 1a875c32eddfb6d884e3d0dda7f5716ee53966c3 
>   src/master/master.cpp 0005a29caabcc6a3776037cf86a2b12660e6377b 
>   src/slave/slave.hpp 0de6a570e8b4699771048295ec3fcedf84593495 
>   src/slave/slave.cpp 470b5c82ea6ff01d799b06245609725853300ef1 
> 
> Diff: https://reviews.apache.org/r/47921/diff/
> 
> 
> Testing
> -------
> 
> `make check`
> 
> and the script
> 
> ```bash
> #! /usr/bin/env bash
> 
> rm -rf /tmp/mesos/*
> 
> cat <<EOF > /tmp/credentials.txt
> foo bar
> baz bar
> EOF
> 
> cat <<EOF > /tmp/acls.json
> {
>   "permissive": false,
>   "access_mesos_log" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "logs" : { "type" : "ANY" }
>     }
>   ]
> }
> EOF
> 
> ./bin/mesos-master.sh --work_dir=/tmp/mesos/master \
>                       --authenticate_http \
>                       --credentials=file:///tmp/credentials.txt \
>                       --acls=file:///tmp/acls.json \
>                       --log_dir=/tmp/mesos/logs/master &
> ./bin/mesos-slave.sh --work_dir=/tmp/mesos/agent \
>                      --master=127.0.0.1:5050 \
>                      --authenticate_http \
>                      --http_credentials=file:///tmp/credentials.txt \
>                      --acls=file:///tmp/acls.json \
>                      --log_dir=/tmp/mesos/logs/agent &
> 
> # This should yield a 200 OK response
> http GET http://127.0.0.1:5051/files/download?path=/slave/log -a foo:bar
> 
> # This should yield a 200 OK response
> http GET http://127.0.0.1:5050/files/download?path=/master/log/ -a foo:bar
> 
> 
> # This should yield a 403 Forbidden response
> http GET http://127.0.0.1:5051/files/download?path=/slave/log -a baz:bar
> 
> # This should yield a 403 Forbidden response
> http GET http://127.0.0.1:5050/files/download?path=/master/log/ -a baz:bar
> ```
> 
> 
> Thanks,
> 
> Alexander Rojas
> 
>
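
Added illustration, not Mesos code and not part of the review: a small Python model of how the acls.json in the test script above is evaluated for log access, showing why `foo` gets 200 and `baz` gets 403. It assumes the local authorizer's usual rule that the first ACL whose `principals` entity matches decides the request and that a principal matching no ACL falls back to `permissive`; following Adam's comment, the `logs` object entity is not consulted, and the function names are the model's own.

```python
import json

# Constructed copy of the /tmp/acls.json written by the test script above.
ACLS_JSON = """
{
  "permissive": false,
  "access_mesos_log": [
    {
      "principals": { "values": ["foo"] },
      "logs": { "type": "ANY" }
    }
  ]
}
"""


def _matches(entity, value):
    """Entity match as modelled here: ANY and NONE match every request;
    a 'values' list (type SOME) matches only the listed values."""
    etype = entity.get("type", "SOME")
    return etype in ("ANY", "NONE") or value in entity.get("values", [])


def _allows(entity, value):
    """NONE matches but never allows; otherwise allowing equals matching."""
    return entity.get("type", "SOME") != "NONE" and _matches(entity, value)


def authorize_log_access(acls, principal):
    """Decide whether `principal` may read the master/agent log.

    The first ACL whose `principals` entity matches decides the request.
    The `logs` object entity is not consulted (this action carries no
    object fields, so there is nothing to match it against).  A principal
    matching no ACL falls back to `permissive`, so `permissive: false`
    denies by default.  (Modelled semantics, not the authorizer's code.)
    """
    for acl in acls.get("access_mesos_log", []):
        subjects = acl["principals"]
        if _matches(subjects, principal):
            return _allows(subjects, principal)
    return bool(acls.get("permissive", True))


def expected_status(acls_json, principal):
    """Map the decision onto the HTTP status the script checks for."""
    acls = json.loads(acls_json)
    return 200 if authorize_log_access(acls, principal) else 403
```

Flipping `permissive` to true in the constructed JSON makes `baz` pass, which is why the script sets it to false before checking the 403 cases.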

