Subject: Re: WebUI authentication in 1.0.0-rc1
From: Evers Benno
To: dev@mesos.apache.org
Date: Fri, 10 Jun 2016 18:46:07 +0200
Message-ID: <575AEECF.5020108@yandex-team.ru>
References: <5751CE26.3020500@yandex-team.ru> <5755423D.9090408@yandex-team.ru>

Sure, it looks like this, not very imaginative. There is currently no
authorization on the agents.
{
  "permissive": false,
  [...] // Here is the previous ACL with actions "run_tasks" and "register_frameworks"
  "get_endpoints": [
    { "principals": {"type": "ANY"}, "paths": {"type": "ANY"} }
  ],
  "view_frameworks": [
    { "principals": {"type": "ANY"}, "users": {"type": "ANY"} }
  ],
  "view_tasks": [
    { "principals": {"type": "ANY"}, "users": {"type": "ANY"} }
  ],
  "view_executors": [
    { "principals": {"type": "ANY"}, "users": {"type": "ANY"} }
  ],
  "access_sandboxes": [
    { "principals": {"type": "ANY"}, "users": {"type": "ANY"} }
  ],
  "access_mesos_logs": [
    { "principals": {"type": "ANY"}, "logs": {"type": "ANY"} }
  ]
}

On 10.06.2016 00:17, Greg Mann wrote:
> Benno,
> Would you mind providing more information on the ACL definitions that you
> used to gain full access to the web UI? I'm working on some more
> documentation for this. Also, did you have authorization enabled on the
> agents as well?
>
> Cheers,
> Greg
>
> On Wed, Jun 8, 2016 at 7:43 AM, Neil Conway wrote:
>
>> On Wed, Jun 8, 2016 at 4:27 PM, Alexander Rojas wrote:
>>> I think we should also think more thoroughly about the expected behaviour
>>> when we introduce new authorizable actions (and we most certainly will).
>>> Since things may break particularly if users set the `permissive` ACL
>>> field to false.
>>>
>>> Perhaps initially, if no ACL is given for the new action we print a
>>> warning message and behave as if the field had an ACL such as
>>>
>>> ```
>>> {
>>>   "principals": {"type": "ANY"},
>>>   "action": {"type": "ANY"}
>>> }
>>> ```
>>
>> An ACL configuration that omits any rules for a particular action is
>> not an invalid way to configure the system. e.g., suppose we added the
>> "/teardown" endpoint in Mesos 1.1, along with the
>> "teardown_frameworks" ACL. A perfectly reasonable way to configure the
>> behavior "no one should be allowed to use the /teardown endpoint" is
>> an ACL configuration that has "permissive: false" and doesn't
>> otherwise mention "teardown_frameworks".
>>
>> The situation here is a little unusual, because we're introducing ACLs
>> for behavior that was previously not covered by the authorization
>> system, rather than new functionality. But overall, I think the
>> situation can be addressed by documenting the new behavior
>> *prominently* in the release notes / upgrade docs -- anyone upgrading
>> to a non-patch release should be reading that document anyway, and the
>> required changes will usually be straightforward.
>>
>> Neil
>>
>
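The ACL document above and Neil's "permissive: false plus an unmentioned action" case are easy to misread, so here is an added example (editor's code, not Mesos's authorizer) that evaluates requests against a Mesos-style ACL JSON document. It models the first-match rule as I understand the local authorizer: the first entry whose subject and object both cover the request decides, "ANY" permits everything, "NONE" covers everything but permits nothing (a deny entry), a "values" list permits only the listed names, and the top-level "permissive" flag (default true) decides when nothing matches. Treat those semantics as an assumption to check against the authorization docs of your release. The sample ACL is constructed from the one posted in the mail with the elided part dropped and a deny entry for a "guest" principal added; "teardown_frameworks" is Neil's hypothetical action, and the "later release" action list is invented to show the pre-upgrade check.

```python
"""Toy evaluator for Mesos-style ACL JSON (added example, not Mesos code).

Assumed semantics: walk the entries for an action in order; the first entry
whose subject and object both cover the request decides, and it permits only
if both also allow.  "ANY" covers and allows everything; "NONE" covers
everything but allows nothing (a deny entry); a "values" list covers/allows
only the listed names.  With no matching entry, "permissive" (default true)
decides.
"""
import json


def _kind(entity):
    # {"type": "ANY"}, {"type": "NONE"} or {"values": [...]} (implicit SOME)
    return entity.get("type", "SOME")


def _covers(entity, value):
    # NONE deliberately covers the request: that is how a deny entry catches it.
    if _kind(entity) in ("ANY", "NONE"):
        return True
    return value in entity.get("values", [])


def _allows(entity, value):
    kind = _kind(entity)
    if kind == "ANY":
        return True
    if kind == "NONE":
        return False
    return value in entity.get("values", [])


def authorize(acls, action, principal, obj):
    """True if `principal` may perform `action` on `obj` under `acls`."""
    for entry in acls.get(action, []):
        subject = entry["principals"]
        # Each entry has exactly one object field besides "principals"
        # ("paths", "users", "logs", ...); its name depends on the action.
        object_key = next(k for k in entry if k != "principals")
        target = entry[object_key]
        if _covers(subject, principal) and _covers(target, obj):
            return _allows(subject, principal) and _allows(target, obj)
    return bool(acls.get("permissive", True))


def unmentioned_actions(acls, known_actions):
    """Actions the authorizer knows but the ACL document never lists.

    With "permissive": false every one of these is denied for everyone,
    which is the upgrade hazard discussed in the thread.  Run this against
    the action list of the release you are upgrading to.
    """
    return sorted(a for a in known_actions if a not in acls)


# Constructed sample: the posted ACL minus the elided part, with a deny entry
# for principal "guest" placed first to show that entry order matters.
ACLS = json.loads("""
{
  "permissive": false,
  "get_endpoints": [
    { "principals": {"values": ["guest"]}, "paths": {"type": "NONE"} },
    { "principals": {"type": "ANY"}, "paths": {"type": "ANY"} }
  ],
  "view_frameworks": [
    { "principals": {"type": "ANY"}, "users": {"type": "ANY"} }
  ],
  "access_mesos_logs": [
    { "principals": {"type": "ANY"}, "logs": {"type": "ANY"} }
  ]
}
""")

# Hypothetical action set of a later release, including Neil's example
# "teardown_frameworks", which the ACL above never mentions.
LATER_RELEASE_ACTIONS = ["get_endpoints", "view_frameworks", "view_tasks",
                         "access_mesos_logs", "teardown_frameworks"]

if __name__ == "__main__":
    print(authorize(ACLS, "get_endpoints", "ops", "/metrics/snapshot"))
    print(authorize(ACLS, "get_endpoints", "guest", "/metrics/snapshot"))
    print(authorize(ACLS, "teardown_frameworks", "ops", "fw-1"))
    print(unmentioned_actions(ACLS, LATER_RELEASE_ACTIONS))
```

The last call is the check worth scripting before flipping "permissive" to false on an upgrade: any action it prints is one that no principal will be able to perform until the ACL document names it, which is exactly the outcome Neil describes as intended for "teardown_frameworks" and Alexander warns will surprise operators for actions they did not mean to lock down.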