mesos-reviews mailing list archives

From Vinod Kone <vinodk...@gmail.com>
Subject Re: Review Request 49196: Disabled authorization from the `/flags` endpoints.
Date Mon, 27 Jun 2016 23:06:59 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/49196/#review139688
-----------------------------------------------------------


Ship it!




Ship It!

- Vinod Kone


On June 27, 2016, 10 a.m., Alexander Rojas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/49196/
> -----------------------------------------------------------
> 
> (Updated June 27, 2016, 10 a.m.)
> 
> 
> Review request for mesos, Adam B, Jan Schlicht, and Till Toenshoff.
> 
> 
> Bugs: MESOS-5706
>     https://issues.apache.org/jira/browse/MESOS-5706
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> The `/flags` endpoints in both agent and master use authorization;
> however, their contents are accessible to third parties by polling
> the `/state` endpoint on both.
> 
> This patch disables authorization for the given endpoint until a
> better solution which covers all cases is found.
> 
> 
> Diffs
> -----
> 
>   src/master/http.cpp d55aa05c76bb2b1fb17b795510fd50c021cdb995 
>   src/master/master.hpp 648f1a217cc7bbb154a9d7a2a8b2c5d02087af03 
>   src/slave/http.cpp c038bf0c9680ec86f77f1a27efeb7354a9e67627 
>   src/tests/master_authorization_tests.cpp 1cda523f25242c317817e0073b68651fddfade85 
>   src/tests/slave_authorization_tests.cpp 18bcb0e499a9d2d84113b5b9e609e5e40913ebcc 
> 
> Diff: https://reviews.apache.org/r/49196/diff/
> 
> 
> Testing
> -------
> 
> `make check`, manual testing using a browser and the following script:
> 
> ```sh
> #! /usr/bin/env bash
> 
> rm -rf /tmp/mesos/*
> 
> cat <<EOF > /tmp/credentials.txt
> foo bar
> baz bar
> EOF
> 
> cat <<EOF > /tmp/acls.json
> {
>   "permissive": false,
>   "get_endpoints" : [
>    {
>      "principals" : { "values" : ["foo"] },
>      "paths" : { "type" : "ANY" }
>    }
>   ]
> }
> EOF
> 
> ./bin/mesos-master.sh --work_dir=/tmp/mesos/master \
>                      --authenticate_http \
>                      --log_dir=/tmp/mesos/logs/master \
>                      --http_credentials=file:///tmp/credentials.txt \
>                      --acls=file:///tmp/acls.json &
> ./bin/mesos-slave.sh --work_dir=/tmp/mesos/slave \
>                      --master=127.0.0.1:5050 \
>                      --authenticate_http \
>                      --http_credentials=file:///tmp/credentials.txt \
>                      --acls=file:///tmp/acls.json &
> 
> # The `http` client below is HTTPie; `-a` sends HTTP basic credentials.
> 
> # This should return the flags: foo is authorized
> # to check all endpoints.
> http GET http://127.0.0.1:5051/flags -a foo:bar
> 
> # This should return the flags: the endpoint doesn't
> # require authorization.
> http GET http://127.0.0.1:5051/flags -a baz:bar
> 
> # This should return 401 Unauthorized, the user bar
> # is not known.
> http GET http://127.0.0.1:5051/flags -a bar:bar
> ```
> 
> 
> Thanks,
> 
> Alexander Rojas
> 
>
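The description above makes a point worth checking offline before deciding whether to gate an endpoint at all: authorization on `/flags` buys nothing while `/state` returns the same data to anyone who can authenticate. The following is an added example (not Mesos code and not part of the review) that models that gap. It uses the ACL and credentials from the test script above, a constructed `/state` document in place of real master output, and a simplified model of how a `get_endpoints` ACL is evaluated (an assumption about the authorizer, not a reproduction of it); `flags_authorized` models whether `/flags` is still in the set of authorized endpoints, i.e. before or after this patch.

```python
"""Model of the /flags vs /state exposure discussed in MESOS-5706.

Added example, not Mesos code. The ACL and credentials mirror the review's
test script; STATE_RESPONSE is a constructed sample; the ACL evaluation is a
simplified model (assumption) of a get_endpoints check.
"""
import json

# Credentials and ACL from the test script (constructed, as in the script).
CREDENTIALS = {"foo": "bar", "baz": "bar"}
ACLS = json.loads("""
{
  "permissive": false,
  "get_endpoints": [
    { "principals": { "values": ["foo"] }, "paths": { "type": "ANY" } }
  ]
}
""")

# Constructed /state sample: the flags appear inline, which is the leak the
# description calls out. Not real Mesos output.
STATE_RESPONSE = {
    "version": "1.0.0",
    "flags": {
        "authenticate_http": "true",
        "acls": "file:///tmp/acls.json",
        "work_dir": "/tmp/mesos/master",
    },
    "frameworks": [],
}


def _matches(entity, value):
    # ANY and NONE both match everything; a values list matches its members.
    if entity.get("type") in ("ANY", "NONE"):
        return True
    return value in entity.get("values", [])


def _allows(entity, value):
    # ANY allows, NONE denies, a values list allows its members.
    kind = entity.get("type")
    if kind == "ANY":
        return True
    if kind == "NONE":
        return False
    return value in entity.get("values", [])


def get_endpoint_allowed(acls, principal, path):
    """First matching get_endpoints entry decides; otherwise `permissive`."""
    for acl in acls.get("get_endpoints", []):
        if _matches(acl["principals"], principal) and _matches(acl["paths"], path):
            return _allows(acl["principals"], principal) and _allows(acl["paths"], path)
    return bool(acls.get("permissive", True))


def authorized_endpoints(flags_authorized=True):
    """GET paths checked against get_endpoints. /state is never in the set
    (assumption drawn from the description); /flags is, until the patch."""
    return {"/flags"} if flags_authorized else set()


def handle_get(user, password, path, flags_authorized=True):
    """Return (status, body) for a basic-auth GET of path."""
    if CREDENTIALS.get(user) != password:
        return 401, None  # unknown principal or bad password
    if path in authorized_endpoints(flags_authorized) and not get_endpoint_allowed(ACLS, user, path):
        return 403, None  # authenticated but not authorized for this path
    if path == "/flags":
        return 200, {"flags": STATE_RESPONSE["flags"]}
    if path == "/state":
        return 200, STATE_RESPONSE
    return 404, None


def flags_exposure(user, password, flags_authorized=True):
    """Whether the flags are readable via /flags and via /state for this user."""
    report = {}
    for path in ("/flags", "/state"):
        status, body = handle_get(user, password, path, flags_authorized)
        report[path] = status == 200 and "flags" in body
    return report


if __name__ == "__main__":
    for user, pw in (("foo", "bar"), ("baz", "bar"), ("bar", "bar")):
        print(user, "before patch:", flags_exposure(user, pw, flags_authorized=True))
        print(user, "after patch: ", flags_exposure(user, pw, flags_authorized=False))
```

Run as-is, the model shows that before the patch `baz` is refused at `/flags` yet reads the identical flags from `/state`, so the `/flags` check only changed which URL a denied principal used; after the patch both endpoints behave the same for any authenticated principal, and the unknown user `bar` is still stopped at authentication. The same comparison, run with real `curl` or HTTPie requests against a test cluster, is the check to keep around until the follow-up that covers all endpoints lands.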

