Re: Review Request 36927: Pulled apart authorization and authentication validation for frameworks in the master.

Wed, 29 Jul 2015 17:58:11 -0700 


> On July 30, 2015, 12:49 a.m., Vinod Kone wrote:
> > src/master/master.cpp, lines 1757-1779
> > <https://reviews.apache.org/r/36927/diff/1/?file=1024921#file1024921line1757>
> >
> >     checking validationError.isNone() in each if statement looks a bit 
> > weird. how about doing these in an else if instead?
> >     
> >     if (frameworkInfo.has_id() && !(frameworkInfo.id() == "")) {
> >     
> >     } else if (!roles.contains(frameworkInfo.role()) {
> >     
> >     } else if (frameworkInfo.user() == "root" && !flags.root_submissions) {
> >     
> >     } else {
> >     
> >     }
> >     
> >     
> >     i think the above is easier to read?

That's originally what I did, but it's harder to read that way. It looks saner 
in your example because you used empty blocks. Here is what it would actually 
look like:

```
  // TODO(vinod): Add "!=" operator for FrameworkID.
  if (frameworkInfo.has_id() && !(frameworkInfo.id() == "")) {
    validationError = Error("Registering with 'id' already set");
  } else if (!roles.contains(frameworkInfo.role())) {
    // TODO(vinod): Deprecate this in favor of ACLs.
    validationError = Error("Role '" + frameworkInfo.role() + "' is not" +
                            " present in the master's --roles");
  } else if (frameworkInfo.user() == "root" && !flags.root_submissions) {
    // TODO(vinod): Deprecate this in favor of authorization.
    validationError = Error("User 'root' is not allowed to run frameworks"
        " without --root_submissions set");
  }
```

Also the it doesn't work so nicely for reregister because one of the checks 
requires looping through framework ids.


- Ben


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/36927/#review93532
-----------------------------------------------------------


On July 29, 2015, 11:52 p.m., Ben Mahler wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/36927/
> -----------------------------------------------------------
> 
> (Updated July 29, 2015, 11:52 p.m.)
> 
> 
> Review request for mesos and Vinod Kone.
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Framework authorization is now done through `authorizeFramework` which is 
> consistent with `authorizeTask`.
> Also, `validateFrameworkAuthentication` captures the validation for 
> authentication.
> 
> I also made registration and re-registration consistent:
> 
> * Both perform the check for root submission, rather than just registration.
> * Authentication checks in `_registerFramework` and `_reregisterFramework` 
> are now comprehensive (thanks to `validateFrameworkAuthentication`).
> 
> 
> Diffs
> -----
> 
>   src/master/master.hpp 1135049d34f8ed4d56c795ad28c9ca1d07237b63 
>   src/master/master.cpp 2bfec2f69375444925252480142ee409b8474761 
> 
> Diff: https://reviews.apache.org/r/36927/diff/
> 
> 
> Testing
> -------
> 
> make check
> 
> 
> Thanks,
> 
> Ben Mahler
> 
>

Reply via email to