> On June 10, 2014, 1:37 a.m., Adam B wrote:
> > src/master/master.cpp, lines 1050-1051
> > <https://reviews.apache.org/r/22284/diff/2/?file=606172#file606172line1050>
> >
> > Please correct me if I'm misinterpreting the ReceiveOffers Message.
> > In the master ACL:
> > global-permissive: ANY Principal can ReceiveOffers for Role foo
> > global-restrictive: NONE Principal can ReceiveOffers for Role foo
> > But when calling authorize(ReceiveOffers request),
> > Use ANY Principal when the framework has No Principal (framework authentication disabled?), since that's the only time this framework will still be authorized.
> > Use NONE Principal never?!?
>
> Vinod Kone wrote:
>     The acls.permissive bit only comes into play when none of the ACLs that were set up matches the authorization request. You can think of it as the default case in a switch statement.
>
>     An authorization request will likely never have "NONE". I can't imagine why someone would ask that question from authorizer.
>
>     In this particular case, we ask if ANY principal is allowed because the framework didn't set its principal (e.g. auth disabled and FrameworkInfo.principal is not set). In the future, we might make FrameworkInfo.principal 'required' instead of 'optional' in which case we won't be making such request. For now we make it optional for smooth upgrade.
>
>     Hope that clears things up.

Makes sense. Thanks for the explanation.

- Adam

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/22284/#review45202
-----------------------------------------------------------

On June 10, 2014, 12:18 p.m., Vinod Kone wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/22284/
> -----------------------------------------------------------
>
> (Updated June 10, 2014, 12:18 p.m.)
>
>
> Review request for mesos, Benjamin Hindman and Ben Mahler.
>
>
> Bugs: MESOS-1307
>     https://issues.apache.org/jira/browse/MESOS-1307
>
>
> Repository: mesos-git
>
>
> Description
> -------
>
> Added authorization for roles during framework (re-)registration.
>
>
> Diffs
> -----
>
>   src/master/flags.hpp 486335970ef05b345c5584ac012dde63437ef149
>   src/master/master.hpp 26af1139a43a62b91712acd158b24a8977c81d3f
>   src/master/master.cpp c18ccc4a1770cd68e4c3cb4b5f8ab912515ab613
>   src/tests/master_authorization_tests.cpp PRE-CREATION
>
> Diff: https://reviews.apache.org/r/22284/diff/
>
>
> Testing
> -------
>
> make check
>
>
> Thanks,
>
> Vinod Kone
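
A simplified model of the evaluation described in the thread above, added here as an illustration and not taken from the Mesos source or from either participant: the first ReceiveOffers entry that matches a request decides it, and `permissive` is consulted only when none matches. The `Kind`, `Entity`, `Rule` and `Acls` types, the `matches` helper, and the use of an empty principal string to stand for an ANY request are assumptions of this example.

```cpp
#include <string>
#include <vector>

// Simplified model for illustration; not the Mesos authorizer.
enum class Kind { ANY, NONE, SOME };

struct Entity {
  Kind kind;
  std::vector<std::string> values;  // consulted only when kind == SOME
};

struct Rule { Entity principals; Entity roles; };  // one ReceiveOffers entry

struct Acls {
  bool permissive;
  std::vector<Rule> receive_offers;
};

// ANY and NONE rules apply to every request. A SOME rule applies only when
// it names the requested value; an empty `value` stands for a request about
// ANY and is therefore never matched by a SOME rule.
static bool matches(const Entity& acl, const std::string& value) {
  if (acl.kind != Kind::SOME) return true;
  for (const std::string& v : acl.values)
    if (!value.empty() && v == value) return true;
  return false;
}

// An empty `principal` models a framework that did not set
// FrameworkInfo.principal, so the question becomes "is ANY principal allowed?".
bool authorizeReceiveOffers(const Acls& acls, const std::string& principal,
                            const std::string& role) {
  for (const Rule& r : acls.receive_offers) {
    if (!matches(r.principals, principal) || !matches(r.roles, role)) continue;
    // The first rule that matches decides, like a matching `case` label.
    return r.principals.kind != Kind::NONE && r.roles.kind != Kind::NONE;
  }
  return acls.permissive;  // no rule matched: the `default:` case
}
```

With a permissive default, a principal that no entry names still falls through to "allowed", which is why a restrictive setup in this model ends with a NONE entry for the role or sets `permissive` to false.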
