mesos-reviews mailing list archives

From Adam B <a...@mesosphere.io>
Subject Re: Review Request 43199: Updated authorization documentation.
Date Wed, 10 Feb 2016 08:06:00 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43199/#review118611
-----------------------------------------------------------


Fix it, then Ship it!




Just a few clarification questions, but it looks good to me.


docs/authorization.md (line 83)
<https://reviews.apache.org/r/43199/#comment179893>

    I was surprised by this new part of the scenario, since you introduce the original only as a "scenario in which the accounting department launches a framework".
    Please introduce it as an extension of the previous scenario and start a new bullet list.
    Or say "scenario in which the accounting department launches a framework and then tries to destroy a persistent volume"



docs/authorization.md (line 89)
<https://reviews.apache.org/r/43199/#comment179896>

    "operating system user" still isn't quite right to me, especially in light of the abstraction of a "datacenter operating system", in which case this is not the "dcos user", but the linux(/windows) user on the local machine where the task is actually run. I'd prefer something more like the "agent machine's operating system userid", but that's so long. I was thinking "agent linux user" but I suppose it could be a windows user. "Agent local userid"?



docs/authorization.md (line 185)
<https://reviews.apache.org/r/43199/#comment179897>

    Does this mean that no other principal can register a framework at all? Or can they still register a framework with role '*'?



docs/authorization.md (lines 220 - 221)
<https://reviews.apache.org/r/43199/#comment179898>

    Would be kinda nice if the permissive bit could apply per-action instead of only globally. Amirite?



docs/authorization.md (line 233)
<https://reviews.apache.org/r/43199/#comment179899>

    What about unauthenticated frameworks that don't have principals?


- Adam B


On Feb. 9, 2016, 4:32 p.m., Greg Mann wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43199/
> -----------------------------------------------------------
> 
> (Updated Feb. 9, 2016, 4:32 p.m.)
> 
> 
> Review request for mesos, Neil Conway and Vinod Kone.
> 
> 
> Bugs: MESOS-4452
>     https://issues.apache.org/jira/browse/MESOS-4452
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Updated authorization documentation.
> 
> Added information about the distinction between roles and principals, as well as a real-world authorization example.
> 
> 
> Diffs
> -----
> 
>   docs/authorization.md dbbfd60cb35cbb67e47b6a468d4f4ab824981e5d 
> 
> Diff: https://reviews.apache.org/r/43199/diff/
> 
> 
> Testing
> -------
> 
> Viewed in the mesos website container: https://github.com/mesosphere/mesos-website-container
> 
> 
> Thanks,
> 
> Greg Mann
> 
>

