mesos-reviews mailing list archives

From Alexander Rukletsov <ruklet...@gmail.com>
Subject Re: Review Request 47530: Added authorization to agent's '/containers' endpoint.
Date Wed, 18 May 2016 13:50:21 GMT


> On May 18, 2016, 12:55 p.m., Jan Schlicht wrote:
> > src/slave/http.cpp, line 787
> > <https://reviews.apache.org/r/47530/diff/1/?file=1386604#file1386604line787>
> >
> >     Please call `authorizeEndpoint` as soon as possible, i.e. after the endpoint has been extracted from the URL.
> >     
> >     While I like the idea of doing work in parallel, by requesting the containerizer statuses prior to the authorization, this work should only be done after the authorization was successful. Hence this part should be in the `_containers` continuation.

This will also allow us to avoid the tuple-induced mess in the header.


- Alexander


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47530/#review133719
-----------------------------------------------------------


On May 18, 2016, 12:59 p.m., Abhishek Dasgupta wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/47530/
> -----------------------------------------------------------
> 
> (Updated May 18, 2016, 12:59 p.m.)
> 
> 
> Review request for mesos, Adam B, Alexander Rukletsov, Greg Mann, Jan Schlicht, and Till Toenshoff.
> 
> 
> Bugs: MESOS-5317
>     https://issues.apache.org/jira/browse/MESOS-5317
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Used GET_ENDPOINT_WITH_PATH coarse-grained authz on agent's 
>  '/containers' endpoint to enable authorization on this endpoint.
>  Updated docs and testcases as well.
> 
> 
> Diffs
> -----
> 
>   docs/endpoints/slave/containers.md 959f40b9db4de4b6cea456ecf7bcb402f7a94f05 
>   src/slave/http.cpp fb48ec61e2fe0c83f80d3b8aa4c2ef5a96b748ae 
>   src/slave/slave.hpp 209f071448e3c52d16d3366d564003ee36b1d2e0 
>   src/tests/slave_authorization_tests.cpp 843cf1c631e0a25125ca1c0c0028ad1a920c2c2f 
> 
> Diff: https://reviews.apache.org/r/47530/diff/
> 
> 
> Testing
> -------
> 
> ## Unit tests.
> 
> On ubuntu 16.04:
> `sudo GTEST_FILTER="*SlaveEndpointTest*.*" make -j2 check`
> 
> ## Manual testing.
> 
> 1. Ran master with:
> ```
> sudo  ./bin/mesos-master.sh --ip=127.0.0.1 --work_dir=/var/lib/mesos
> ```
> 
> 2. ACL File: 
> ```
>   {
>     "get_endpoints": [
>       {
>         "principals": { "type": "NONE" },
>         "paths": { "values": ["/flags", "/monitor/statistics", "/containers"] }
>       }
>     ]
>   } 
> ```
> 
> 3. Ran slave with: 
> ```
> sudo ./bin/mesos-slave.sh --master=127.0.0.1:5050 --ip=0.0.0.0 --acls=file:///home/abhishek/testAcl
> ```
> 
> 4. Ran toy-framework with: 
> ```
> sudo ./no-executor-framework --master=master@127.0.0.1:5050 --command="echo hello"
> ```
> 
> 5. Output while hitting "http://127.0.0.1:5051/slave(1)/containers" - HTTP error 403: Forbidden
> 
> 6. Changed ACL to: 
> ```
>   {
>     "get_endpoints": [
>       {
>         "principals": { "type": "ANY" },
>         "paths": { "values": ["/flags", "/monitor/statistics", "/containers"] }
>       }
>     ]
>   }
> ```
> 
> 7. Ran slave and framework again.
> 
> 8. Output:
> ```
>     [{"container_id":"9b8a6a51-68be-4763-9c7d-b67e85fccb4a","executor_id":"42","executor_name":"Command Executor (Task: 42) (Command: sh -c 'echo hello')","framework_id":"52.......
> ```
> 
> 
> Thanks,
> 
> Abhishek Dasgupta
> 
>
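
Added example (not part of the thread and not Mesos code): a synchronous C++ sketch of the ordering requested in the review, where the handler authorizes the extracted endpoint first and only the `_containers` continuation queries the containerizer. The names `authorizeEndpoint` and `_containers` come from the thread; the types, function bodies and the allow-when-unlisted default are assumptions.

```cpp
// Added illustration; not Mesos source. Synchronous stand-in for the
// libprocess Future chain; every type below is hypothetical.
#include <algorithm>
#include <string>
#include <vector>

// One "get_endpoints" ACL entry, reduced to the manual test's two cases.
struct GetEndpointAcl {
  std::string principalsType;  // "NONE" or "ANY"
  std::vector<std::string> paths;
};

struct Response { int code; std::string body; };

// Stand-in containerizer that counts how often statuses are requested.
struct Containerizer {
  int statusQueries = 0;
  std::string statuses() {
    ++statusQueries;
    return "[{\"container_id\":\"constructed-id\"}]";  // constructed sample
  }
};

// Assumed model of authorizeEndpoint: the first ACL listing the path decides;
// a path that no ACL lists is allowed (assumption made for this sketch).
bool authorizeEndpoint(const std::vector<GetEndpointAcl>& acls,
                       const std::string& path) {
  for (const GetEndpointAcl& acl : acls) {
    if (std::find(acl.paths.begin(), acl.paths.end(), path) != acl.paths.end()) {
      return acl.principalsType == "ANY";
    }
  }
  return true;
}

// Continuation: the only place that touches the containerizer.
Response _containers(Containerizer& c) { return {200, c.statuses()}; }

// Handler: extract the endpoint, authorize at once, then continue.
Response containers(const std::vector<GetEndpointAcl>& acls, Containerizer& c,
                    const std::string& url) {
  const std::size_t slash = url.rfind('/');
  const std::string endpoint =
      slash == std::string::npos ? "/" + url : url.substr(slash);
  if (!authorizeEndpoint(acls, endpoint)) {
    return {403, "Forbidden"};  // denied: the containerizer was never queried
  }
  return _containers(c);
}
```

With the "NONE" ACL from step 2 the handler returns 403 and `statusQueries` stays at 0; with the "ANY" ACL from step 6 it returns 200 after exactly one status query.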

