> On June 27, 2016, 11:11 p.m., Vinod Kone wrote: > > src/authorizer/local/authorizer.cpp, lines 765-770 > > <https://reviews.apache.org/r/49201/diff/2/?file=1430956#file1430956line765> > > > > i'm afraid this will be hard to keep this hashset in sync with the > > reality. is there a way to enforce that this is up to date? > > Alexander Rojas wrote: > As things are implemented right now, there is no way to enforce that the > list is up to date. While a couple of endpoints (`/logging/toggle` and > `/metrics/snapshot`) use the `createAuthorizationCallbacks()` function, and > therefore a central registry in the way of the returned callbacks. > Application level methods either do it manually or through the helper > function `Slave::Http::authorizeEndpoint`. So really, the `validPaths` here > would be the ultimate source of truth unless we redesign the whole system.
AFAICT, `authorizeEndpoint()` and `createAuthorizationCallbacks()` are the only two methods (three if you consider the former in both master and slave) that need access to this map, in addition to the local authorizer. I don't see any other methods that verify this authorization manually? So I would suggest to have a `AUTHORIZABLE_ENDPOINTS` in common/http.cpp and have the above two functions (and local authorizer) check that the path being authorized is a valid path. Note that this helps us being defensive against the case when using custom authorizer is being used. Also, this merits a comment in authorizer.proto. - Vinod ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/49201/#review139690 ----------------------------------------------------------- On June 28, 2016, 8:46 a.m., Alexander Rojas wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/49201/ > ----------------------------------------------------------- > > (Updated June 28, 2016, 8:46 a.m.) > > > Review request for mesos, Adam B, Jan Schlicht, and Till Toenshoff. > > > Bugs: MESOS-5707 > https://issues.apache.org/jira/browse/MESOS-5707 > > > Repository: mesos > > > Description > ------- > > The fact that not all endpoints can be secure through ACLs, yet > the ACL is called `get_endpoints`, can be confusing for operators. > Therefore, if an operator tries to launch an agent/master with an > invalid configuration an error is generated. > > > Diffs > ----- > > src/authorizer/local/authorizer.cpp > 2c20a3069dc000b6674ac15046edd9213e79a632 > src/tests/authorization_tests.cpp 9b99da138fa27a725738d70bd99e889b108b44ae > > Diff: https://reviews.apache.org/r/49201/diff/ > > > Testing > ------- > > `make check` and following scripts: > > ```sh > #! /usr/bin/env bash > > rm -rf /tmp/mesos/* > > cat <<EOF > /tmp/credentials.txt > foo bar > baz bar > EOF > > cat <<EOF > /tmp/acls.json > { > "permissive": false, > "get_endpoints" : [ > { > "principals" : { "values" : ["foo"] }, > "paths" : { "values" : ["/frameworks"] } > } > ] > } > EOF > > # Fails to start up with a message saying that `/frameworks` > # ins't supported. > ./bin/mesos-slave.sh --work_dir=/tmp/mesos/slave \ > --master=127.0.0.1:5050 \ > --authenticate_http \ > --http_credentials=file:///tmp/credentials.txt \ > --acls=file:///tmp/acls.json & > > ``` > > and > > > ```sh > #! /usr/bin/env bash > > rm -rf /tmp/mesos/* > > cat <<EOF > /tmp/credentials.txt > foo bar > baz bar > EOF > > cat <<EOF > /tmp/acls.json > { > "permissive": false, > "get_endpoints" : [ > { > "principals" : { "values" : ["foo"] }, > "paths" : { "values" : ["/monitor/statistics", > "/monitor/statistics.json", "/containers"] } > } > ] > } > EOF > > ./bin/mesos-master.sh --work_dir=/tmp/mesos/master \ > --authenticate_http \ > --log_dir=/tmp/mesos/logs/master \ > --http_credentials=file:///tmp/credentials.txt \ > --acls=file:///tmp/acls.json & > ./bin/mesos-slave.sh --work_dir=/tmp/mesos/slave \ > --master=127.0.0.1:5050 \ > --authenticate_http \ > --http_credentials=file:///tmp/credentials.txt \ > --acls=file:///tmp/acls.json & > > # Following requests succeed (200 OK response) > http http://localhost:5051/monitor/statistics -a foo:bar > http http://localhost:5051/monitor/statistics.json -a foo:bar > http http://localhost:5051/monitor/containers -a foo:bar > > # Following requests fail (403 forbidden response) > http http://localhost:5051/monitor/statistics -a baz:bar > http http://localhost:5051/monitor/statistics.json -a baz:bar > http http://localhost:5051/monitor/containers -a baz:bar > > ``` > > > Thanks, > > Alexander Rojas > >
