mesos-reviews mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alexander Rojas <alexan...@mesosphere.io>
Subject Re: Review Request 49201: Added validation for the `get_endpoints` ACL.
Date Fri, 01 Jul 2016 09:48:47 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/49201/
-----------------------------------------------------------

(Updated July 1, 2016, 11:48 a.m.)


Review request for mesos, Adam B, Jan Schlicht, and Till Toenshoff.


Bugs: MESOS-5707
    https://issues.apache.org/jira/browse/MESOS-5707


Repository: mesos


Description (updated)
-------

The fact that not all endpoints can be secure through ACLs, yet
the ACL is called `get_endpoints`, can be confusing for operators.
Therefore, if an operator tries to launch an agent/master with an
invalid configuration an error is generated.


Diffs (updated)
-----

  src/authorizer/local/authorizer.cpp aadb7f6f0889514060744a7eca96cda00639eb4e 
  src/common/http.hpp eb2d0156550b3ed90c7f72a2e1405efc45eab78a 
  src/common/http.cpp 2ef264fc886be50d2091dbe24ab422c818b5ee0b 
  src/slave/http.cpp 60a780c73ab517ff301e18790bb2568f8f9063d6 
  src/slave/slave.hpp 2afd7d152dcd2f5390014cd7bd4e926b62c292d1 
  src/tests/authorization_tests.cpp c1e8ea64bb9008163ae8f0488306687d0f63a527 
  src/tests/scheduler_driver_tests.cpp 217185780e3576faf633dd9629ae93a275fac284 

Diff: https://reviews.apache.org/r/49201/diff/


Testing
-------

`make check` and following scripts:

```sh
#! /usr/bin/env bash

rm -rf /tmp/mesos/*

cat <<EOF > /tmp/credentials.txt
foo bar
baz bar
EOF

cat <<EOF > /tmp/acls.json
{
  "permissive": false,
  "get_endpoints" : [
   {
     "principals" : { "values" : ["foo"] },
     "paths" : { "values" : ["/frameworks"] }
   }
  ]
}
EOF

# Fails to start up with a message saying that `/frameworks`
# ins't supported.
./bin/mesos-slave.sh --work_dir=/tmp/mesos/slave \
                     --master=127.0.0.1:5050 \
                     --authenticate_http \
                     --http_credentials=file:///tmp/credentials.txt \
                     --acls=file:///tmp/acls.json &

```

and


```sh
#! /usr/bin/env bash

rm -rf /tmp/mesos/*

cat <<EOF > /tmp/credentials.txt
foo bar
baz bar
EOF

cat <<EOF > /tmp/acls.json
{
  "permissive": false,
  "get_endpoints" : [
   {
     "principals" : { "values" : ["foo"] },
     "paths" : { "values" : ["/monitor/statistics", "/monitor/statistics.json", "/containers"]
}
   }
  ]
}
EOF

./bin/mesos-master.sh --work_dir=/tmp/mesos/master \
                     --authenticate_http \
                     --log_dir=/tmp/mesos/logs/master \
                     --http_credentials=file:///tmp/credentials.txt \
                     --acls=file:///tmp/acls.json &
./bin/mesos-slave.sh --work_dir=/tmp/mesos/slave \
                     --master=127.0.0.1:5050 \
                     --authenticate_http \
                     --http_credentials=file:///tmp/credentials.txt \
                     --acls=file:///tmp/acls.json &

# Following requests succeed (200 OK response)
http http://localhost:5051/monitor/statistics -a foo:bar
http http://localhost:5051/monitor/statistics.json -a foo:bar
http http://localhost:5051/monitor/containers -a foo:bar

# Following requests fail (403 forbidden response)
http http://localhost:5051/monitor/statistics -a baz:bar
http http://localhost:5051/monitor/statistics.json -a baz:bar
http http://localhost:5051/monitor/containers -a baz:bar

```


Thanks,

Alexander Rojas


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message