mesos-issues mailing list archives

From "Yan Xu (JIRA)" <j...@apache.org>
Subject [jira] [Created] (MESOS-7257) LocalAuthorizer handles request subject being NONE which never happens
Date Thu, 16 Mar 2017 17:19:41 GMT
Yan Xu created MESOS-7257:
-----------------------------

             Summary: LocalAuthorizer handles request subject being NONE which never happens
                 Key: MESOS-7257
                 URL: https://issues.apache.org/jira/browse/MESOS-7257
             Project: Mesos
          Issue Type: Bug
            Reporter: Yan Xu


The {{approved}} method in the local authorizer deals with the request being {{NONE}} or {{ANY}}
according to these charts

{code:title=}
// Match matrix:
//
//                  -----------ACL----------
//
//                    SOME    NONE    ANY
//          -------|-------|-------|-------
//  |        SOME  | Yes/No|  Yes  |   Yes
//  |       -------|-------|-------|-------
// Request   NONE  |  No   |  Yes  |   No
//  |       -------|-------|-------|-------
//  |        ANY   |  No   |  Yes  |   Yes
//          -------|-------|-------|-------

// Allow matrix:
//
//                 -----------ACL----------
//
//                    SOME    NONE    ANY
//          -------|-------|-------|-------
//  |        SOME  | Yes/No|  No   |   Yes
//  |       -------|-------|-------|-------
// Request   NONE  |  No   |  Yes  |   No
//  |       -------|-------|-------|-------
//  |        ANY   |  No   |  No   |   Yes
//          -------|-------|-------|-------
{code}

However AFAICT there's not a case for the request to be {{NONE}} as the code treats a none
subject as {{ANY}}:

{code:title=}
    // Construct subject.
    if (subject_.isSome()) {
      aclSubject.add_values(subject_->value());
      aclSubject.set_type(mesos::ACL::Entity::SOME);
    } else {
      aclSubject.set_type(mesos::ACL::Entity::ANY);
    }
{code}

It feels more appropriate to use {{ACL::Entity::NONE}} to mean the subject is none but regardless
of the choice, we don't seem to need both {{ACL::Entity::NONE}} and {{ACL::Entity::ANY}} for
the request?

If so the matrices in should probably just have two rows and the code can be simplified.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
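
An added example, not part of the original message and not Mesos code: both charts encoded as one lookup over hypothetical `Type`/`Entity` stand-ins, together with the quoted subject construction, to check that the request `NONE` row is never reached and that two-row charts give the same answers. The `Yes/No` cell is assumed to mean that every request value is listed in the ACL; `alice` and `bob` are constructed principals.

```cpp
#include <set>
#include <string>
#include <vector>
// Hypothetical stand-in for an ACL entity; not the Mesos protobuf type.
enum class Type { SOME, NONE, ANY };
struct Entity { Type type; std::set<std::string> values; };

// Assumption: the "Yes/No" cell is Yes when every request value is in the ACL.
static bool covered(const Entity& req, const Entity& acl) {
  for (const auto& v : req.values)
    if (acl.values.count(v) == 0) return false;
  return true;
}

// Both charts, read by ACL column; they differ only in the NONE column.
bool lookup(bool allowChart, const Entity& req, const Entity& acl) {
  if (acl.type == Type::NONE) return !allowChart || req.type == Type::NONE;
  if (acl.type == Type::ANY) return req.type != Type::NONE;
  return req.type == Type::SOME && covered(req, acl);
}

// Same charts with the request NONE row dropped.
bool lookupTwoRows(bool allowChart, const Entity& req, const Entity& acl) {
  if (acl.type == Type::NONE) return !allowChart;
  if (acl.type == Type::ANY) return true;
  return req.type == Type::SOME && covered(req, acl);
}

// Mirrors the quoted subject construction: no subject (null) becomes ANY.
Entity makeSubject(const std::string* subject) {
  if (subject != nullptr) return Entity{Type::SOME, {*subject}};
  return Entity{Type::ANY, {}};
}

// True when the constructed sample never yields NONE and both chart sizes agree.
bool twoRowsSuffice() {
  const std::string alice = "alice", bob = "bob";  // constructed principals
  const std::vector<const std::string*> subjects = {nullptr, &alice, &bob};
  const std::vector<Entity> acls = {{Type::SOME, {"alice"}}, {Type::NONE, {}}, {Type::ANY, {}}};
  for (const std::string* s : subjects)
    for (const Entity& acl : acls)
      for (bool chart : {false, true}) {
        const Entity req = makeSubject(s);
        if (req.type == Type::NONE) return false;
        if (lookup(chart, req, acl) != lookupTwoRows(chart, req, acl)) return false;
      }
  return true;
}

int main() { return twoRowsSuffice() ? 0 : 1; }
```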
