mesos-reviews mailing list archives

From Greg Mann <g...@mesosphere.io>
Subject Re: Review Request 58255: Added implicit authorization to the agent executor API.
Date Wed, 12 Apr 2017 07:30:03 GMT


> On April 11, 2017, 6:33 p.m., Vinod Kone wrote:
> > src/slave/http.cpp
> > Lines 732 (patched)
> > <https://reviews.apache.org/r/58255/diff/1/?file=1686365#file1686365line732>
> >
> >     a `principalContains` helper looks weird. can you just inline the helpers?
> >     
> >     you can probably just do
> >     
> >     
> >     ```
> >     if (principal.isSome() &&
> >         principal->claims["fid"] != call.framework_id().value()) {
> >     }    
> >     
> >     ```

The principal is `const`, and while it's more verbose I prefer the precision of using `.contains()`
to avoid potentially performing the check with an empty string, so I inlined the check that
way. Let me know what you think.


- Greg


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58255/#review171600
-----------------------------------------------------------


On April 12, 2017, 7:28 a.m., Greg Mann wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58255/
> -----------------------------------------------------------
> 
> (Updated April 12, 2017, 7:28 a.m.)
> 
> 
> Review request for mesos, Adam B, Alexander Rojas, and Till Toenshoff.
> 
> 
> Bugs: MESOS-7339
>     https://issues.apache.org/jira/browse/MESOS-7339
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> This patch updates the agent handler for the executor API to
> verify the FrameworkID and ExecutorID contained within the
> executor's `Principal`, if present. This effectively performs
> implicit authorization of executor calls.
> 
> 
> Diffs
> -----
> 
>   src/slave/http.cpp 468cf332d79ed7315ecf51955235735dec0a2df1 
> 
> 
> Diff: https://reviews.apache.org/r/58255/diff/2/
> 
> 
> Testing
> -------
> 
> Testing details can be found at the end of this chain.
> 
> 
> Thanks,
> 
> Greg Mann
> 
>
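Added example, not part of the review thread or the Mesos code base: a minimal sketch of the implicit authorization check discussed above, with the presence-checked form beside the indexing form. The `Principal` struct, the function names, the `eid` claim key, the sample values, and the choice to skip the check when no principal is supplied are all assumptions made for illustration; only the `fid` key appears in the thread.

```cpp
#include <iostream>
#include <map>
#include <string>

// Hypothetical stand-in for the authenticated principal; not a Mesos type.
struct Principal {
  std::map<std::string, std::string> claims;
};

enum class Decision { ALLOW, DENY };

// Constructed sample principals. "eid" is an assumed claim key.
static const Principal kExecutor{{{"fid", "framework-1"}, {"eid", "executor-1"}}};
static const Principal kNoClaims{};

// True only when the claim exists and equals the expected value.
static bool claimEquals(const Principal& p, const std::string& key,
                        const std::string& expected) {
  auto it = p.claims.find(key);
  return it != p.claims.end() && it->second == expected;
}

// Presence-checked form. A null principal means none was supplied
// (assumed: authentication disabled), so the implicit check is skipped.
Decision authorizeStrict(const Principal* principal, const std::string& fid,
                         const std::string& eid) {
  if (principal == nullptr) return Decision::ALLOW;
  bool ok = claimEquals(*principal, "fid", fid) &&
            claimEquals(*principal, "eid", eid);
  return ok ? Decision::ALLOW : Decision::DENY;
}

// Indexing form. operator[] needs a mutable map (hence the copy) and inserts
// "" for a missing key, so an absent claim compares equal to an empty ID.
Decision authorizeIndexed(const Principal* principal, const std::string& fid,
                          const std::string& eid) {
  if (principal == nullptr) return Decision::ALLOW;
  Principal copy = *principal;
  bool ok = copy.claims["fid"] == fid && copy.claims["eid"] == eid;
  return ok ? Decision::ALLOW : Decision::DENY;
}

int main() {
  auto show = [](Decision d) { return d == Decision::ALLOW ? "ALLOW" : "DENY"; };
  std::cout << "no claims, empty IDs, strict:  "
            << show(authorizeStrict(&kNoClaims, "", "")) << "\n"
            << "no claims, empty IDs, indexed: "
            << show(authorizeIndexed(&kNoClaims, "", "")) << "\n";
  return 0;
}
```

The two forms differ only when a claim is missing and the call carries an empty ID: the presence-checked form denies, the indexing form allows.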

