mesos-reviews mailing list archives

From Adam B <a...@mesosphere.io>
Subject Re: Review Request 47921: Enabled authorization for Mesos log access.
Date Sun, 29 May 2016 06:01:16 GMT


> On May 27, 2016, 11:21 p.m., Adam B wrote:
> > src/authorizer/local/authorizer.cpp, lines 519-523
> > <https://reviews.apache.org/r/47921/diff/2/?file=1399450#file1399450line519>
> >
> >     I don't like this. Let's just remove AccessMesosLog.logs() as a field, and forego
> >     "consistency" in favor of a sensible interface. We can always add a different optional object
> >     later, perhaps for log-level or some unforeseen metadata.
> >     Building and testing this change now. Let me know if you object.
> 
> Alexander Rojas wrote:
>     The `AccessMesosLog.log` field cannot be removed since it removes the ability to
>     define rules with `ANY` and `NONE`. For example, if only _foo_ can access the logs and nobody
>     else, one would write:
>     
>     ```json
>     {
>       "permissive": false,
>       "access_mesos_logs" : [
>         {
>           "principals" : { "values" : ["foo"] },
>           "logs" : { "type" : "ANY" }
>         },
>         {
>           "principals" : { "type" : "ANY" },
>           "logs" : { "type" : "NONE" }
>         }
>       ]
>     }
>     
>     ```
>     
>     which cannot be expressed with the removal of the field.
> 
> Alexander Rojas wrote:
>     Sorry, the example is wrong, permissive in this case is supposed to be true.

Aha, now I see. For ACLs with a permissive bit, we need to be able to express allow vs. deny
in the rule. That should be the real explanation in acls.proto comment, instead of
"`// Objects: Not really required since the object is given. Kept for consistency.`"
Perhaps "`// Objects: ANY or NONE, to allow or deny access.`"
Note: The request, on the other hand, has only a single object, so it need not be explicitly
set. A request without an object is interpreted as ANY by the local authorizer, so an ACL
with ANY will match+allow, but an ACL with NONE will not.

Once we update that acls.proto Objects comment, I'm ready to ship this. What do you think?


- Adam


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47921/#review135377
-----------------------------------------------------------


On May 27, 2016, 11:08 a.m., Alexander Rojas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/47921/
> -----------------------------------------------------------
> 
> (Updated May 27, 2016, 11:08 a.m.)
> 
> 
> Review request for mesos, Adam B, Joerg Schad, and Michael Park.
> 
> 
> Bugs: MESOS-5153
>     https://issues.apache.org/jira/browse/MESOS-5153
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Uses the authorization primitives in `mesos::internal::Files` to add
> protection of the Mesos logs on both master and agents.
> 
> 
> Diffs
> -----
> 
>   include/mesos/authorizer/acls.proto b05586ae587edbf9330f1d916340447d157ba80e 
>   include/mesos/authorizer/authorizer.proto 3ff67858a99915e0215f3ffb9966f9ac4a3fba8c
>   src/authorizer/local/authorizer.cpp 7ddb323df09a9b0ea46c6f9543c4af059d184308 
>   src/master/master.hpp 1a875c32eddfb6d884e3d0dda7f5716ee53966c3 
>   src/master/master.cpp 6442762c9fdfa368d5d9d7cd43b97f5addaf7f17 
>   src/slave/slave.hpp f48e4b6bbb87d1b8b03176f68fe8d5ea6c109652 
>   src/slave/slave.cpp 9fcf334a69ae96ff8180df50aab571fac99b6fad 
> 
> Diff: https://reviews.apache.org/r/47921/diff/
> 
> 
> Testing
> -------
> 
> `make check`
> 
> and the script
> 
> ```bash
> #! /usr/bin/env bash
> 
> rm -rf /tmp/mesos/*
> 
> cat <<EOF > /tmp/credentials.txt
> foo bar
> baz bar
> EOF
> 
> cat <<EOF > /tmp/acls.json
> {
>   "permissive": false,
>   "access_mesos_log" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "logs" : { "type" : "ANY" }
>     }
>   ]
> }
> EOF
> 
> ./bin/mesos-master.sh --work_dir=/tmp/mesos/master \
>                       --authenticate_http \
>                       --credentials=file:///tmp/credentials.txt \
>                       --acls=file:///tmp/acls.json \
>                       --log_dir=/tmp/mesos/logs/master &
> ./bin/mesos-slave.sh --work_dir=/tmp/mesos/agent \
>                      --master=127.0.0.1:5050 \
>                      --authenticate_http \
>                      --http_credentials=file:///tmp/credentials.txt \
>                      --acls=file:///tmp/acls.json \
>                      --log_dir=/tmp/mesos/logs/agent &
> 
> # This should yield a 200 OK response
> http GET http://127.0.0.1:5051/files/download?path=/slave/log -a foo:bar
> 
> # This should yield a 200 OK response
> http GET http://127.0.0.1:5050/files/download?path=/master/log/ -a foo:bar
> 
> 
> # This should yield a 403 Forbidden response
> http GET http://127.0.0.1:5051/files/download?path=/slave/log -a baz:bar
> 
> # This should yield a 403 Forbidden response
> http GET http://127.0.0.1:5050/files/download?path=/master/log/ -a baz:bar
> ```
> 
> 
> Thanks,
> 
> Alexander Rojas
> 
>
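
A simplified model of the allow/deny evaluation discussed in this thread, added here as an example and not taken from the Mesos source or from the review: it assumes rules are checked in order, the first rule whose principals match decides, and `permissive` applies only when no rule matches. The function names are hypothetical; the ACL documents are the two that appear in the thread, plus a variant with the `NONE` rule dropped.

```python
import json

def principal_matches(principals, principal):
    """True if the rule's principals entity covers this principal."""
    if "values" in principals:
        return principal in principals["values"]
    return principals.get("type") == "ANY"

def can_access_logs(acls, principal, key="access_mesos_logs"):
    """First rule whose principals match decides; otherwise fall back to permissive."""
    for rule in acls.get(key, []):
        if principal_matches(rule["principals"], principal):
            # The request carries no object (treated as ANY), so the rule's
            # "logs" entity only carries the verdict: ANY allows, NONE denies.
            return rule["logs"].get("type") == "ANY"
    # No rule matched: the permissive bit decides (Mesos defaults it to true).
    return acls.get("permissive", True)

# ACL from the thread, with "permissive" corrected to true as the follow-up says.
THREAD_ACL = json.loads("""
{
  "permissive": true,
  "access_mesos_logs": [
    {"principals": {"values": ["foo"]}, "logs": {"type": "ANY"}},
    {"principals": {"type": "ANY"},     "logs": {"type": "NONE"}}
  ]
}
""")

# Same ACL without the deny rule: everyone but foo now falls through to permissive.
NO_DENY_RULE = dict(THREAD_ACL, access_mesos_logs=THREAD_ACL["access_mesos_logs"][:1])

# ACL from the test script: non-permissive, so the allow rule alone is enough.
SCRIPT_ACL = json.loads("""
{
  "permissive": false,
  "access_mesos_log": [
    {"principals": {"values": ["foo"]}, "logs": {"type": "ANY"}}
  ]
}
""")

def verdicts(acls, key="access_mesos_logs"):
    """Decision for the two principals used in the test script."""
    return {p: can_access_logs(acls, p, key) for p in ("foo", "baz")}

if __name__ == "__main__":
    print("thread ACL:  ", verdicts(THREAD_ACL))
    print("no deny rule:", verdicts(NO_DENY_RULE))
    print("script ACL:  ", verdicts(SCRIPT_ACL, key="access_mesos_log"))
```

With `permissive` set to true, removing the `NONE` rule lets `baz` through, which is the case the `logs` field exists to express.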

