mesos-reviews mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Vinod Kone <vinodk...@gmail.com>
Subject Re: Review Request 49201: Added validation for the `get_endpoints` ACL.
Date Mon, 27 Jun 2016 23:11:20 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/49201/#review139690
-----------------------------------------------------------




src/authorizer/local/authorizer.cpp (lines 765 - 770)
<https://reviews.apache.org/r/49201/#comment205004>

    i'm afraid this will be hard to keep this hashset in sync with the reality. is there a
way to enforce that this is up to date?


- Vinod Kone


On June 27, 2016, 10:02 a.m., Alexander Rojas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/49201/
> -----------------------------------------------------------
> 
> (Updated June 27, 2016, 10:02 a.m.)
> 
> 
> Review request for mesos, Adam B, Jan Schlicht, and Till Toenshoff.
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> The fact that not all endpoints can be secure through ACLs, yet
> the ACL is called `get_endpoints`, can be confusing for operators.
> Therefore, if an operator tries to launch an agent/master with an
> invalid configuration an error is generated.
> 
> 
> Diffs
> -----
> 
>   src/authorizer/local/authorizer.cpp 2c20a3069dc000b6674ac15046edd9213e79a632 
>   src/tests/authorization_tests.cpp 9b99da138fa27a725738d70bd99e889b108b44ae 
> 
> Diff: https://reviews.apache.org/r/49201/diff/
> 
> 
> Testing
> -------
> 
> `make check` and following scripts:
> 
> ```sh
> #! /usr/bin/env bash
> 
> rm -rf /tmp/mesos/*
> 
> cat <<EOF > /tmp/credentials.txt
> foo bar
> baz bar
> EOF
> 
> cat <<EOF > /tmp/acls.json
> {
>   "permissive": false,
>   "get_endpoints" : [
>    {
>      "principals" : { "values" : ["foo"] },
>      "paths" : { "values" : ["/frameworks"] }
>    }
>   ]
> }
> EOF
> 
> # Fails to start up with a message saying that `/frameworks`
> # ins't supported.
> ./bin/mesos-slave.sh --work_dir=/tmp/mesos/slave \
>                      --master=127.0.0.1:5050 \
>                      --authenticate_http \
>                      --http_credentials=file:///tmp/credentials.txt \
>                      --acls=file:///tmp/acls.json &
> 
> ```
> 
> and
> 
> 
> ```sh
> #! /usr/bin/env bash
> 
> rm -rf /tmp/mesos/*
> 
> cat <<EOF > /tmp/credentials.txt
> foo bar
> baz bar
> EOF
> 
> cat <<EOF > /tmp/acls.json
> {
>   "permissive": false,
>   "get_endpoints" : [
>    {
>      "principals" : { "values" : ["foo"] },
>      "paths" : { "values" : ["/monitor/statistics", "/monitor/statistics.json", "/containers"]
}
>    }
>   ]
> }
> EOF
> 
> ./bin/mesos-master.sh --work_dir=/tmp/mesos/master \
>                      --authenticate_http \
>                      --log_dir=/tmp/mesos/logs/master \
>                      --http_credentials=file:///tmp/credentials.txt \
>                      --acls=file:///tmp/acls.json &
> ./bin/mesos-slave.sh --work_dir=/tmp/mesos/slave \
>                      --master=127.0.0.1:5050 \
>                      --authenticate_http \
>                      --http_credentials=file:///tmp/credentials.txt \
>                      --acls=file:///tmp/acls.json &
> 
> # Following requests succeed (200 OK response)
> http http://localhost:5051/monitor/statistics -a foo:bar
> http http://localhost:5051/monitor/statistics.json -a foo:bar
> http http://localhost:5051/monitor/containers -a foo:bar
> 
> # Following requests fail (403 forbidden response)
> http http://localhost:5051/monitor/statistics -a baz:bar
> http http://localhost:5051/monitor/statistics.json -a baz:bar
> http http://localhost:5051/monitor/containers -a baz:bar
> 
> ```
> 
> 
> Thanks,
> 
> Alexander Rojas
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message