mesos-reviews mailing list archives

From Benjamin Bannier <benjamin.bann...@mesosphere.io>
Subject Re: Review Request 47891: Added RUN_TASK authorization action.
Date Tue, 31 May 2016 07:42:12 GMT


> On May 28, 2016, 8:43 a.m., Adam B wrote:
> > src/master/master.cpp, line 3048
> > <https://reviews.apache.org/r/47891/diff/2/?file=1399810#file1399810line3048>
> >
> >     FrameworkInfo.user is the wrong user to pass in. It should be the user calculated by the code you removed above.

I am confused. Before this change we had

```
string user = framework->info.user(); // Default user.
if (task.has_command() && task.command().has_user()) {
  user = task.command().user();
} else if (task.has_executor() && task.executor().command().has_user()) {
  user = task.executor().command().user();
}
```

so we did use `framework->info.user()` if neither `task.command` nor `task.executor.command`
had a user. Now we defer the decision where the user is taken from completely to the authorizer
(that's why we have that logic e.g., in the local authorizer).

Why should I want to calculate anything here now?
Why is `framework->info.user()` not a good user anymore?


- Benjamin


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47891/#review135380
-----------------------------------------------------------


On May 30, 2016, 3:42 p.m., Benjamin Bannier wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/47891/
> -----------------------------------------------------------
> 
> (Updated May 30, 2016, 3:42 p.m.)
> 
> 
> Review request for mesos, Adam B, Alexander Rojas, Joerg Schad, and Michael Park.
> 
> 
> Bugs: MESOS-5459
>     https://issues.apache.org/jira/browse/MESOS-5459
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Authorization requests for RUN_TASK actions can pass `SOME`
> authorization object either in a `FrameworkInfo` holding a user, or a
> `TaskInfo` with optionally a `CommandInfo` which can optionally hold a
> user. If either of these fields is set it will be used as the object;
> otherwise an `ANY` type authorization object will be created.
> 
> `RUN_TASK` aliases `RUN_TASK_WITH_USER` which becomes deprecated with
> 0.29.
> 
> 
> Diffs
> -----
> 
>   include/mesos/authorizer/authorizer.proto 4478bbd3c8f5c1fb862c2c6bd450689d870f7059
>   src/authorizer/local/authorizer.cpp 547bbdd6c3605eadd23d2d2717a3fd362a616de5 
>   src/master/master.cpp a6f740f7f71c4b54208e923025d32e0473a65f5e 
>   src/tests/authorization_tests.cpp 54bfb46a807677f4a4a2bb88dcb78a358cf5121a 
> 
> Diff: https://reviews.apache.org/r/47891/diff/
> 
> 
> Testing
> -------
> 
> Tested on a range of Linux configurations on internal CI.
> 
> 
> Thanks,
> 
> Benjamin Bannier
> 
>

