mesos-reviews mailing list archives

From Vinod Kone <vinodk...@gmail.com>
Subject Re: Review Request 58255: Added implicit authorization to the agent executor API.
Date Tue, 11 Apr 2017 18:33:36 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58255/#review171600
-----------------------------------------------------------




src/slave/http.cpp
Lines 699-701 (original), 727-729 (patched)
<https://reviews.apache.org/r/58255/#comment244546>

    move this after implicit authz to avoid leaking more information than necessary.



src/slave/http.cpp
Lines 732 (patched)
<https://reviews.apache.org/r/58255/#comment244545>

    a `principalContains` helper looks weird. can you just inline the helpers?
    
    you can probably just do
    
    ```
    if (principal.isSome() &&
        principal->claims["fid"] != call.framework_id().value()) {
    }
    ```



src/slave/http.cpp
Lines 703-707 (original), 739-757 (patched)
<https://reviews.apache.org/r/58255/#comment244547>

    ditto. see above.


- Vinod Kone


On April 7, 2017, 3:45 a.m., Greg Mann wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58255/
> -----------------------------------------------------------
> 
> (Updated April 7, 2017, 3:45 a.m.)
> 
> 
> Review request for mesos, Adam B, Alexander Rojas, and Till Toenshoff.
> 
> 
> Bugs: MESOS-7339
>     https://issues.apache.org/jira/browse/MESOS-7339
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> This patch updates the agent handler for the executor API to
> verify the FrameworkID and ExecutorID contained within the
> executor's `Principal`, if present. This effectively performs
> implicit authorization of executor calls.
> 
> 
> Diffs
> -----
> 
>   src/slave/http.cpp b07ce7c73a90ef297d980806ebba9530d86f25ae 
> 
> 
> Diff: https://reviews.apache.org/r/58255/diff/1/
> 
> 
> Testing
> -------
> 
> Testing details can be found at the end of this chain.
> 
> 
> Thanks,
> 
> Greg Mann
> 
>
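The ordering requested in the first review comment, as an added example that is not part of the original message or the Mesos source: the claim comparison runs before any check that depends on agent state, so a caller with mismatched claims gets the same response whether or not the framework exists. The `Principal`, `Call` and `Status` types, the `eid` claim key, the `knownFrameworks` lookup and the status codes are simplified assumptions; only the `fid` comparison comes from the review.

```cpp
#include <map>
#include <set>
#include <string>

// Simplified stand-ins for the Mesos types (assumptions, not the real classes).
struct Principal {
  std::string value;
  std::map<std::string, std::string> claims;
};

struct Call {
  std::string framework_id;
  std::string executor_id;
};

enum class Status { OK = 200, BAD_REQUEST = 400, FORBIDDEN = 403 };

// A missing claim reads as an empty string, so it never matches a real ID.
static std::string claim(const Principal& p, const std::string& key) {
  auto it = p.claims.find(key);
  return it == p.claims.end() ? std::string() : it->second;
}

// `principal` is null when executor authentication is disabled.
Status handleExecutorCall(const Principal* principal, const Call& call,
                          const std::set<std::string>& knownFrameworks) {
  // 1. Implicit authorization: claims must match the IDs in the call.
  //    "eid" is an assumed claim key; the review only shows "fid".
  if (principal != nullptr &&
      (claim(*principal, "fid") != call.framework_id ||
       claim(*principal, "eid") != call.executor_id)) {
    return Status::FORBIDDEN;
  }
  // 2. State-dependent validation only after authorization, so the response
  //    to an unauthorized caller reveals nothing about agent state.
  if (knownFrameworks.count(call.framework_id) == 0) {
    return Status::BAD_REQUEST;
  }
  return Status::OK;
}

int main() {
  Principal p{"executor", {{"fid", "f1"}, {"eid", "e1"}}};  // constructed sample
  std::set<std::string> known{"f1", "f2"};
  // Mismatched caller: same answer for an existing and a nonexistent framework.
  bool same = handleExecutorCall(&p, Call{"f2", "e1"}, known) ==
              handleExecutorCall(&p, Call{"f9", "e1"}, known);
  return same ? 0 : 1;
}
```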

