mesos-reviews mailing list archives

From Adam B <a...@mesosphere.io>
Subject Re: Review Request 56178: Enabled the authorizer to work with MULTI_ROLE frameworks.
Date Fri, 10 Feb 2017 11:06:34 GMT


> On Feb. 9, 2017, 1:59 p.m., Benjamin Mahler wrote:
> > src/authorizer/local/authorizer.cpp, line 248
> > <https://reviews.apache.org/r/56178/diff/8/?file=1628302#file1628302line248>
> >
> >     Not yours, but I find it rather confusing as to what the object value is, looking at the other code, is it the role? It would be nice to clarify how one figures out what `value` represents.

That's part of the reason why we're moving away from 'value' to more explicit FrameworkInfo/FooInfos,
from which the authorizer can authorize based on any/many fields.

Until then, the best documentation is in authorizer.proto:
```
  // `REGISTER_FRAMEWORK` will have an object with `FrameworkInfo` set.
  // The `_WITH_ROLE` alias is deprecated and will be removed after
  // Mesos 1.2's deprecation cycle ends. The `value` field will continue
  // to be set until that time.
  REGISTER_FRAMEWORK = 1;
  REGISTER_FRAMEWORK_WITH_ROLE = 1;
```


- Adam


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56178/#review165014
-----------------------------------------------------------


On Feb. 9, 2017, 1:26 a.m., Benjamin Bannier wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56178/
> -----------------------------------------------------------
> 
> (Updated Feb. 9, 2017, 1:26 a.m.)
> 
> 
> Review request for mesos, Adam B, Alexander Rojas, and Benjamin Mahler.
> 
> 
> Bugs: MESOS-7022
>     https://issues.apache.org/jira/browse/MESOS-7022
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> This updates the local authorizer so that MULTI_ROLE frameworks can be
> authorized.
> 
> For non-MULTI_ROLE frameworks we continue to support use of the
> deprecated 'value' field in the authorization request's 'Object';
> however for MULTI_ROLE frameworks the 'value' field will not be set,
> and authorizers still relying on it should be updated to instead use
> the object's 'framework_info' field to extract roles to authorize
> against from.
> 
> 
> Diffs
> -----
> 
>   src/authorizer/local/authorizer.cpp b98e1fcdf2ee5ec1f6ac0be6f8accdefaa390a09 
>   src/master/master.cpp 620919ecfe85367b5c1281afc5216cc20e5e2e3c 
> 
> Diff: https://reviews.apache.org/r/56178/diff/
> 
> 
> Testing
> -------
> 
> Tested on various configurations in internal CI.
> 
> 
> Thanks,
> 
> Benjamin Bannier
> 
>
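
The migration described in the review request (the deprecated `value` field for non-MULTI_ROLE frameworks, `framework_info` for MULTI_ROLE ones), sketched as an added example that is not code from the Mesos tree or from this review. The structs are simplified, hypothetical stand-ins for the protobuf messages; requiring every role to be allowed and denying a request that names no role are assumptions of this sketch.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Hypothetical stand-ins for the protobuf messages, not the Mesos types.
struct FrameworkInfo {
  std::string role = "*";          // Single role of a non-MULTI_ROLE framework.
  std::vector<std::string> roles;  // Roles of a MULTI_ROLE framework.
  bool multiRole = false;          // Stands in for the MULTI_ROLE capability.
};

struct Object {
  bool hasValue = false;           // Deprecated field; unset for MULTI_ROLE.
  std::string value;
  bool hasFrameworkInfo = false;
  FrameworkInfo frameworkInfo;
};

// Roles a REGISTER_FRAMEWORK request must be authorized against.
// Prefers framework_info and falls back to the deprecated value field.
std::vector<std::string> rolesToAuthorize(const Object& object) {
  if (object.hasFrameworkInfo) {
    const FrameworkInfo& info = object.frameworkInfo;
    if (info.multiRole) return info.roles;
    return std::vector<std::string>(1, info.role);
  }
  if (object.hasValue) return std::vector<std::string>(1, object.value);
  return std::vector<std::string>();  // Nothing to authorize against.
}

// Assumption: approve only if every requested role is in the allowed set,
// and deny (fail closed) when the request names no role at all.
bool authorizeRegistration(const Object& object,
                           const std::set<std::string>& allowed) {
  const std::vector<std::string> roles = rolesToAuthorize(object);
  if (roles.empty()) return false;
  for (size_t i = 0; i < roles.size(); ++i) {
    if (allowed.count(roles[i]) == 0) return false;
  }
  return true;
}

int main() {
  std::set<std::string> allowed;   // Constructed sample ACL.
  allowed.insert("analytics");
  Object legacy;                   // Constructed legacy-style request.
  legacy.hasValue = true;
  legacy.value = "analytics";
  std::cout << authorizeRegistration(legacy, allowed) << "\n";
  return 0;
}
```

An authorizer that reads only `value` would see nothing to check for a MULTI_ROLE framework, which is why the sketch treats an empty role list as a denial rather than an implicit approval.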

