mesos-reviews mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mesos ReviewBot <revi...@mesos.apache.org>
Subject Re: Review Request 49082: Enabled fine grained authorization in the Agent.
Date Wed, 22 Jun 2016 23:18:27 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/49082/#review139171
-----------------------------------------------------------



Patch looks great!

Reviews applied: [49083, 49082]

Passed command: export OS='ubuntu:14.04' BUILDTOOL='autotools' COMPILER='gcc' CONFIGURATION='--verbose'
ENVIRONMENT='GLOG_v=1 MESOS_VERBOSE=1'; ./support/docker_build.sh

- Mesos ReviewBot


On June 22, 2016, 2:49 p.m., Alexander Rojas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/49082/
> -----------------------------------------------------------
> 
> (Updated June 22, 2016, 2:49 p.m.)
> 
> 
> Review request for mesos, Adam B, Joerg Schad, and Till Toenshoff.
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> While information about frameworks, executors and tasks were well
> protected in the master, this information was not protected in the
> agents, which enabled unauthorized users to verify the data by getting
> the agent `/state` endpoint. This was particularly pressing since the
> Mesos UI would work as a proxy for agents endpoints so even being
> behind a firewall would not had been enough.
> 
> 
> Diffs
> -----
> 
>   src/slave/http.cpp 22b5930a7af336a749af4b6b50254f60433ecea5 
>   src/tests/mesos.hpp b9de9b6dfe0e62df91d5b82006b799345b49fd3c 
>   src/tests/mesos.cpp 15aaaa7979f227083580afc1349373f3e3364c65 
>   src/tests/slave_authorization_tests.cpp 98fde4914a5fddda4401d366e75322458bc9104c 
> 
> Diff: https://reviews.apache.org/r/49082/diff/
> 
> 
> Testing
> -------
> 
> `make check`, some manual testing in the Mesos UI and the following script:
> 
> ```sh
> #! /usr/bin/env bash
> 
> rm -rf /tmp/mesos/*
> 
> cat <<EOF > /tmp/credentials.txt
> foo bar
> baz bar
> EOF
> 
> cat <<EOF > /tmp/acls.json
> {
>   "permissive": false,
>   "access_mesos_logs" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "logs" : { "type" : "ANY" }
>     }
>   ],
>   "access_sandboxes" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "users" : { "values" : ["$USER"] }
>     }
>   ],
>   "view_tasks" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "users" : { "values" : ["$USER"] }
>     }
>   ],
>   "view_executors" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "users" : { "values" : ["$USER"] }
>     }
>   ],
>   "view_frameworks" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "users" : { "values" : ["$USER"] }
>     }
>   ],
>   "register_frameworks" : [
>    {
>      "principals" : { "values" : ["foo"] },
>      "roles" : { "values" : ["test"] }
>    }
>   ],
>   "run_tasks" : [
>    {
>      "principals" : { "values" : ["foo"] },
>      "users" : { "values" : ["$USER"] }
>    }
>   ],
>   "get_endpoints" : [
>    {
>      "principals" : { "values" : ["foo"] },
>      "paths" : { "type" : "ANY" }
>    }
>   ]
> }
> EOF
> 
> ./bin/mesos-master.sh --work_dir=/tmp/mesos/master \
>                      --authenticate_http \
>                      --log_dir=/tmp/mesos/logs/master \
>                      --http_credentials=file:///tmp/credentials.txt \
>                      --acls=file:///tmp/acls.json &
> ./bin/mesos-slave.sh --work_dir=/tmp/mesos/slave \
>                      --master=127.0.0.1:5050 \
>                      --authenticate_http \
>                      --http_credentials=file:///tmp/credentials.txt \
>                      --acls=file:///tmp/acls.json &
> ./src/mesos-execute  \
>   --command='while true; do echo "Hello world"; sleep 3; done' \
>   --role=test \
>   --master=127.0.0.1:5050 \
>   --name=echoer \
>   --principal=foo &
> 
> # This should show complete information about frameworks, 
> # executors and tasks.
> http GET http://127.0.0.1:5051/state -a foo:bar
> 
> # This should show partial elements of the state but none
> # related to the running framework.
> http GET http://127.0.0.1:5051/state -a baz:bar
> 
> # This should yield a 401 Unauthorized response.
> http GET http://127.0.0.1:5051/state -a bar:bar
> ```
> 
> 
> Thanks,
> 
> Alexander Rojas
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message