-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47795/#review134952
-----------------------------------------------------------


authorizeSandbox() needs to take the FrameworkId, since executorIds are not globally unique.


include/mesos/authorizer/acls.proto (lines 183 - 184)
<https://reviews.apache.org/r/47795/#comment199928>

    "... sandboxes of executors running as the given users."


include/mesos/authorizer/acls.proto (line 237)
<https://reviews.apache.org/r/47795/#comment199929>

    You'll need to rebase and pick a new number now that Joerg's actions have landed.


include/mesos/authorizer/authorizer.proto (lines 74 - 75)
<https://reviews.apache.org/r/47795/#comment199930>

    "`ACCESS_SANDBOX` will have an object with `ExecutorInfo` and `FrameworkInfo` set."
    And you'll need to get a new enum value after rebase too.


src/authorizer/local/authorizer.cpp (line 19)
<https://reviews.apache.org/r/47795/#comment199931>

    unused


src/authorizer/local/authorizer.cpp (line 47)
<https://reviews.apache.org/r/47795/#comment199932>

    unused


src/authorizer/local/authorizer.cpp (line 295)
<https://reviews.apache.org/r/47795/#comment199935>

    else Error? else return false/permissive?


src/slave/slave.cpp (line 118)
<https://reviews.apache.org/r/47795/#comment199933>

    unused


src/slave/slave.cpp (lines 5388 - 5389)
<https://reviews.apache.org/r/47795/#comment199936>

    BUG: This is not good enough. An executorId is only unique within a given framework. Two Kafka frameworks might both use the same executorId, but launch with different roles/users/labels. This code would pick the first framework with a matching executorId, rather than the right one.
    You're really going to need to pass the FrameworkId to `authorizeSandboxAccess()` too.


- Adam B


On May 25, 2016, 6:09 p.m., Alexander Rojas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/47795/
> -----------------------------------------------------------
>
> (Updated May 25, 2016, 6:09 p.m.)
>
>
> Review request for mesos, Adam B, Benjamin Mahler, Joerg Schad, Michael Park, and Vinod Kone.
>
>
> Bugs: MESOS-5153
>     https://issues.apache.org/jira/browse/MESOS-5153
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Enables authorization of the sandboxes using the callback function
> parameter of `Files::attach()`.
>
> It also adds relevant ACLs and support on the authorizer interface.
>
>
> Diffs
> -----
>
>   include/mesos/authorizer/acls.proto b178f53a299a2941afc073af963f6aff26af1ca8
>   include/mesos/authorizer/authorizer.proto 911a2271211249a41c4467f6754e9996f640bf38
>   src/authorizer/local/authorizer.cpp dc53bc4374aea98b5ed41ade5617374d2447229b
>   src/slave/slave.hpp 0de6a570e8b4699771048295ec3fcedf84593495
>   src/slave/slave.cpp 470b5c82ea6ff01d799b06245609725853300ef1
>
> Diff: https://reviews.apache.org/r/47795/diff/
>
>
> Testing
> -------
>
> on OSX the script:
>
> ```bash
> #! /usr/bin/env bash
>
> rm -rf /tmp/mesos/*
>
> # Two HTTP principals, foo and baz, both with password "bar"
> cat <<EOF > /tmp/credentials.txt
> foo bar
> baz bar
> EOF
>
> # Only principal foo may access sandboxes of executors running as $USER
> cat <<EOF > /tmp/acls.json
> {
>   "permissive": false,
>   "access_sandboxes" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "users" : { "values" : ["$USER"] }
>     }
>   ]
> }
> EOF
>
> ./bin/mesos-master.sh --work_dir=/tmp/mesos/master &
> ./bin/mesos-slave.sh --work_dir=/tmp/mesos/slave \
>     --master=127.0.0.1:5050 \
>     --authenticate_http \
>     --http_credentials=file:///tmp/credentials.txt \
>     --acls=file:///tmp/acls.json &
>
> ./src/mesos-execute \
>     --command='while true; do echo "Hello world"; sleep 3; done' \
>     --role=test \
>     --master=127.0.0.1:5050 \
>     --name=echoer &
>
> # Take the first virtual path the agent reports as the sandbox path
> SANDBOX_VPATH=`http GET http://127.0.0.1:5051/files/debug -a foo:bar -b --pretty=none \
>     | python -c 'import json,sys;obj=json.load(sys.stdin);print(list(obj.keys())[0])'`
>
> # This should yield a 200 OK response
> http GET "http://127.0.0.1:5051/files/download?path=${SANDBOX_VPATH}/stdout" -a foo:bar
>
> # HTTP/1.1 200 OK
> # Content-Disposition: attachment; filename=stdout
> # Content-Length: 3267
> # Content-Type: application/octet-stream
> # Date: Fri, 20 May 2016 13:52:31 GMT
> #
> # Received SUBSCRIBED event
> # Subscribed executor on localhost
> # Received LAUNCH event
> # Starting task echoer
> # sh -c 'while true; do echo "Hello world"; sleep 3; done'
> # Forked command at 26162
> # Hello world
> # Hello world
> # Hello world
> # Hello world
> # Hello world
>
> # This should yield a 403 Forbidden response
> http GET "http://127.0.0.1:5051/files/download?path=${SANDBOX_VPATH}/stdout" -a baz:bar
>
> # HTTP/1.1 403 Forbidden
> # Content-Length: 0
> # Date: Fri, 20 May 2016 13:52:37 GMT
> #
> #
> #
>
>
> ```
>
>
> Thanks,
>
> Alexander Rojas
>
>
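
The executorId collision raised in the review comment on src/slave/slave.cpp, as an added example that is not part of the original e-mail or of the Mesos code base. The types, function names, framework ids and the ACL map are hypothetical, simplified stand-ins; the sample data is constructed.

```cpp
// Added illustration with simplified stand-in types; not Mesos code.
#include <iostream>
#include <map>
#include <string>
#include <vector>

struct Executor { std::string id, user; };  // stand-in for ExecutorInfo
struct Framework { std::string id; std::vector<Executor> executors; };
typedef std::map<std::string, std::vector<std::string>> Acl;  // principal -> users

// Constructed sample: two frameworks reuse executorId "broker-0" under
// different users; principal "foo" may only read sandboxes owned by "alice".
static const std::vector<Framework> kFrameworks = {
    {"kafka-A", {{"broker-0", "alice"}}}, {"kafka-B", {{"broker-0", "bob"}}}};
static const Acl kAcl = {{"foo", {"alice"}}};

// Flawed: the first framework with a matching executorId wins.
std::string userByExecutorOnly(const std::string& executorId) {
  for (const Framework& f : kFrameworks)
    for (const Executor& e : f.executors)
      if (e.id == executorId) return e.user;
  return "";  // unknown executor
}

// Corrected: the (frameworkId, executorId) pair selects the executor.
std::string userByFrameworkAndExecutor(const std::string& frameworkId,
                                       const std::string& executorId) {
  for (const Framework& f : kFrameworks)
    for (const Executor& e : f.executors)
      if (f.id == frameworkId && e.id == executorId) return e.user;
  return "";
}

// Non-permissive check: unknown executors and unlisted principals are denied.
bool authorizeSandbox(const Acl& acl, const std::string& principal,
                      const std::string& user) {
  Acl::const_iterator it = acl.find(principal);
  if (user.empty() || it == acl.end()) return false;
  for (const std::string& allowed : it->second)
    if (allowed == user) return true;
  return false;
}

int main() {  // "foo" requests the sandbox of kafka-B / broker-0 (user "bob")
  bool flawed = authorizeSandbox(kAcl, "foo", userByExecutorOnly("broker-0"));
  bool fixed = authorizeSandbox(
      kAcl, "foo", userByFrameworkAndExecutor("kafka-B", "broker-0"));
  std::cout << "executorId only: " << flawed << ", with frameworkId: " << fixed << "\n";
}
```

With the executorId-only lookup the decision for kafka-B's sandbox is made against kafka-A's user, so the request is allowed; keyed on both ids it is denied.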