-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47795/
-----------------------------------------------------------

(Updated May 26, 2016, 3:09 a.m.)


Review request for mesos, Adam B, Benjamin Mahler, Joerg Schad, Michael Park, and Vinod Kone.


Bugs: MESOS-5153
    https://issues.apache.org/jira/browse/MESOS-5153


Repository: mesos


Description
-------

Enables authorization of the sandboxes using the callback function parameter of `Files::attach()`. It also adds relevant ACLs and support on the authorizer interface.


Diffs (updated)
-----

  include/mesos/authorizer/acls.proto b178f53a299a2941afc073af963f6aff26af1ca8
  include/mesos/authorizer/authorizer.proto 911a2271211249a41c4467f6754e9996f640bf38
  src/authorizer/local/authorizer.cpp dc53bc4374aea98b5ed41ade5617374d2447229b
  src/slave/slave.hpp 0de6a570e8b4699771048295ec3fcedf84593495
  src/slave/slave.cpp 470b5c82ea6ff01d799b06245609725853300ef1

Diff: https://reviews.apache.org/r/47795/diff/


Testing
-------

On OSX the script:

```bash
#! /usr/bin/env bash

rm -rf /tmp/mesos/*

cat <<EOF > /tmp/credentials.txt
foo bar
baz bar
EOF

cat <<EOF > /tmp/acls.json
{
  "permissive": false,
  "access_sandboxes" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "values" : ["$USER"] }
    }
  ]
}
EOF

./bin/mesos-master.sh --work_dir=/tmp/mesos/master &

./bin/mesos-slave.sh --work_dir=/tmp/mesos/slave \
    --master=127.0.0.1:5050 \
    --authenticate_http \
    --http_credentials=file:///tmp/credentials.txt \
    --acls=file:///tmp/acls.json &

./src/mesos-execute \
    --command='while true; do echo "Hello world"; sleep 3; done' \
    --role=test \
    --master=127.0.0.1:5050 \
    --name=echoer &

SANDBOX_VPATH=`http GET http://127.0.0.1:5051/files/debug -a foo:bar -b --pretty=none \
    | python -c 'import json,sys;obj=json.load(sys.stdin);print(list(obj.keys())[0])'`

# This should yield a 200 OK response
http GET "http://127.0.0.1:5051/files/download?path=${SANDBOX_VPATH}/stdout" -a foo:bar
# HTTP/1.1 200 OK
# Content-Disposition: attachment; filename=stdout
# Content-Length: 3267
# Content-Type: application/octet-stream
# Date: Fri, 20 May 2016 13:52:31 GMT
#
# Received SUBSCRIBED event
# Subscribed executor on localhost
# Received LAUNCH event
# Starting task echoer
# sh -c 'while true; do echo "Hello world"; sleep 3; done'
# Forked command at 26162
# Hello world
# Hello world
# Hello world
# Hello world
# Hello world

# This should yield a 403 Forbidden response
http GET "http://127.0.0.1:5051/files/download?path=${SANDBOX_VPATH}/stdout" -a baz:bar
# HTTP/1.1 403 Forbidden
# Content-Length: 0
# Date: Fri, 20 May 2016 13:52:37 GMT
#
```


Thanks,

Alexander Rojas
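
An added example, not part of the review request and not Mesos code: a simplified Python model of first-match ACL evaluation with a `permissive` fallback, which is assumed here to be how the local authorizer decides the two requests in the script above (200 for `foo`, 403 for `baz`). The account name `alice` and the helper names are hypothetical.

```python
import json

# Constructed sample: the acls.json from the test script, with $USER
# already expanded to a hypothetical account name "alice".
ACLS_JSON = """
{
  "permissive": false,
  "access_sandboxes": [
    { "principals": { "values": ["foo"] },
      "users": { "values": ["alice"] } }
  ]
}
"""
ACLS = json.loads(ACLS_JSON)


def _matches(entity, value):
    """True if this ACL entity applies to `value` (ANY and NONE apply to all)."""
    if entity.get("type") in ("ANY", "NONE"):
        return True
    return value in entity.get("values", [])


def _allows(entity, value):
    """True if an applicable ACL entity grants `value` (NONE never grants)."""
    if entity.get("type") == "NONE":
        return False
    if entity.get("type") == "ANY":
        return True
    return value in entity.get("values", [])


def may_access_sandbox(acls, principal, sandbox_user):
    """Assumed model: the first ACL that applies decides; otherwise `permissive`."""
    for acl in acls.get("access_sandboxes", []):
        subj, obj = acl["principals"], acl["users"]
        if _matches(subj, principal) and _matches(obj, sandbox_user):
            return _allows(subj, principal) and _allows(obj, sandbox_user)
    # No ACL applied to this request: fall back to the permissive flag.
    return acls.get("permissive", True)


def expected_status(acls, principal, sandbox_user):
    """HTTP status the test script expects from /files/download."""
    return 200 if may_access_sandbox(acls, principal, sandbox_user) else 403
```

Under this model `baz` is rejected only because `"permissive": false` is set; with the flag left at `true`, a principal that no ACL mentions would be let through.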