mesos-issues mailing list archives

From "Alexander Rukletsov (JIRA)" <j...@apache.org>
Subject [jira] [Created] (MESOS-5369) Coarse-grained authorization of endpoints is supported only for short url paths.
Date Thu, 12 May 2016 13:34:12 GMT
Alexander Rukletsov created MESOS-5369:
------------------------------------------

             Summary: Coarse-grained authorization of endpoints is supported only for short
url paths.
                 Key: MESOS-5369
                 URL: https://issues.apache.org/jira/browse/MESOS-5369
             Project: Mesos
          Issue Type: Bug
    Affects Versions: 0.29.0
            Reporter: Alexander Rukletsov


For coarse-grained authorization actions, e.g., {{GET_ENDPOINT_WITH_PATH}}, we currently pass
the short version of the url path, i.e., {{/state}} instead of {{/master/state}}, to the authorizer
in some cases. This means that ACLs for the local authorizer will not work as expected if absolute
paths are used. Moreover, both local and modularized authorizers should be able to understand
both short url paths for endpoints that belong to the "major" actor process (e.g., master,
agent) and absolute url paths for all other actors (e.g., {{/files/browse}}, {{/metrics/snapshot}}).

One possible solution is to pass absolute paths to authorizers and let them do the necessary
processing, e.g., removing the agent id from {{/slave(id)/state}}. This will also require normalizing
endpoints from ACLs to absolute path form, similar to what we have done in MESOS-3143. Additionally,
this solution removes ambiguity which may arise for the same endpoints belonging to different
actors, e.g., {{/master/flags}} vs. {{/slave/flags}}.

Here are some code snippets to illustrate the problem and the reasons:
* https://github.com/apache/mesos/blob/eaf0d3461b3f17c9037490e873f114c2ee1c14d9/src/slave/http.cpp#L824-L833
* https://github.com/apache/mesos/blob/0104e7349a0539f38d02a0e7e23b7712ebefc201/3rdparty/libprocess/src/process.cpp#L2398
* https://github.com/apache/mesos/blob/0104e7349a0539f38d02a0e7e23b7712ebefc201/src/master/main.cpp#L247
* https://github.com/apache/mesos/blob/0104e7349a0539f38d02a0e7e23b7712ebefc201/3rdparty/libprocess/src/process.cpp#L2875



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
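
The mismatch described in the issue, and the proposed normalization of {{/slave(id)/state}} to absolute form, as an added example that is not part of the original message and not Mesos code. The helper names {{normalizePath}} and {{allowed}} are hypothetical, the ACL entries are constructed, and exact string matching against a set of permitted paths is an assumption about how a coarse-grained check compares paths.

```cpp
#include <cstddef>
#include <iostream>
#include <set>
#include <string>

// Hypothetical helper: strip a "(id)" suffix from the first path segment,
// e.g. "/slave(1)/state" -> "/slave/state". Other paths pass through.
std::string normalizePath(const std::string& path)
{
  if (path.empty() || path[0] != '/') {
    return path;
  }
  const std::size_t end = path.find('/', 1);      // End of first segment.
  const std::string first = path.substr(0, end);  // e.g. "/slave(1)".
  const std::string rest =
    end == std::string::npos ? "" : path.substr(end);

  const std::size_t open = first.find('(');
  if (open == std::string::npos || first.back() != ')') {
    return path;  // No actor id to remove.
  }
  return first.substr(0, open) + rest;
}

// Hypothetical coarse-grained check: the normalized request path must
// exactly match one of the permitted absolute paths.
bool allowed(const std::set<std::string>& acl, const std::string& path)
{
  return acl.count(normalizePath(path)) > 0;
}

int main()
{
  // Constructed ACL written with absolute paths.
  const std::set<std::string> acl = {"/master/state", "/slave/flags"};

  std::cout << std::boolalpha
            << allowed(acl, "/state") << "\n"           // Short path: no match.
            << allowed(acl, "/master/state") << "\n"    // Absolute path: match.
            << allowed(acl, "/slave(1)/flags") << "\n"  // Id stripped: match.
            << allowed(acl, "/master/flags") << "\n";   // Other actor: no match.
  return 0;
}
```

A short path such as {{/flags}} cannot be attributed to either actor, which is why the example only ever compares absolute forms.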
