mesos-reviews mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alexander Rojas <alexan...@mesosphere.io>
Subject Re: Review Request 56178: Enabled the authorizer to work with MULTI_ROLE frameworks.
Date Fri, 10 Feb 2017 12:22:06 GMT


> On Feb. 9, 2017, 10:59 p.m., Benjamin Mahler wrote:
> > src/master/master.cpp, lines 2533-2535
> > <https://reviews.apache.org/r/56178/diff/8/?file=1628303#file1628303line2533>
> >
> >     Longer term, are there any thoughts on how we might be able to know which role
is not authorized? E.g. getting the authorization message via `Future<Option<Error>>`?

We don't have any plans on getting an unauthorization message. Not only that, but when we
were designing the system we purposely decided not to do it and only give a message if there
was an authorization failure, not if the request is unauthorize. Why doing it like that? for
the same reason when you fail to authenticate on a website you get a message saying that either
your email or your password are wrong. We don't want to give hints to a malicious user on
hoe to actually succeed in the request.


- Alexander


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56178/#review165014
-----------------------------------------------------------


On Feb. 10, 2017, 12:27 p.m., Benjamin Bannier wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56178/
> -----------------------------------------------------------
> 
> (Updated Feb. 10, 2017, 12:27 p.m.)
> 
> 
> Review request for mesos, Adam B, Alexander Rojas, and Benjamin Mahler.
> 
> 
> Bugs: MESOS-7022
>     https://issues.apache.org/jira/browse/MESOS-7022
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> This updates the local authorizer so that MULTI_ROLE frameworks can be
> authorized.
> 
> For non-MULTI_ROLE frameworks we continue to support use of the
> deprecated 'value' field in the authorization request's 'Object';
> however for MULTI_ROLE frameworks the 'value' field will not be set,
> and authorizers still relying on it should be updated to instead use
> the object's 'framework_info' field to extract roles to authorize
> against from.
> 
> 
> Diffs
> -----
> 
>   src/authorizer/local/authorizer.cpp b98e1fcdf2ee5ec1f6ac0be6f8accdefaa390a09 
>   src/master/master.cpp 620919ecfe85367b5c1281afc5216cc20e5e2e3c 
> 
> Diff: https://reviews.apache.org/r/56178/diff/
> 
> 
> Testing
> -------
> 
> Tested on various configurations in internal CI.
> 
> 
> Thanks,
> 
> Benjamin Bannier
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message