> On June 28, 2016, 10:51 p.m., Vinod Kone wrote: > > src/master/http.cpp, lines 1241-1262 > > <https://reviews.apache.org/r/49313/diff/1/?file=1431790#file1431790line1241> > > > > flags specific authorization should be done in `_flags()` so that the > > v1 API can get the benefit automatically. > > > > please move this logic inside `_flags()`. you might need to adjust its > > return type and add a `__flags()`. > > Alexander Rojas wrote: > The main problem with this suggestion is, `_flags` return type is > `JSON::Object`, which means it is supposed to be called synchronously by both > `flags()` and `getFlags()`. > > If I were to make `_flags()` async, the return type would be > `Future<JSON::Object>` but then, how do I encode the fact that I must return > `Forbidden`? I could make `_flags()` return a `Future<Response>` but then it > would not be different from `flags()`, moreover `getFlags()` expects a > `JSON::Object` since it evolves it to a `v1::master::Response`, so it > shouldn't take a `Future<Response>`. > > My solution would be to use the same code in `getFlags()` to perform > authorization. > > Alexander Rojas wrote: > I added a patch implementing the solution I described > [r/49363/](https://reviews.apache.org/r/49363/)
`_flags()` returning `Future<Response>` is fine. `flags()` still needs to deal with the REST specific things like METHOD check and jsonp. I prefer that than duplicating authz code in `flags()` and `getFlags()`. - Vinod ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/49313/#review139886 ----------------------------------------------------------- On June 29, 2016, 8:44 a.m., Alexander Rojas wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/49313/ > ----------------------------------------------------------- > > (Updated June 29, 2016, 8:44 a.m.) > > > Review request for mesos, Adam B, Joerg Schad, Till Toenshoff, and Vinod Kone. > > > Bugs: MESOS-5705 > https://issues.apache.org/jira/browse/MESOS-5705 > > > Repository: mesos > > > Description > ------- > > Adds again authorization for flags. Instead of being part of > `get_endpoints` it uses its own action `VIEW_TASKS` which is > used to restrict access to the `/flags` endpoint, as well as > to filter the results of the `/state` endpoint on both master > and agents. > > > Diffs > ----- > > include/mesos/authorizer/acls.proto > a6d93cd2cb9161a98565b22e50b06aac4931a671 > include/mesos/authorizer/authorizer.proto > fc76796022a6fa3d36a1447c476980868d42c2d0 > src/authorizer/local/authorizer.cpp > 3fade4168face1cb80b30c9b69b31d9eb4126222 > src/common/http.hpp 55bd0ac81af80c656a4a80766a3e4b21db9cf0cf > src/common/http.cpp 95e8fb672b49a00860c64f818cc734fa22cf3516 > src/master/http.cpp 311db1a9400ab533f4536e7a7412122275a7044d > src/slave/http.cpp 44d8cc98c0c1ada9d5313a3fe5c66029c9c373c6 > src/tests/authorization_tests.cpp 9b99da138fa27a725738d70bd99e889b108b44ae > src/tests/master_authorization_tests.cpp > 9088d7df901ad9e0b3c43a3ea61882054f55ee93 > src/tests/slave_authorization_tests.cpp > 78221e200d9b7880cc474f1acef92c5dec1c8e25 > > Diff: https://reviews.apache.org/r/49313/diff/ > > > Testing > ------- > > - `make check` > - manual tests with browsers. > - Used the script: > > ```sh > #! /usr/bin/env bash > > rm -rf /tmp/mesos/* > > cat <<EOF > /tmp/credentials.txt > foo bar > baz bar > EOF > > cat <<EOF > /tmp/acls.json > { > "permissive": false, > "view_flags" : [ > { > "principals" : { "values" : ["foo"] }, > "flags" : { "type" : "ANY" } > }, > { > "principals" : { "values" : ["foo"] }, > "flags" : { "type" : "NONE" } > } > ] > } > EOF > > ./bin/mesos-master.sh --work_dir=/tmp/mesos/master \ > --authenticate_http \ > --log_dir=/tmp/mesos/logs/master \ > --http_credentials=file:///tmp/credentials.txt \ > --acls=file:///tmp/acls.json & > ./bin/mesos-slave.sh --work_dir=/tmp/mesos/slave \ > --master=127.0.0.1:5050 \ > --authenticate_http \ > --http_credentials=file:///tmp/credentials.txt \ > --acls=file:///tmp/acls.json & > > # Returns a 200 OK Response with the contents of the flags > # in JSON object > http GET http://127.0.0.1:5050/flags -a foo:bar > http GET http://127.0.0.1:5051/flags -a foo:bar > > # Returned JSON contains a `flags` entry with all the flags. > http GET http://127.0.0.1:5050/state -a foo:bar > http GET http://127.0.0.1:5051/state -a foo:bar > > # 403 Forbidden response > http GET http://127.0.0.1:5050/flags -a baz:bar > http GET http://127.0.0.1:5051/flags -a baz:bar > > # Returned JSON doesn't include flags information. > http GET http://127.0.0.1:5050/state -a baz:bar > http GET http://127.0.0.1:5051/state -a baz:bar > ``` > > > Thanks, > > Alexander Rojas > >
