mesos-reviews mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alexander Rojas <alexan...@mesosphere.io>
Subject Re: Review Request 49313: Added the VIEW_FLAGS authorization action.
Date Tue, 28 Jun 2016 22:51:36 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/49313/
-----------------------------------------------------------

(Updated June 28, 2016, 10:51 p.m.)


Review request for mesos, Adam B, Joerg Schad, Till Toenshoff, and Vinod Kone.


Changes
-------

fixed a typo in the description -- @vinodkone


Bugs: MESOS-5705
    https://issues.apache.org/jira/browse/MESOS-5705


Repository: mesos


Description (updated)
-------

Adds again authorization for flags. Instead of being part of
`get_endpoints` it uses its own action `VIEW_FLAGS` which is
used to restrict access to the `/flags` endpoint, as well as
to filter the results of the `/state` endpoint on both master
and agents.


Diffs
-----

  include/mesos/authorizer/acls.proto a6d93cd2cb9161a98565b22e50b06aac4931a671 
  include/mesos/authorizer/authorizer.proto fc76796022a6fa3d36a1447c476980868d42c2d0 
  src/authorizer/local/authorizer.cpp 3fade4168face1cb80b30c9b69b31d9eb4126222 
  src/common/http.hpp 55bd0ac81af80c656a4a80766a3e4b21db9cf0cf 
  src/common/http.cpp 95e8fb672b49a00860c64f818cc734fa22cf3516 
  src/master/http.cpp e089fe960779f39b3321f2ec81ab2acc17d53641 
  src/slave/http.cpp 44d8cc98c0c1ada9d5313a3fe5c66029c9c373c6 
  src/tests/authorization_tests.cpp 9b99da138fa27a725738d70bd99e889b108b44ae 
  src/tests/master_authorization_tests.cpp 81804e0522fd6b26155732af08e33c4d0bb0a8fe 
  src/tests/slave_authorization_tests.cpp 78221e200d9b7880cc474f1acef92c5dec1c8e25 

Diff: https://reviews.apache.org/r/49313/diff/


Testing
-------

- `make check`
- manual tests with browsers.
- Used the script:
 
```sh
#! /usr/bin/env bash

rm -rf /tmp/mesos/*

cat <<EOF > /tmp/credentials.txt
foo bar
baz bar
EOF

cat <<EOF > /tmp/acls.json
{
  "permissive": false,
  "view_flags" : [
   {
     "principals" : { "values" : ["foo"] },
     "flags" : { "type" : "ANY" }
   },
   {
     "principals" : { "values" : ["foo"] },
     "flags" : { "type" : "NONE" }
   }
  ]
}
EOF

./bin/mesos-master.sh --work_dir=/tmp/mesos/master \
                     --authenticate_http \
                     --log_dir=/tmp/mesos/logs/master \
                     --http_credentials=file:///tmp/credentials.txt \
                     --acls=file:///tmp/acls.json &
./bin/mesos-slave.sh --work_dir=/tmp/mesos/slave \
                     --master=127.0.0.1:5050 \
                     --authenticate_http \
                     --http_credentials=file:///tmp/credentials.txt \
                     --acls=file:///tmp/acls.json &

# Returns a 200 OK Response with the contents of the flags
# in JSON object
http GET http://127.0.0.1:5050/flags -a foo:bar
http GET http://127.0.0.1:5051/flags -a foo:bar

# Returned JSON contains a `flags` entry with all the flags.
http GET http://127.0.0.1:5050/state -a foo:bar
http GET http://127.0.0.1:5051/state -a foo:bar

# 403 Forbidden response
http GET http://127.0.0.1:5050/flags -a baz:bar
http GET http://127.0.0.1:5051/flags -a baz:bar

# Returned JSON doesn't include flags information.
http GET http://127.0.0.1:5050/state -a baz:bar
http GET http://127.0.0.1:5051/state -a baz:bar
```


Thanks,

Alexander Rojas


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message