-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/38399/#review99042
-----------------------------------------------------------
Thanks for picking this up!
A few overall things that you missed (consider adding them to separate reviews that depend
on this one):
* The HTTP endpoints need to be authenticated likewise, see this example: https://github.com/apache/mesos/blob/master/src/master/http.cpp#L1245-L1275
* You need to update docs/authorization.md to include the new ACL.
Also, can you add the following people as reviewers? (hartem, jvanremoortere, kaysoky)

include/mesos/authorizer/authorizer.proto (line 74)
<https://reviews.apache.org/r/38399/#comment155868>
I think you should reconsider which ACL goes where. There are 4 maintenance endpoints
(currently):
* `/maintenance/schedule` schedules machines. This probably belongs in an ACL on its
own. (Like this new one.)
* `/machine/down` and `/machine/up` bring machines up and down. I think this falls either
in its own ACL or together with `ShutdownFramework`. Also, it's important to note that these
two actions are *not* maintenance specific. (Implementation-wise, they are restricted to
maintenance for now though.)
* `/maintenance/status` is read-only. So it might not need to be authenticated.

include/mesos/authorizer/authorizer.proto (lines 78 - 79)
<https://reviews.apache.org/r/38399/#comment155869>
Consider renaming to `machine_ids`.
You should also consider a string representation of the MachineID protobuf. (https://github.com/apache/mesos/blob/master/include/mesos/v1/mesos.proto#L164-L167)
Both fields are important for identifying a machine. The hostname is not enough.
- Joseph Wu
On Sept. 15, 2015, 3:05 a.m., Zhiwei Chen wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/38399/
> -----------------------------------------------------------
>
> (Updated Sept. 15, 2015, 3:05 a.m.)
>
>
> Review request for mesos.
>
>
> Bugs: mesos-2222
> https://issues.apache.org/jira/browse/mesos-2222
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Add ACLs for the maintenance HTTP endpoints
>
>
> Diffs
> -----
>
> include/mesos/authorizer/authorizer.hpp d667a52f90f970a313580446a5a006cec4b5e25b
> include/mesos/authorizer/authorizer.proto 86bbb45f9d91b4098a262e3e50a793f3bb39497e
> src/authorizer/local/authorizer.hpp 32de102fd588f029882ef2222121ca83a7410c65
> src/authorizer/local/authorizer.cpp 6d7da87731a438c2180cf91003e09d4aa5a1c773
> src/master/flags.cpp 80879611fbcfd764c9fc8f60a31613a9c8fc2364
>
> Diff: https://reviews.apache.org/r/38399/diff/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Zhiwei Chen
>
>