mesos-reviews mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alexander Rojas <alexan...@mesosphere.io>
Subject Re: Review Request 59147: Enabled authorization for v1 calls starting and stopping maintenance.
Date Wed, 07 Jun 2017 12:57:30 GMT


> On June 2, 2017, 4:44 a.m., Greg Mann wrote:
> > src/master/http.cpp
> > Lines 4482-4483 (patched)
> > <https://reviews.apache.org/r/59147/diff/4/?file=1734445#file1734445line4482>
> >
> >     Following on my previous comment regarding calls to `approved` which return
an error: let's try to establish some consistent endpoint behavior when authorization attempts
return an error.
> >     
> >     I think that the approach that you use here seems reasonable: if any authorization
request returns an error, then fail the request. But if we do this here, we should probably
do it elsewhere as well.
> >     
> >     I don't think the behavior of the endpoint when all authorization requests are
successful should influence its behavior in the presence of an error from the authorizer.
i.e., this endpoint has all-or-nothing authorization semantics when all authorization requests
succeed, and GET_MAINTENANCE_STATUS has filtering-type semantics when all authorization requests
succeed. However, I would argue that they should both have the same semantics in the presence
of errors from the authorizer.
> >     
> >     WDYT?

It is common for all the endpoints that do some filtering to just treat error's as false while
returning an internal server error if there is an error. While I understand your point, and
share it, I don't want to break the pattern by trying to solve it here. It would be better
to open a Jira and fix them all at once. Although what should be the solution, that I do not
know.


- Alexander


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59147/#review176726
-----------------------------------------------------------


On June 1, 2017, 4:57 p.m., Alexander Rojas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59147/
> -----------------------------------------------------------
> 
> (Updated June 1, 2017, 4:57 p.m.)
> 
> 
> Review request for mesos, Adam B, Greg Mann, and Till Toenshoff.
> 
> 
> Bugs: MESOS-7415
>     https://issues.apache.org/jira/browse/MESOS-7415
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Enables the use of authorization for the `START_MAINTENANCE` and
> `STOP_MAINTENANCE` v1 API calls, using the ACLs `StartMaintenance`
> and `StopMaintenance` respectively as well the actions of the same
> name as the API calls.
> 
> It also updates the ApiTests to take into account the authorization
> case.
> 
> 
> Diffs
> -----
> 
>   src/master/http.cpp 7060b8fa53e0682681c50e051908ffbbf50fb7da 
>   src/tests/api_tests.cpp faf3242f9c86d866c4bb5e457fcfe47c1063cc09 
> 
> 
> Diff: https://reviews.apache.org/r/59147/diff/4/
> 
> 
> Testing
> -------
> 
> make check
> 
> 
> Thanks,
> 
> Alexander Rojas
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message