mesos-reviews mailing list archives

From Alexander Rojas <alexan...@mesosphere.io>
Subject Re: Review Request 58964: Added authorization support for operator endpoints.
Date Fri, 19 May 2017 13:38:51 GMT


> On May 17, 2017, 11:57 a.m., Adam B wrote:
> > include/mesos/authorizer/acls.proto
> > Lines 364 (patched)
> > <https://reviews.apache.org/r/58964/diff/3/?file=1716675#file1716675line364>
> >
> >     Why do we think `machines` is the entity we want to authorize on? What if we decide we want to authorize on `schedules` in the future? This required field isn't very flexible.
> >     Also, why not `agents` like in `RegisterAgent` above. Is there a distinction between agents and machines?

Schedules could be an interesting way to authorize, but they would also define a rather complex
object which is not easy to specify by an entity. Moreover, a schedule is a beginning time,
a duration and a set of machines. How do you define equality on them? Does it make sense to
say that someone is authorized to create a schedule at certain times and not at others? Likewise,
a machine could contain multiple agents. So what does it mean to be able to authorize one agent
but not another on the same machine? That is why I decided machines made much more sense.


Moreover, the request to set a maintenance schedule comes with a set of `machines_id`, which
makes authorization much easier and more intuitive than using `agent_id` or any other.


> On May 17, 2017, 11:57 a.m., Adam B wrote:
> > include/mesos/authorizer/authorizer.proto
> > Lines 58 (patched)
> > <https://reviews.apache.org/r/58964/diff/3/?file=1716676#file1716676line58>
> >
> >     Unused?!?

Sorry, originally I was planning to have the request use the machine ID to be authorized. I
still think it makes sense to give the machine ID, which the authorizer could ignore. Let's
decide on that.


- Alexander


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58964/#review175224
-----------------------------------------------------------


On May 12, 2017, 2:51 p.m., Alexander Rojas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58964/
> -----------------------------------------------------------
> 
> (Updated May 12, 2017, 2:51 p.m.)
> 
> 
> Review request for mesos, Adam B and Greg Mann.
> 
> 
> Bugs: MESOS-7415
>     https://issues.apache.org/jira/browse/MESOS-7415
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Adds the actions `UPDATE_MAINTENANCE_SCHEDULE`,
> `GET_MAINTENANCE_SCHEDULE`, `START_MAINTENANCE`, `STOP_MAINTENANCE`
> and `GET_MAINTENANCE_STATUS` to the authorizer API as well as the
> necessary code to handle these new actions.
> 
> 
> Diffs
> -----
> 
>   include/mesos/authorizer/acls.proto ae0b1ea2e6417d186b1606542d75f3a20e0811db
>   include/mesos/authorizer/authorizer.proto c9184d151befa4cea9bdebb36a315c760e6424b2
>   src/authorizer/local/authorizer.cpp 89aaf4b712d337d519445c922606789c334e5101
>   src/tests/authorization_tests.cpp 32aa6ac4db7854507127ea2fb88b3e92daa277c0
> 
> 
> Diff: https://reviews.apache.org/r/58964/diff/3/
> 
> 
> Testing
> -------
> 
> make check
> 
> 
> Thanks,
> 
> Alexander Rojas
> 
>
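
The per-machine check argued for in the reply above, as an added example that is not part of the original message or of the Mesos code base: a schedule update is authorized only if every machine named in any of its windows is permitted for the principal, and the window times play no part. The types `Entity`, `MaintenanceAcl` and `Window`, the function names, the sample data, and the first-match, deny-by-default policy are all assumptions made for illustration.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Simplified stand-ins for this example; not the Mesos protobuf types.
struct Entity {
  enum Type { SOME, ANY, NONE } type;
  std::set<std::string> values;  // Consulted only when type == SOME.
  bool matches(const std::string& v) const {
    return type == ANY || (type == SOME && values.count(v) > 0);
  }
};
struct MaintenanceAcl { Entity principals; Entity machines; };
// Start and duration travel with the request but play no part in the decision.
struct Window { long start; long duration; std::vector<std::string> machineIds; };

// Assumed policy: the first rule naming the principal decides; no rule means deny.
bool machineAllowed(const std::vector<MaintenanceAcl>& acls,
                    const std::string& principal, const std::string& machine) {
  for (const MaintenanceAcl& acl : acls)
    if (acl.principals.matches(principal)) return acl.machines.matches(machine);
  return false;
}

// Machines in the schedule the principal may not touch; empty means authorized.
std::set<std::string> deniedMachines(const std::vector<MaintenanceAcl>& acls,
                                     const std::string& principal,
                                     const std::vector<Window>& schedule) {
  std::set<std::string> denied;
  for (const Window& w : schedule)
    for (const std::string& m : w.machineIds)
      if (!machineAllowed(acls, principal, m)) denied.insert(m);
  return denied;
}

// Constructed sample data: "ops" is limited to two machines, "admin" may use any.
std::vector<MaintenanceAcl> sampleAcls() {
  return {{{Entity::SOME, {"ops"}}, {Entity::SOME, {"rack1-a", "rack1-b"}}},
          {{Entity::SOME, {"admin"}}, {Entity::ANY, {}}}};
}
std::vector<Window> sampleSchedule() {
  return {{1000, 3600, {"rack1-a", "rack1-b"}}, {9000, 600, {"rack1-a", "rack2-a"}}};
}

int main() {
  for (const std::string& m : deniedMachines(sampleAcls(), "ops", sampleSchedule()))
    std::cout << "ops denied on " << m << "\n";
}
```

Returning the set of denied machines rather than a bare boolean lets the caller reject the whole request while logging exactly which machine IDs caused the denial.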

