mesos-reviews mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alexander Rojas <alexan...@mesosphere.io>
Subject Review Request 49082: Enabled fine grained authorization in the Agent.
Date Wed, 22 Jun 2016 12:31:38 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/49082/
-----------------------------------------------------------

Review request for mesos, Adam B, Joerg Schad, and Till Toenshoff.


Repository: mesos


Description
-------

While information about frameworks, executors and tasks were well
protected in the master, this information was not protected in the
agents, which enabled unauthorized users to verify the data by getting
the agent `/state` endpoint. This was particularly pressing since the
Mesos UI would work as a proxy for agents endpoints so even being
behind a firewall would not had been enough.


Diffs
-----

  src/slave/http.cpp 22b5930a7af336a749af4b6b50254f60433ecea5 

Diff: https://reviews.apache.org/r/49082/diff/


Testing
-------

`make check`, some manual testing in the Mesos UI and the following script:

```sh
#! /usr/bin/env bash

rm -rf /tmp/mesos/*

cat <<EOF > /tmp/credentials.txt
foo bar
baz bar
EOF

cat <<EOF > /tmp/acls.json
{
  "permissive": false,
  "access_mesos_logs" : [
    {
      "principals" : { "values" : ["foo"] },
      "logs" : { "type" : "ANY" }
    }
  ],
  "access_sandboxes" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "values" : ["$USER"] }
    }
  ],
  "view_tasks" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "values" : ["$USER"] }
    }
  ],
  "view_executors" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "values" : ["$USER"] }
    }
  ],
  "view_frameworks" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "values" : ["$USER"] }
    }
  ],
  "register_frameworks" : [
   {
     "principals" : { "values" : ["foo"] },
     "roles" : { "values" : ["test"] }
   }
  ],
  "run_tasks" : [
   {
     "principals" : { "values" : ["foo"] },
     "users" : { "values" : ["$USER"] }
   }
  ],
  "get_endpoints" : [
   {
     "principals" : { "values" : ["foo"] },
     "paths" : { "type" : "ANY" }
   }
  ]
}
EOF

./bin/mesos-master.sh --work_dir=/tmp/mesos/master \
                     --authenticate_http \
                     --log_dir=/tmp/mesos/logs/master \
                     --http_credentials=file:///tmp/credentials.txt \
                     --acls=file:///tmp/acls.json &
./bin/mesos-slave.sh --work_dir=/tmp/mesos/slave \
                     --master=127.0.0.1:5050 \
                     --authenticate_http \
                     --http_credentials=file:///tmp/credentials.txt \
                     --acls=file:///tmp/acls.json &
./src/mesos-execute  \
  --command='while true; do echo "Hello world"; sleep 3; done' \
  --role=test \
  --master=127.0.0.1:5050 \
  --name=echoer \
  --principal=foo &

# This should show complete information about frameworks, 
# executors and tasks.
http GET http://127.0.0.1:5051/state -a foo:bar

# This should show partial elements of the state but none
# related to the running framework.
http GET http://127.0.0.1:5051/state -a baz:bar

# This should yield a 401 Unauthorized response.
http GET http://127.0.0.1:5051/state -a bar:bar
```


Thanks,

Alexander Rojas


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message