mesos-reviews mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Benjamin Bannier <benjamin.bann...@mesosphere.io>
Subject Re: Review Request 53541: Added authorization actions for Nested Container and Debug API.
Date Mon, 28 Nov 2016 17:08:56 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53541/#review157028
-----------------------------------------------------------




src/authorizer/local/authorizer.cpp (line 502)
<https://reviews.apache.org/r/53541/#comment227411>

    Fits on one line.



src/authorizer/local/authorizer.cpp (line 511)
<https://reviews.apache.org/r/53541/#comment227412>

    The `const` is redundant here, mind cleaning it up here and above in a case?



src/authorizer/local/authorizer.cpp (lines 479 - 480)
<https://reviews.apache.org/r/53541/#comment227434>

    You could remove one level of nesting here, e.g.,
    
        if (object->command_info != nullptr &&
            object->command_info->has_user()) { ...



src/authorizer/local/authorizer.cpp (line 508)
<https://reviews.apache.org/r/53541/#comment227429>

    This can go now, right?



src/authorizer/local/authorizer.cpp (line 545)
<https://reviews.apache.org/r/53541/#comment227438>

    Mind adding a small comment here explicitly mentioning the approval policy?



src/authorizer/local/authorizer.cpp (lines 554 - 555)
<https://reviews.apache.org/r/53541/#comment227430>

    Move this down to the first use.



src/authorizer/local/authorizer.cpp (line 569)
<https://reviews.apache.org/r/53541/#comment227461>

    I think this behaves incorrectly for some cases when `permissive==true` and the presence
of an explicit deny rule only for `userApprover_`. We might here fallback to `permissive`
in `parentApprover_` before ever examing the rule in `userApprover_`.
    
    Instead I think you should create the subapprovers with `permissive=false` and handle
permissive mode here explicitly.


- Benjamin Bannier


On Nov. 28, 2016, 5:42 p.m., Alexander Rojas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/53541/
> -----------------------------------------------------------
> 
> (Updated Nov. 28, 2016, 5:42 p.m.)
> 
> 
> Review request for mesos, Adam B, Kapil Arya, Kevin Klues, and Till Toenshoff.
> 
> 
> Bugs: MESOS-6474
>     https://issues.apache.org/jira/browse/MESOS-6474
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Creates new authorization action for all the API's related to
> nested containers. This patch does not add the code necesary to
> call use those actions, this is done in a latter patch.
> 
> 
> Diffs
> -----
> 
>   include/mesos/authorizer/acls.proto e3fd6a4a1b617a75714ebd6e08ab10cffa1a7d1b 
>   include/mesos/authorizer/authorizer.hpp 3cd0f84e25c0ea91a6f20eba26341a1b830d8cf2 
>   include/mesos/authorizer/authorizer.proto 0696a629ac2d2b9950e20708f0c3666b58ff7ca0

>   src/authorizer/local/authorizer.cpp 77e05dd2475d6e7511e7c7eeea578ec31ff3d198 
>   src/tests/authorization_tests.cpp d23f551c2caa454da0c0f6cb7d77a8c2bd75a474 
> 
> Diff: https://reviews.apache.org/r/53541/diff/
> 
> 
> Testing
> -------
> 
> make check
> 
> 
> Thanks,
> 
> Alexander Rojas
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message