mesos-reviews mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adam B <a...@mesosphere.io>
Subject Re: Review Request 47921: Enabled authorization for Mesos log access.
Date Sun, 29 May 2016 18:20:42 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47921/#review135433
-----------------------------------------------------------


Ship it!




Ship it! I updated the acls.proto comment as you suggested. Running through CI now before
committing.

- Adam B


On May 27, 2016, 11:08 a.m., Alexander Rojas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/47921/
> -----------------------------------------------------------
> 
> (Updated May 27, 2016, 11:08 a.m.)
> 
> 
> Review request for mesos, Adam B, Joerg Schad, and Michael Park.
> 
> 
> Bugs: MESOS-5153
>     https://issues.apache.org/jira/browse/MESOS-5153
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Uses the authorization primitives in `mesos::internal::Files` to add
> protection of the Mesos logs on both master and agents.
> 
> 
> Diffs
> -----
> 
>   include/mesos/authorizer/acls.proto b05586ae587edbf9330f1d916340447d157ba80e 
>   include/mesos/authorizer/authorizer.proto 3ff67858a99915e0215f3ffb9966f9ac4a3fba8c

>   src/authorizer/local/authorizer.cpp 7ddb323df09a9b0ea46c6f9543c4af059d184308 
>   src/master/master.hpp 1a875c32eddfb6d884e3d0dda7f5716ee53966c3 
>   src/master/master.cpp 6442762c9fdfa368d5d9d7cd43b97f5addaf7f17 
>   src/slave/slave.hpp f48e4b6bbb87d1b8b03176f68fe8d5ea6c109652 
>   src/slave/slave.cpp 9fcf334a69ae96ff8180df50aab571fac99b6fad 
> 
> Diff: https://reviews.apache.org/r/47921/diff/
> 
> 
> Testing
> -------
> 
> `make check`
> 
> and the script
> 
> ```bash
> #! /usr/bin/env bash
> 
> rm -rf /tmp/mesos/*
> 
> cat <<EOF > /tmp/credentials.txt
> foo bar
> baz bar
> EOF
> 
> cat <<EOF > /tmp/acls.json
> {
>   "permissive": false,
>   "access_mesos_log" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "logs" : { "type" : "ANY" }
>     }
>   ]
> }
> EOF
> 
> ./bin/mesos-master.sh --work_dir=/tmp/mesos/master \
>                       --authenticate_http \
>                       --credentials=file:///tmp/credentials.txt \
>                       --acls=file:///tmp/acls.json \
>                       --log_dir=/tmp/mesos/logs/master &
> ./bin/mesos-slave.sh --work_dir=/tmp/mesos/agent \
>                      --master=127.0.0.1:5050 \
>                      --authenticate_http \
>                      --http_credentials=file:///tmp/credentials.txt \
>                      --acls=file:///tmp/acls.json \
>                      --log_dir=/tmp/mesos/logs/agent &
> 
> # This should yield a 200 OK response
> http GET http://127.0.0.1:5051/files/download?path=/slave/log -a foo:bar
> 
> # This should yield a 200 OK response
> http GET http://127.0.0.1:5050/files/download?path=/master/log/ -a foo:bar
> 
> 
> # This shold yield a 403 Forbidden response
> http GET http://127.0.0.1:5051/files/download?path=/slave/log -a baz:bar
> 
> # This shold yield a 403 Forbidden response
> http GET http://127.0.0.1:5050/files/download?path=/master/log/ -a baz:bar
> ```
> 
> 
> Thanks,
> 
> Alexander Rojas
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message