mesos-reviews mailing list archives

From Vinod Kone <vinodk...@gmail.com>
Subject Re: Review Request 58254: Added implicit executor authorization to the agent operator API.
Date Tue, 11 Apr 2017 19:06:58 GMT


> On April 11, 2017, 12:27 a.m., Vinod Kone wrote:
> > src/authorizer/local/authorizer.cpp
> > Lines 725 (patched)
> > <https://reviews.apache.org/r/58254/diff/2/?file=1686563#file1686563line725>
> >
> >     Is this based on the assumption that claims subjects only come from executors and not operators? What guarantees that?
> 
> Greg Mann wrote:
>     There's one use case this patch would not accommodate: if a custom authenticator is used which sets both `Principal.value` and `Principal.claims`, and the local authorizer is also used. In that case, an operator could authenticate such that this code would not authorize their request correctly. To address this, I could add a check here for `!subject->has_value()`, since only implicit executor authZ can handle subjects without a value, and the default JWT authenticator does not set `Principal.value`.

Sounds good.


- Vinod


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58254/#review171506
-----------------------------------------------------------
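The subject-shape ambiguity discussed in the review above, as an added illustration that is not code from the Mesos authorizer: `Subject`, `Request`, the `cid` claim name, the `ops-admin` ACL entry and both `authorize*` functions are hypothetical stand-ins, with the second variant adding the `!subject->has_value()` distinction Greg proposes.

```cpp
#include <map>
#include <optional>
#include <set>
#include <string>

// Hypothetical, simplified stand-in for the authorizer subject (not Mesos's own type):
// `value` is the principal name when one was authenticated, `claims` holds JWT claims.
struct Subject {
  std::optional<std::string> value;
  std::map<std::string, std::string> claims;
  bool has_value() const { return value.has_value(); }
};

// The `container_id` the agent handlers place in the authorization object.
struct Request {
  std::string container_id;
};

// Constructed operator ACL: principals (by name) allowed to act on nested containers.
static const std::set<std::string> kAllowedOperators = {"ops-admin"};

// Implicit executor authorization: a claims-only subject may act only on the
// container named in its own claims (claim key "cid" is an assumption here).
static bool implicitExecutorAuthorized(const Subject& s, const Request& r) {
  auto it = s.claims.find("cid");
  return it != s.claims.end() && it->second == r.container_id;
}

// Without the proposed check: any subject carrying claims is routed down the
// executor path, so an operator whose authenticator sets both a value and claims
// is never evaluated against the operator ACL.
bool authorizeBefore(const Subject& s, const Request& r) {
  if (!s.claims.empty()) return implicitExecutorAuthorized(s, r);
  return s.has_value() && kAllowedOperators.count(*s.value) > 0;
}

// With the `!subject->has_value()` check: only value-less subjects take the
// executor path; anything with a principal value goes through the operator ACL.
bool authorizeAfter(const Subject& s, const Request& r) {
  if (!s.has_value() && !s.claims.empty()) return implicitExecutorAuthorized(s, r);
  return s.has_value() && kAllowedOperators.count(*s.value) > 0;
}
```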


On April 7, 2017, 11:25 p.m., Greg Mann wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58254/
> -----------------------------------------------------------
> 
> (Updated April 7, 2017, 11:25 p.m.)
> 
> 
> Review request for mesos, Adam B, Alexander Rojas, Till Toenshoff, and Vinod Kone.
> 
> 
> Bugs: MESOS-7014
>     https://issues.apache.org/jira/browse/MESOS-7014
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> This patch updates the agent handlers for the LAUNCH_, WAIT_,
> and KILL_NESTED_CONTAINER calls of the operator API to set the
> `container_id` field within the authorization object,
> facilitating implicit executor authorization.
> 
> 
> Diffs
> -----
> 
>   include/mesos/authorizer/authorizer.proto 736f76d552956f2351ffd40fc51d088dff83f8c8
>   src/authorizer/local/authorizer.cpp e241edf4afa48d35dbbbb94d72e8e8690f5bedfc
>   src/slave/http.cpp b07ce7c73a90ef297d980806ebba9530d86f25ae
> 
> 
> Diff: https://reviews.apache.org/r/58254/diff/2/
> 
> 
> Testing
> -------
> 
> Testing details can be found at the end of this chain.
> 
> 
> Thanks,
> 
> Greg Mann
> 
>

