mesos-reviews mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Adam B <a...@mesosphere.io>
Subject Re: Review Request 56178: Enabled the authorizer to work with MULTI_ROLE frameworks.
Date Thu, 09 Feb 2017 07:53:36 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56178/#review164868
-----------------------------------------------------------



Thanks for your patience. Just a few more minor concerns.


src/master/master.cpp (lines 2175 - 2176)
<https://reviews.apache.org/r/56178/#comment236707>

    s/cannot be used to authorize `MULTI_ROLE` frameworks/will get an empty string value for
`MULTI_ROLE` frameworks/



src/master/master.cpp (line 2177)
<https://reviews.apache.org/r/56178/#comment236705>

    This could use a reference to MESOS-7073 (especially if we remove the other reference
in LocalAuthorizer)



src/master/master.cpp (lines 2178 - 2179)
<https://reviews.apache.org/r/56178/#comment236708>

    Why not check `if(protobuf::framework::getRoles(frameworkInfo).size() <= 1)` instead
of checking the capability? A legacy authorizer could still authorize a multi-role-capable
framework if it's only trying to register with a single role.


- Adam B


On Feb. 7, 2017, 2:26 a.m., Benjamin Bannier wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56178/
> -----------------------------------------------------------
> 
> (Updated Feb. 7, 2017, 2:26 a.m.)
> 
> 
> Review request for mesos, Adam B, Alexander Rojas, and Benjamin Mahler.
> 
> 
> Bugs: MESOS-7022
>     https://issues.apache.org/jira/browse/MESOS-7022
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> This updates the local authorizer so that MULTI_ROLE frameworks can be
> authorized.
> 
> For non-MULTI_ROLE frameworks we continue to support use of the
> deprecated 'value' field in the authorization request's 'Object';
> however for MULTI_ROLE frameworks the 'value' field will not be set,
> and authorizers still relying on it should be updated to instead use
> the object's 'framework_info' field to extract roles to authorize
> against from.
> 
> 
> Diffs
> -----
> 
>   src/authorizer/local/authorizer.cpp b98e1fcdf2ee5ec1f6ac0be6f8accdefaa390a09 
>   src/master/master.cpp 98c39b279e7b9830d02efc8ec6a4469afc15d62a 
> 
> Diff: https://reviews.apache.org/r/56178/diff/
> 
> 
> Testing
> -------
> 
> Tested on various configurations in internal CI.
> 
> 
> Thanks,
> 
> Benjamin Bannier
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message