This is an automated email from the ASF dual-hosted git repository.

grag pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git


The following commit(s) were added to refs/heads/master by this push:
     new a1bfa74  Fixed broken authorization in the CSI server.
a1bfa74 is described below

commit a1bfa749e594bd8d9eb008ea4d90e6811f5f7e07
Author: Greg Mann <g...@mesosphere.io>
AuthorDate: Mon Aug 31 13:02:18 2020 -0700

    Fixed broken authorization in the CSI server.
    
    The CSI server must use a principal when authenticating
    which contains a claim that allows the authorizer to
    implicitly approve requests from the CSI server to the
    agent's HTTP API.
    
    Review: https://reviews.apache.org/r/72816/
---
 src/slave/csi_server.cpp | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/slave/csi_server.cpp b/src/slave/csi_server.cpp
index 3f29a81..14fa866 100644
--- a/src/slave/csi_server.cpp
+++ b/src/slave/csi_server.cpp
@@ -73,6 +73,8 @@ namespace mesos {
 namespace internal {
 namespace slave {
 
+constexpr char DEFAULT_CSI_CONTAINER_PREFIX[] = "mesos-internal-csi-";
+
 static VolumeState createVolumeState(
     const Volume::Source::CSIVolume::StaticProvisioning& volume);
 
@@ -232,7 +234,7 @@ Try<Nothing> CSIServerProcess::initializePlugin(const 
Option<string>& name)
           rootDir,
           info,
           extractServices(info),
-          "org-apache-mesos-internal-",
+          DEFAULT_CSI_CONTAINER_PREFIX,
           authToken,
           plugin.runtime,
           &plugin.metrics));
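Review bot: The argument replaced here changes value, from `"org-apache-mesos-internal-"` to `"mesos-internal-csi-"`, so plugin containers are named differently after this commit and not just referenced through a constant. If any plugin containers launched under the old prefix can survive an agent upgrade, it is worth confirming that recovery still finds them, since nothing visible in this hunk handles the old name. The same constant now also feeds the authentication principal in `start()`, and its definition in the first hunk has no comment saying so. I would add one there, e.g. `// Prefix of CSI plugin container IDs; also used as the 'cid_prefix' claim of the CSI server's auth token, so changing it changes what the authorizer implicitly approves.` The body of `initializePlugin()` begins and ends outside this hunk.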
@@ -317,7 +319,9 @@ Future<Nothing> CSIServerProcess::start(const SlaveID& 
_agentId)
     // The contents of this principal are arbitrary. We choose to avoid a
     // principal with a 'value' string so that we do not unintentionally 
collide
     // with another real principal with restricted permissions.
-    Principal principal(Option<string>::none(), {{"key", "csi-server"}});
+    Principal principal(
+        Option<string>::none(),
+        {{"cid_prefix", DEFAULT_CSI_CONTAINER_PREFIX}});
 
     result = secretGenerator->generate(principal)
       .then(defer(self(), [=](const Secret& secret) -> Future<Nothing> {
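Review bot: The context comment directly above the changed constructor call still says "The contents of this principal are arbitrary", which stops being true once the claim is `cid_prefix`. Per the commit description, this claim is what lets the authorizer implicitly approve the CSI server's requests to the agent's HTTP API. I would reword the first sentence to something like `// The 'cid_prefix' claim is what the authorizer matches to implicitly approve this server's agent API calls; keep it identical to the container prefix given to the plugins.` and keep the existing sentence about avoiding a 'value' string. The diffstat shows only this file changed, so no test pins that a token generated from this principal is accepted; a regression test for that would keep a future edit to the claim from silently breaking authorization again. The body of `start()` begins and ends outside this hunk.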
