Re: Review Request 49201: Added validation for the `get_endpoints` ACL.

Tue, 28 Jun 2016 01:47:27 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/49201/
-----------------------------------------------------------

(Updated June 28, 2016, 1:46 a.m.)


Review request for mesos, Adam B, Jan Schlicht, and Till Toenshoff.


Bugs: MESOS-5707
    https://issues.apache.org/jira/browse/MESOS-5707


Repository: mesos


Description
-------

The fact that not all endpoints can be secure through ACLs, yet
the ACL is called `get_endpoints`, can be confusing for operators.
Therefore, if an operator tries to launch an agent/master with an
invalid configuration an error is generated.


Diffs
-----

  src/authorizer/local/authorizer.cpp 2c20a3069dc000b6674ac15046edd9213e79a632 
  src/tests/authorization_tests.cpp 9b99da138fa27a725738d70bd99e889b108b44ae 

Diff: https://reviews.apache.org/r/49201/diff/


Testing
-------

`make check` and following scripts:

```sh
#! /usr/bin/env bash

rm -rf /tmp/mesos/*

cat <<EOF > /tmp/credentials.txt
foo bar
baz bar
EOF

cat <<EOF > /tmp/acls.json
{
  "permissive": false,
  "get_endpoints" : [
   {
     "principals" : { "values" : ["foo"] },
     "paths" : { "values" : ["/frameworks"] }
   }
  ]
}
EOF

# Fails to start up with a message saying that `/frameworks`
# ins't supported.
./bin/mesos-slave.sh --work_dir=/tmp/mesos/slave \
                     --master=127.0.0.1:5050 \
                     --authenticate_http \
                     --http_credentials=file:///tmp/credentials.txt \
                     --acls=file:///tmp/acls.json &

```

and


```sh
#! /usr/bin/env bash

rm -rf /tmp/mesos/*

cat <<EOF > /tmp/credentials.txt
foo bar
baz bar
EOF

cat <<EOF > /tmp/acls.json
{
  "permissive": false,
  "get_endpoints" : [
   {
     "principals" : { "values" : ["foo"] },
     "paths" : { "values" : ["/monitor/statistics", "/monitor/statistics.json", 
"/containers"] }
   }
  ]
}
EOF

./bin/mesos-master.sh --work_dir=/tmp/mesos/master \
                     --authenticate_http \
                     --log_dir=/tmp/mesos/logs/master \
                     --http_credentials=file:///tmp/credentials.txt \
                     --acls=file:///tmp/acls.json &
./bin/mesos-slave.sh --work_dir=/tmp/mesos/slave \
                     --master=127.0.0.1:5050 \
                     --authenticate_http \
                     --http_credentials=file:///tmp/credentials.txt \
                     --acls=file:///tmp/acls.json &

# Following requests succeed (200 OK response)
http http://localhost:5051/monitor/statistics -a foo:bar
http http://localhost:5051/monitor/statistics.json -a foo:bar
http http://localhost:5051/monitor/containers -a foo:bar

# Following requests fail (403 forbidden response)
http http://localhost:5051/monitor/statistics -a baz:bar
http http://localhost:5051/monitor/statistics.json -a baz:bar
http http://localhost:5051/monitor/containers -a baz:bar

```


Thanks,

Alexander Rojas

Reply via email to