> On April 8, 2017, 1:30 a.m., Greg Mann wrote:
> > For some reason I'm having trouble replying to your previous comment, so I'll post a new one :)
> >
> > I think that it makes sense to have claims in the `authorization::Subject`, since
> > this maps directly onto the `Principal` provided by the client. However, in the case of the
> > `authorization::Object`, I don't think that the agent should dictate the use of particular
> > claims there. For example, a custom authorizer might have a different way to determine which
> > `ContainerID`s a principal should be able to launch containers within. I don't think that
> > we should leak the specific claim keys used by the `SecretGenerator` into the `authorization::Object`,
> > since in the future we will make the `SecretGenerator` modular and the claims within the executor
> > token could be different for a custom generator. Does that make sense?
Your answer does make sense to me.
- Alexander
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58253/#review171388
-----------------------------------------------------------
On April 7, 2017, 5:33 a.m., Greg Mann wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58253/
> -----------------------------------------------------------
>
> (Updated April 7, 2017, 5:33 a.m.)
>
>
> Review request for mesos, Adam B, Alexander Rojas, Till Toenshoff, and Vinod Kone.
>
>
> Bugs: MESOS-7014
> https://issues.apache.org/jira/browse/MESOS-7014
>
>
> Repository: mesos
>
>
> Description
> -------
>
> This patch adds a new member, `container_id`, to the
> `ObjectApprover::Object` to facilitate implicit executor
> authorization.
>
>
> Diffs
> -----
>
> include/mesos/authorizer/authorizer.hpp 75801ccc753a60ce5e5979b6723fd2294ce7ffe5
> include/mesos/authorizer/authorizer.proto 736f76d552956f2351ffd40fc51d088dff83f8c8
> src/authorizer/local/authorizer.cpp e241edf4afa48d35dbbbb94d72e8e8690f5bedfc
>
>
> Diff: https://reviews.apache.org/r/58253/diff/1/
>
>
> Testing
> -------
>
> Testing details can be found at the end of this chain.
>
>
> Thanks,
>
> Greg Mann
>
>