mesos-reviews mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alexander Rojas <alexan...@mesosphere.io>
Subject Re: Review Request 58253: Added a ContainerID to 'ObjectApprover::Object'.
Date Wed, 12 Apr 2017 11:21:44 GMT


> On April 8, 2017, 1:30 a.m., Greg Mann wrote:
> > For some reason I'm having trouble replying to your previous comment, so I'll post
a new one :)
> > 
> > I think that it makes sense to have claims in the `authorization::Subject`, since
this maps directly onto the `Principal` provided by the client. However, in the case of the
`authorization::Object`, I don't think that the agent should dictate the use of particular
claims there. For example, a custom authorizer might have a different way to determine which
`ContainerID`s a principal should be able to launch containers within. I don't think that
we should leak the specific claim keys used by the `SecretGenerator` into the `authorization::Object`,
since in the future we will make the `SecretGenerator` modular and the claims within the executor
token could be different for a custom generator. Does that make sense?

your anser does make sense to me.


- Alexander


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58253/#review171388
-----------------------------------------------------------


On April 7, 2017, 5:33 a.m., Greg Mann wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58253/
> -----------------------------------------------------------
> 
> (Updated April 7, 2017, 5:33 a.m.)
> 
> 
> Review request for mesos, Adam B, Alexander Rojas, Till Toenshoff, and Vinod Kone.
> 
> 
> Bugs: MESOS-7014
>     https://issues.apache.org/jira/browse/MESOS-7014
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> This patch adds a new member, `container_id` to the
> `ObjectApprover::Object` to facilitate implicit executor
> authorization.
> 
> 
> Diffs
> -----
> 
>   include/mesos/authorizer/authorizer.hpp 75801ccc753a60ce5e5979b6723fd2294ce7ffe5 
>   include/mesos/authorizer/authorizer.proto 736f76d552956f2351ffd40fc51d088dff83f8c8

>   src/authorizer/local/authorizer.cpp e241edf4afa48d35dbbbb94d72e8e8690f5bedfc 
> 
> 
> Diff: https://reviews.apache.org/r/58253/diff/1/
> 
> 
> Testing
> -------
> 
> Testing details can be found at the end of this chain.
> 
> 
> Thanks,
> 
> Greg Mann
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message