mesos-reviews mailing list archives

Site index · List index

Message view	« Date » · « Thread »
Top	« Date » · « Thread »
From	Jan Schlicht <...@mesosphere.io>
Subject	Re: Review Request 47530: Added authorization to agent's '/containers' endpoint.
Date	Thu, 19 May 2016 08:09:45 GMT
----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/47530/#review133898 ----------------------------------------------------------- Fix it, then Ship it! src/slave/http.cpp <https://reviews.apache.org/r/47530/#comment198575> The `#include <tuple>` will need to be re-added when you remove the one in `slave/slave.hpp` (see issue below) src/slave/http.cpp (lines 781 - 786) <https://reviews.apache.org/r/47530/#comment198574> This `repair` is probaly in a better place if it's moved to the end of `_containers`, similar to how it was before, so it'll stay ``` return process::http::OK(result, request.url.query.get("jsonp")); }) .repair([](const Future<Response>& future) { LOG(WARNING) << "Could not collect container status and statistics: " << (future.isFailed() ? future.failure() : "discarded"); return process::http::InternalServerError(); }); } ``` src/slave/slave.hpp (line 23) <https://reviews.apache.org/r/47530/#comment198573> I think this can be removed. - Jan Schlicht On May 18, 2016, 10 p.m., Abhishek Dasgupta wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/47530/ > ----------------------------------------------------------- > > (Updated May 18, 2016, 10 p.m.) > > > Review request for mesos, Adam B, Alexander Rukletsov, Greg Mann, Jan Schlicht, and Till Toenshoff. > > > Bugs: MESOS-5317 > https://issues.apache.org/jira/browse/MESOS-5317 > > > Repository: mesos > > > Description > ------- > > Used GET_ENDPOINT_WITH_PATH coarse-grained authz on agent's > '/containers' endpoint to enable authorization on this endpoint. > Updated docs and testcases as well. > > > Diffs > ----- > > docs/endpoints/slave/containers.md 959f40b9db4de4b6cea456ecf7bcb402f7a94f05 > src/slave/http.cpp fb48ec61e2fe0c83f80d3b8aa4c2ef5a96b748ae > src/slave/slave.hpp 209f071448e3c52d16d3366d564003ee36b1d2e0 > src/tests/slave_authorization_tests.cpp 843cf1c631e0a25125ca1c0c0028ad1a920c2c2f > > Diff: https://reviews.apache.org/r/47530/diff/ > > > Testing > ------- > > ## Unit tests. > > On ubuntu 16.04: > `sudo GTEST_FILTER="SlaveEndpointTest.*" make -j2 check` > > ## Manual testing. > > 1. Ran master with: > ``` > sudo ./bin/mesos-master.sh --ip=127.0.0.1 --work_dir=/var/lib/mesos > ``` > > 2. ACL File: > ``` > { > "get_endpoints": [ > { > "principals": { "type": "NONE" }, > "paths": { "values": ["/flags", "/monitor/statistics", "/containers"] } > } > ] > } > ``` > > 3. Ran slave with: > ``` > sudo ./bin/mesos-slave.sh --master=127.0.0.1:5050 --ip=0.0.0.0 --acls=file:///home/abhishek/testAcl > ``` > > 4. Ran toy-framework with: > ``` > sudo ./no-executor-framework --master=master@127.0.0.1:5050 --command="echo hello" > ``` > > 5. Output while hitting "http://127.0.0.1:5051/slave(1)/containers" - HTTP error 403: Forbidden > > 6. Changed ACL to: > ``` > { > "get_endpoints": [ > { > "principals": { "type": "ANY" }, > "paths": { "values": ["/flags", "/monitor/statistics", "/containers"] } > } > ] > } > ``` > > 7. Ran slave and framework again. > > 8. Output: > ``` > [{"container_id":"9b8a6a51-68be-4763-9c7d-b67e85fccb4a","executor_id":"42","executor_name":"Command Executor (Task: 42) (Command: sh -c 'echo hello')","framework_id":"52....... > ``` > > > Thanks, > > Abhishek Dasgupta > >
Mime	Unnamed multipart/alternative (inline, None, 0 bytes) Unnamed text/plain (inline, 7-Bit, 3702 bytes)
	View raw message