This is an automated email from the ASF dual-hosted git repository. grag pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/mesos.git
The following commit(s) were added to refs/heads/master by this push: new a1bfa74 Fixed broken authorization in the CSI server. a1bfa74 is described below commit a1bfa749e594bd8d9eb008ea4d90e6811f5f7e07 Author: Greg Mann <g...@mesosphere.io> AuthorDate: Mon Aug 31 13:02:18 2020 -0700 Fixed broken authorization in the CSI server. The CSI server must use a principal when authenticating which contains a claim that allows the authorizer to implicitly approve requests from the CSI server to the agent's HTTP API. Review: https://reviews.apache.org/r/72816/ --- src/slave/csi_server.cpp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/slave/csi_server.cpp b/src/slave/csi_server.cpp index 3f29a81..14fa866 100644 --- a/src/slave/csi_server.cpp +++ b/src/slave/csi_server.cpp @@ -73,6 +73,8 @@ namespace mesos { namespace internal { namespace slave { +constexpr char DEFAULT_CSI_CONTAINER_PREFIX[] = "mesos-internal-csi-"; + static VolumeState createVolumeState( const Volume::Source::CSIVolume::StaticProvisioning& volume); @@ -232,7 +234,7 @@ Try<Nothing> CSIServerProcess::initializePlugin(const Option<string>& name) rootDir, info, extractServices(info), - "org-apache-mesos-internal-", + DEFAULT_CSI_CONTAINER_PREFIX, authToken, plugin.runtime, &plugin.metrics)); @@ -317,7 +319,9 @@ Future<Nothing> CSIServerProcess::start(const SlaveID& _agentId) // The contents of this principal are arbitrary. We choose to avoid a // principal with a 'value' string so that we do not unintentionally collide // with another real principal with restricted permissions. - Principal principal(Option<string>::none(), {{"key", "csi-server"}}); + Principal principal( + Option<string>::none(), + {{"cid_prefix", DEFAULT_CSI_CONTAINER_PREFIX}}); result = secretGenerator->generate(principal) .then(defer(self(), [=](const Secret& secret) -> Future<Nothing> {
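Review bot: The new namespace-scope constant `DEFAULT_CSI_CONTAINER_PREFIX` has no comment, although after this commit the same value is used as the plugin container prefix in `initializePlugin` and as the `cid_prefix` claim in `start`, which makes it security-relevant. I would add a comment above it, for example `// Prefix of CSI plugin container IDs; also sent as the 'cid_prefix' claim, so both uses must stay in sync.` The `DEFAULT_` in the name suggests an overridable default, which nothing in the visible hunks provides; `CSI_CONTAINER_PREFIX` would describe it more accurately.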
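Review bot: The prefix argument in `initializePlugin` does not only move to a constant, it changes value from `"org-apache-mesos-internal-"` to `"mesos-internal-csi-"`, and the commit description does not mention this. If an agent has already launched plugin containers under the old prefix, they would presumably no longer be matched after an upgrade; that cannot be confirmed from the hunk, so the description should say whether existing containers are affected. The enclosing call and function start and end outside the hunk.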
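Review bot: The comment kept above the new `Principal` in `CSIServerProcess::start` still says "The contents of this principal are arbitrary", which is no longer true, because the commit description states that the claim is what lets the authorizer implicitly approve the CSI server's requests. I would reword its first sentence to something like `// The 'cid_prefix' claim must equal the CSI container prefix so that the authorizer implicitly approves our requests.` and keep the rest about avoiding a 'value' string. Because the token's authority is presumably scoped by that prefix, it is also worth confirming outside this hunk that the agent rejects container IDs beginning with `mesos-internal-csi-` when they are supplied by other API clients. The body of `start` continues past the end of the hunk.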