Repository: mesos Updated Branches: refs/heads/master 5263a6211 -> 53b5164bb
Added documentation for access_sandboxes and access_mesos_logs acls. Modifies the file `acls.proto` to take into consideration the added authorization actions `access_sandboxes` and `access_mesos_logs`. Review: https://reviews.apache.org/r/48048/ Project: http://git-wip-us.apache.org/repos/asf/mesos/repo Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/53b5164b Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/53b5164b Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/53b5164b Branch: refs/heads/master Commit: 53b5164bb51ebe850dec5ab19b8382f5c4a59391 Parents: 5263a62 Author: Alexander Rojas <alexan...@mesosphere.io> Authored: Tue May 31 23:20:50 2016 -0700 Committer: Adam B <a...@mesosphere.io> Committed: Tue May 31 23:24:55 2016 -0700 ---------------------------------------------------------------------- docs/authorization.md | 2 ++ src/files/files.cpp | 34 +++++++++++++++++++++++++++++++--- 2 files changed, 33 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/mesos/blob/53b5164b/docs/authorization.md ---------------------------------------------------------------------- diff --git a/docs/authorization.md b/docs/authorization.md index 0e58b9b..189b70d 100644 --- a/docs/authorization.md +++ b/docs/authorization.md @@ -131,6 +131,8 @@ entries, each representing an authorizable action: |`view_framework`|UNIX user of whom executors can be viewed.|`Framework_Info` which can be viewed.|Filtering http endpoints.| |`view_executor`|UNIX user of whom executors can be viewed.|`Executor_Info` and `Framework_Info` which can be viewed.|Filtering http endpoints.| |`view_task`|UNIX user of whom tasks can be viewed.|(`Task` or `Task_Info`) and `Framework_Info` which can be viewed.|Filtering http endpoints.| +|`access_sandboxes`|Operator username.|Operating system user whose executor/task sandboxes can be accessed.|Access task sandboxes.| +|`access_mesos_logs`|Operator username.|Implicitly given. A user should only use types ANY and NONE to allow/deny access to the log.|Access Mesos logs.| ### Examples http://git-wip-us.apache.org/repos/asf/mesos/blob/53b5164b/src/files/files.cpp ---------------------------------------------------------------------- diff --git a/src/files/files.cpp b/src/files/files.cpp index 873664d..094a00c 100644 --- a/src/files/files.cpp +++ b/src/files/files.cpp @@ -57,6 +57,7 @@ using namespace process; using process::AUTHENTICATION; +using process::AUTHORIZATION; using process::DESCRIPTION; using process::HELP; using process::TLDR; @@ -295,7 +296,16 @@ const string FilesProcess::BROWSE_HELP = HELP( "Query parameters:", "", "> path=VALUE The path of directory to browse."), - AUTHENTICATION(true)); + AUTHENTICATION(true), + AUTHORIZATION( + "Browsing files requires that the request principal is ", + "authorized to do so for the target virtual file path.", + "", + "Authorizers may categorize different virtual paths into", + "different ACLs, e.g. logs in one and task sandboxes in", + "another.", + "", + "See authorization documentation for details.")); Future<bool> FilesProcess::authorize( @@ -409,7 +419,16 @@ const string FilesProcess::READ_HELP = HELP( "> offset=VALUE Value added to base address to obtain " "a second address", "> length=VALUE Length of file to read."), - AUTHENTICATION(true)); + AUTHENTICATION(true), + AUTHORIZATION( + "Reading files requires that the request principal is ", + "authorized to do so for the target virtual file path.", + "", + "Authorizers may categorize different virtual paths into", + "different ACLs, e.g. logs in one and task sandboxes in", + "another.", + "", + "See authorization documentation for details.")); Future<Response> FilesProcess::read( @@ -585,7 +604,16 @@ const string FilesProcess::DOWNLOAD_HELP = HELP( "Query parameters:", "", "> path=VALUE The path of directory to browse."), - AUTHENTICATION(true)); + AUTHENTICATION(true), + AUTHORIZATION( + "Downloading files requires that the request principal is ", + "authorized to do so for the target virtual file path.", + "", + "Authorizers may categorize different virtual paths into", + "different ACLs, e.g. logs in one and task sandboxes in", + "another.", + "", + "See authorization documentation for details.")); Future<Response> FilesProcess::download(
