[jira] [Commented] (MESOS-5369) Coarse-grained authorization of endpoints is supported only for short url paths.

Thu, 12 May 2016 07:02:46 -0700 

    [ 
https://issues.apache.org/jira/browse/MESOS-5369?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15281535#comment-15281535
 ] 

Alexander Rojas commented on MESOS-5369:
----------------------------------------

We faced this issue while implementing the firewall. Some solutions were 
proposed:

# Add a regex library (was discarded because it will add another binary third 
party dependency and GCC didn’t yet had support for C++11 regex).
# Implement our own wildcard mechanism (discarded because it added extra 
abstractions into Mesos codebase).

Finally we just add an MVP requirement of knowing the suffix of the process you 
wanted to hit. The idea was to postpone the final solution to a next iteration, 
through in truth, we never got to that.

> Coarse-grained authorization of endpoints is supported only for short url 
> paths.
> --------------------------------------------------------------------------------
>
>                 Key: MESOS-5369
>                 URL: https://issues.apache.org/jira/browse/MESOS-5369
>             Project: Mesos
>          Issue Type: Bug
>    Affects Versions: 0.29.0
>            Reporter: Alexander Rukletsov
>              Labels: authorization, mesosphere, security
>
> For coarse-grained authorization actions, e.g., {{GET_ENDPOINT_WITH_PATH}}, 
> we currently pass the short version of the url path, i.e., {{/state}} instead 
> of {{/master/state}}, to the authorizer in some cases. This means that ACLs 
> for local authorizer will not work as expected if absolute paths are used. 
> Moreover, both local and modularized authorizers should be able to understand 
> both short url paths for endpoints that belong to the "major" actor process 
> (e.g., master, agent) and absolute url paths for all other actors (e.g., 
> {{/files/browse}}, {{/metrics/snapshot}}.
> One possible solution is to pass absolute paths to authorizers and let them 
> do the necessary processing, e.g., removing agent id from 
> {{/slave(id)/state}}. This will also require normalizing endpoints from ACLs 
> to absolute path form, similarly as we have done in MESOS-3143. Additionally 
> this solution removes ambiguity which may arise for same endpoints belonging 
> to different actors, e.g., {{/master/flags}} vs. {{/slave/flags}}.
> Here are some code snippets to illustrate the problem and the reasons:
> * 
> https://github.com/apache/mesos/blob/eaf0d3461b3f17c9037490e873f114c2ee1c14d9/src/slave/http.cpp#L824-L833
> * 
> https://github.com/apache/mesos/blob/0104e7349a0539f38d02a0e7e23b7712ebefc201/3rdparty/libprocess/src/process.cpp#L2398
> * 
> https://github.com/apache/mesos/blob/0104e7349a0539f38d02a0e7e23b7712ebefc201/src/master/main.cpp#L247
> * 
> https://github.com/apache/mesos/blob/0104e7349a0539f38d02a0e7e23b7712ebefc201/3rdparty/libprocess/src/process.cpp#L2875



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to