From Alexander Rojas <alexan...@mesosphere.io>
Subject Review Request 47795: Enabled authorization for sandboxes.
Date Tue, 24 May 2016 21:41:05 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47795/
-----------------------------------------------------------

Review request for mesos, Adam B, Benjamin Mahler, Joerg Schad, Michael Park, and Vinod Kone.


Bugs: MESOS-5153
    https://issues.apache.org/jira/browse/MESOS-5153


Repository: mesos


Description
-------

Enables authorization of the sandboxes using the callback function
parameter of `Files::attach()`.

It also adds relevant ACLs and support on the authorizer interface.


Diffs
-----

  include/mesos/authorizer/acls.proto b178f53a299a2941afc073af963f6aff26af1ca8 
  include/mesos/authorizer/authorizer.proto 911a2271211249a41c4467f6754e9996f640bf38 
  src/authorizer/local/authorizer.cpp dc53bc4374aea98b5ed41ade5617374d2447229b 
  src/slave/slave.hpp 0de6a570e8b4699771048295ec3fcedf84593495 
  src/slave/slave.cpp 2941cf1b6ea1e4deabfcbbe3f4897c06a28531a5 

Diff: https://reviews.apache.org/r/47795/diff/


Testing
-------

On OSX, the script:

```bash
#! /usr/bin/env bash

rm -rf /tmp/mesos/*

cat <<EOF > /tmp/credentials.txt
foo bar
baz bar
EOF

cat <<EOF > /tmp/acls.json
{
  "permissive": false,
  "access_sandboxes" : [
    {
      "principals" : { "values" : ["foo"] },
      "roles" : { "values" : ["test"] }
    }
  ]
}
EOF

./mesos-master.sh --work_dir=/tmp/mesos/master &
./mesos-slave.sh --work_dir=/tmp/mesos/slave \
                 --master=127.0.0.1:5050 \
                 --authenticate_http \
                 --http_credentials=file:///tmp/credentials.txt \
                 --acls=file:///tmp/acls.json &

./mesos-execute --command='while true; do echo "Hello world"; sleep 3; done' \
                --role=test \
                --master=127.0.0.1:5050 \
                --name=echoer &

SANDBOX_VPATH=`http GET http://127.0.0.1:5051/files/debug -a foo:bar -b  --pretty=none \
     | python -c 'import json,sys;obj=json.load(sys.stdin);print obj.keys()[0]'`

# This should yield a 200 OK response
http GET http://127.0.0.1:5051/files/download?path=${SANDBOX_VPATH}/stdout -a foo:bar

# HTTP/1.1 200 OK
# Content-Disposition: attachment; filename=stdout
# Content-Length: 3267
# Content-Type: application/octet-stream
# Date: Fri, 20 May 2016 13:52:31 GMT
#
# Received SUBSCRIBED event
# Subscribed executor on localhost
# Received LAUNCH event
# Starting task echoer
# sh -c 'while true; do echo "Hello world"; sleep 3; done'
# Forked command at 26162
# Hello world
# Hello world
# Hello world
# Hello world
# Hello world

# This should yield a 403 Forbidden response
http GET http://127.0.0.1:5051/files/download?path=${SANDBOX_VPATH}/stdout -a baz:bar

# HTTP/1.1 403 Forbidden
# Content-Length: 0
# Date: Fri, 20 May 2016 13:52:37 GMT
```


Thanks,

Alexander Rojas

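To make the ACL semantics behind the 200/403 results in the test script concrete, here is an added Python model of how the local authorizer evaluates `access_sandboxes` entries: the first ACL whose subjects and objects both match decides, entity types are ANY/NONE/SOME (a bare `values` list is SOME), and a request no ACL matches falls through to `permissive`. This is example code written for this page, not code from the review or from Mesos, and the evaluation rules and the `roles` object field are assumptions taken from the script's `acls.json`.

```python
import json

# Constructed copy of the acls.json used in the review's test script.
ACLS_JSON = """
{
  "permissive": false,
  "access_sandboxes" : [
    {
      "principals" : { "values" : ["foo"] },
      "roles" : { "values" : ["test"] }
    }
  ]
}
"""


def _entity(spec):
    """Normalise an ACL entity to (kind, values): {"type": "ANY"|"NONE"} or {"values": [...]} (SOME)."""
    if "type" in spec:
        return spec["type"].upper(), set()
    return "SOME", set(spec.get("values", []))


def _matches(requested, entity):
    # ANY and NONE match every request; SOME matches only when every requested
    # value is listed (assumed rule: a NONE entity matches but never allows).
    kind, values = entity
    return kind in ("ANY", "NONE") or requested <= values


def _allows(requested, entity):
    kind, values = entity
    if kind == "ANY":
        return True
    if kind == "NONE":
        return False
    return requested <= values


def can_access_sandbox(acls, principal, role):
    """True if `principal` may read the sandbox of a task running under `role`."""
    subject, obj = {principal}, {role}
    for acl in acls.get("access_sandboxes", []):
        subj_ent, obj_ent = _entity(acl["principals"]), _entity(acl["roles"])
        if _matches(subject, subj_ent) and _matches(obj, obj_ent):
            return _allows(subject, subj_ent) and _allows(obj, obj_ent)
    # No ACL matched: the global "permissive" flag decides (defaults to open).
    return bool(acls.get("permissive", True))


if __name__ == "__main__":
    acls = json.loads(ACLS_JSON)
    print(can_access_sandbox(acls, "foo", "test"))  # True  -> the 200 OK case
    print(can_access_sandbox(acls, "baz", "test"))  # False -> the 403 Forbidden case
```

Flipping `permissive` to true in the same file makes the `baz` request succeed, which is why the script sets it to false before checking the 403.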
