mesos-reviews mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Vinod Kone <vinodk...@gmail.com>
Subject Re: Review Request 49201: Added validation for the `get_endpoints` ACL.
Date Fri, 01 Jul 2016 00:23:36 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/49201/#review140283
-----------------------------------------------------------


Fix it, then Ship it!





src/common/http.cpp (line 73)
<https://reviews.apache.org/r/49201/#comment205659>

    Can you add a comment about what this hashset represents?



src/common/http.cpp (line 79)
<https://reviews.apache.org/r/49201/#comment205660>

    extra blank line.



src/common/http.cpp (line 614)
<https://reviews.apache.org/r/49201/#comment205658>

    s/does/is/



src/common/http.cpp (line 719)
<https://reviews.apache.org/r/49201/#comment205663>

    const & ?



src/common/http.cpp (line 738)
<https://reviews.apache.org/r/49201/#comment205661>

    s/does/is/


- Vinod Kone


On June 29, 2016, 3:33 p.m., Alexander Rojas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/49201/
> -----------------------------------------------------------
> 
> (Updated June 29, 2016, 3:33 p.m.)
> 
> 
> Review request for mesos, Adam B, Jan Schlicht, and Till Toenshoff.
> 
> 
> Bugs: MESOS-5707
>     https://issues.apache.org/jira/browse/MESOS-5707
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> The fact that not all endpoints can be secure through ACLs, yet
> the ACL is called `get_endpoints`, can be confusing for operators.
> Therefore, if an operator tries to launch an agent/master with an
> invalid configuration an error is generated.
> 
> 
> Diffs
> -----
> 
>   src/authorizer/local/authorizer.cpp 3fade4168face1cb80b30c9b69b31d9eb4126222 
>   src/common/http.hpp 55bd0ac81af80c656a4a80766a3e4b21db9cf0cf 
>   src/common/http.cpp 95e8fb672b49a00860c64f818cc734fa22cf3516 
>   src/slave/http.cpp 44d8cc98c0c1ada9d5313a3fe5c66029c9c373c6 
>   src/slave/slave.hpp 2afd7d152dcd2f5390014cd7bd4e926b62c292d1 
>   src/tests/authorization_tests.cpp 9b99da138fa27a725738d70bd99e889b108b44ae 
>   src/tests/scheduler_driver_tests.cpp 217185780e3576faf633dd9629ae93a275fac284 
> 
> Diff: https://reviews.apache.org/r/49201/diff/
> 
> 
> Testing
> -------
> 
> `make check` and following scripts:
> 
> ```sh
> #! /usr/bin/env bash
> 
> rm -rf /tmp/mesos/*
> 
> cat <<EOF > /tmp/credentials.txt
> foo bar
> baz bar
> EOF
> 
> cat <<EOF > /tmp/acls.json
> {
>   "permissive": false,
>   "get_endpoints" : [
>    {
>      "principals" : { "values" : ["foo"] },
>      "paths" : { "values" : ["/frameworks"] }
>    }
>   ]
> }
> EOF
> 
> # Fails to start up with a message saying that `/frameworks`
> # ins't supported.
> ./bin/mesos-slave.sh --work_dir=/tmp/mesos/slave \
>                      --master=127.0.0.1:5050 \
>                      --authenticate_http \
>                      --http_credentials=file:///tmp/credentials.txt \
>                      --acls=file:///tmp/acls.json &
> 
> ```
> 
> and
> 
> 
> ```sh
> #! /usr/bin/env bash
> 
> rm -rf /tmp/mesos/*
> 
> cat <<EOF > /tmp/credentials.txt
> foo bar
> baz bar
> EOF
> 
> cat <<EOF > /tmp/acls.json
> {
>   "permissive": false,
>   "get_endpoints" : [
>    {
>      "principals" : { "values" : ["foo"] },
>      "paths" : { "values" : ["/monitor/statistics", "/monitor/statistics.json", "/containers"]
}
>    }
>   ]
> }
> EOF
> 
> ./bin/mesos-master.sh --work_dir=/tmp/mesos/master \
>                      --authenticate_http \
>                      --log_dir=/tmp/mesos/logs/master \
>                      --http_credentials=file:///tmp/credentials.txt \
>                      --acls=file:///tmp/acls.json &
> ./bin/mesos-slave.sh --work_dir=/tmp/mesos/slave \
>                      --master=127.0.0.1:5050 \
>                      --authenticate_http \
>                      --http_credentials=file:///tmp/credentials.txt \
>                      --acls=file:///tmp/acls.json &
> 
> # Following requests succeed (200 OK response)
> http http://localhost:5051/monitor/statistics -a foo:bar
> http http://localhost:5051/monitor/statistics.json -a foo:bar
> http http://localhost:5051/monitor/containers -a foo:bar
> 
> # Following requests fail (403 forbidden response)
> http http://localhost:5051/monitor/statistics -a baz:bar
> http http://localhost:5051/monitor/statistics.json -a baz:bar
> http http://localhost:5051/monitor/containers -a baz:bar
> 
> ```
> 
> 
> Thanks,
> 
> Alexander Rojas
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message