mesos-reviews mailing list archives

From Adam B <a...@mesosphere.io>
Subject Re: Review Request 47891: Added RUN_TASK authorization action.
Date Tue, 31 May 2016 09:16:02 GMT


> On May 27, 2016, 11:43 p.m., Adam B wrote:
> > src/master/master.cpp, line 3048
> > <https://reviews.apache.org/r/47891/diff/2/?file=1399810#file1399810line3048>
> >
> >     FrameworkInfo.user is the wrong user to pass in. It should be the user calculated by the code you removed above.
> 
> Benjamin Bannier wrote:
>     I am confused. Before this change we had
>     
>     ```
>     string user = framework->info.user(); // Default user.
>     if (task.has_command() && task.command().has_user()) {
>       user = task.command().user();
>     } else if (task.has_executor() && task.executor().command().has_user()) {
>       user = task.executor().command().user();
>     }
>     ```
>     
>     so we did use `framework->info.user()` if neither `task.command` nor `task.executor.command` had a user. Now we defer the decision where the user is taken from completely to the authorizer (that's why we have that logic e.g., in the local authorizer).
>     
>     Why should I want to calculate anything here now?
>     Why is `framework->info.user()` not a good user anymore?

The reason we keep RUN_TASK_WITH_USER around is so that an old authorizer module can continue
to read the same value it expects from the `Object.value` field, which means we need to keep
this logic in the master to set the `value` as long as we support RUN_TASK_WITH_USER.


- Adam


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47891/#review135380
-----------------------------------------------------------


On May 30, 2016, 6:42 a.m., Benjamin Bannier wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/47891/
> -----------------------------------------------------------
> 
> (Updated May 30, 2016, 6:42 a.m.)
> 
> 
> Review request for mesos, Adam B, Alexander Rojas, Joerg Schad, and Michael Park.
> 
> 
> Bugs: MESOS-5459
>     https://issues.apache.org/jira/browse/MESOS-5459
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Authorization requests for RUN_TASK actions can pass `SOME`
> authorization object either in a `FrameworkInfo` holding a user, or a
> `TaskInfo` with optionally a `CommandInfo` which can optionally hold a
> user. If either of these fields is set it will be used as the object;
> otherwise an `ANY` type authorization object will be created.
> 
> `RUN_TASK` aliases `RUN_TASK_WITH_USER` which becomes deprecated with
> 0.29.
> 
> 
> Diffs
> -----
> 
>   include/mesos/authorizer/authorizer.proto 4478bbd3c8f5c1fb862c2c6bd450689d870f7059
>   src/authorizer/local/authorizer.cpp 547bbdd6c3605eadd23d2d2717a3fd362a616de5 
>   src/master/master.cpp a6f740f7f71c4b54208e923025d32e0473a65f5e 
>   src/tests/authorization_tests.cpp 54bfb46a807677f4a4a2bb88dcb78a358cf5121a 
> 
> Diff: https://reviews.apache.org/r/47891/diff/
> 
> 
> Testing
> -------
> 
> Tested on a range of Linux configurations on internal CI.
> 
> 
> Thanks,
> 
> Benjamin Bannier
> 
>
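
The compatibility point in the reply above, as an added example that is not part of the original message or the Mesos code base: an authorization object keeps a legacy `value` string for old modules next to the new structured fields. The structs and function names are simplified, hypothetical stand-ins for the protobufs named in the thread, and an empty string models an unset `user`.

```cpp
#include <iostream>
#include <set>
#include <string>

// Hypothetical stand-ins for the Mesos protobufs named in the thread,
// not the real generated classes. Empty string == `user` not set.
struct CommandInfo { std::string user; };
struct FrameworkInfo { std::string user; };
struct TaskInfo {
  bool has_command = false;  CommandInfo command;
  bool has_executor = false; CommandInfo executor_command;
};

// Authorization object carrying both the legacy string and the new fields.
struct Object {
  std::string value;        // read by old RUN_TASK_WITH_USER modules
  FrameworkInfo framework;  // read by new RUN_TASK authorizers
  TaskInfo task;
};

// Same precedence as the snippet quoted in the thread.
std::string effectiveUser(const FrameworkInfo& f, const TaskInfo& t) {
  if (t.has_command && !t.command.user.empty()) return t.command.user;
  if (t.has_executor && !t.executor_command.user.empty())
    return t.executor_command.user;
  return f.user;  // default user
}

// Built by the caller while the legacy action is still supported.
Object makeObject(const FrameworkInfo& f, const TaskInfo& t) {
  return Object{effectiveUser(f, t), f, t};
}

// Old-style module: only ever looks at Object.value.
bool legacyAuthorize(const Object& o, const std::set<std::string>& allowed) {
  return allowed.count(o.value) > 0;
}

// New-style authorizer: derives the user from the structured fields.
bool newAuthorize(const Object& o, const std::set<std::string>& allowed) {
  return allowed.count(effectiveUser(o.framework, o.task)) > 0;
}

int main() {
  FrameworkInfo f; f.user = "nobody";  // constructed sample input
  TaskInfo t; t.has_command = true; t.command.user = "root";
  Object o = makeObject(f, t);
  std::cout << o.value << " " << legacyAuthorize(o, {"nobody"}) << "\n";
}
```

If `value` were filled with the framework's user instead of the computed one, the old module and the new authorizer would reach different decisions for the same task.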

