----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/49201/#review139778 -----------------------------------------------------------
src/authorizer/local/authorizer.cpp (line 766) <https://reviews.apache.org/r/49201/#comment205122> I am not sure that list is up-to-date as is. Isn't for example quota missing? - Joerg Schad On June 28, 2016, 8:46 a.m., Alexander Rojas wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/49201/ > ----------------------------------------------------------- > > (Updated June 28, 2016, 8:46 a.m.) > > > Review request for mesos, Adam B, Jan Schlicht, and Till Toenshoff. > > > Bugs: MESOS-5707 > https://issues.apache.org/jira/browse/MESOS-5707 > > > Repository: mesos > > > Description > ------- > > The fact that not all endpoints can be secure through ACLs, yet > the ACL is called `get_endpoints`, can be confusing for operators. > Therefore, if an operator tries to launch an agent/master with an > invalid configuration an error is generated. > > > Diffs > ----- > > src/authorizer/local/authorizer.cpp > 2c20a3069dc000b6674ac15046edd9213e79a632 > src/tests/authorization_tests.cpp 9b99da138fa27a725738d70bd99e889b108b44ae > > Diff: https://reviews.apache.org/r/49201/diff/ > > > Testing > ------- > > `make check` and following scripts: > > ```sh > #! /usr/bin/env bash > > rm -rf /tmp/mesos/* > > cat <<EOF > /tmp/credentials.txt > foo bar > baz bar > EOF > > cat <<EOF > /tmp/acls.json > { > "permissive": false, > "get_endpoints" : [ > { > "principals" : { "values" : ["foo"] }, > "paths" : { "values" : ["/frameworks"] } > } > ] > } > EOF > > # Fails to start up with a message saying that `/frameworks` > # ins't supported. > ./bin/mesos-slave.sh --work_dir=/tmp/mesos/slave \ > --master=127.0.0.1:5050 \ > --authenticate_http \ > --http_credentials=file:///tmp/credentials.txt \ > --acls=file:///tmp/acls.json & > > ``` > > and > > > ```sh > #! /usr/bin/env bash > > rm -rf /tmp/mesos/* > > cat <<EOF > /tmp/credentials.txt > foo bar > baz bar > EOF > > cat <<EOF > /tmp/acls.json > { > "permissive": false, > "get_endpoints" : [ > { > "principals" : { "values" : ["foo"] }, > "paths" : { "values" : ["/monitor/statistics", > "/monitor/statistics.json", "/containers"] } > } > ] > } > EOF > > ./bin/mesos-master.sh --work_dir=/tmp/mesos/master \ > --authenticate_http \ > --log_dir=/tmp/mesos/logs/master \ > --http_credentials=file:///tmp/credentials.txt \ > --acls=file:///tmp/acls.json & > ./bin/mesos-slave.sh --work_dir=/tmp/mesos/slave \ > --master=127.0.0.1:5050 \ > --authenticate_http \ > --http_credentials=file:///tmp/credentials.txt \ > --acls=file:///tmp/acls.json & > > # Following requests succeed (200 OK response) > http http://localhost:5051/monitor/statistics -a foo:bar > http http://localhost:5051/monitor/statistics.json -a foo:bar > http http://localhost:5051/monitor/containers -a foo:bar > > # Following requests fail (403 forbidden response) > http http://localhost:5051/monitor/statistics -a baz:bar > http http://localhost:5051/monitor/statistics.json -a baz:bar > http http://localhost:5051/monitor/containers -a baz:bar > > ``` > > > Thanks, > > Alexander Rojas > >
