Re: Review Request 56178: Enabled the authorizer to work with MULTI_ROLE frameworks.

Wed, 08 Feb 2017 23:54:07 -0800 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/56178/#review164868
-----------------------------------------------------------



Thanks for your patience. Just a few more minor concerns.


src/master/master.cpp (lines 2175 - 2176)
<https://reviews.apache.org/r/56178/#comment236707>

    s/cannot be used to authorize `MULTI_ROLE` frameworks/will get an empty 
string value for `MULTI_ROLE` frameworks/



src/master/master.cpp (line 2177)
<https://reviews.apache.org/r/56178/#comment236705>

    This could use a reference to MESOS-7073 (especially if we remove the other 
reference in LocalAuthorizer)



src/master/master.cpp (lines 2178 - 2179)
<https://reviews.apache.org/r/56178/#comment236708>

    Why not check `if(protobuf::framework::getRoles(frameworkInfo).size() <= 
1)` instead of checking the capability? A legacy authorizer could still 
authorize a multi-role-capable framework if it's only trying to register with a 
single role.


- Adam B


On Feb. 7, 2017, 2:26 a.m., Benjamin Bannier wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/56178/
> -----------------------------------------------------------
> 
> (Updated Feb. 7, 2017, 2:26 a.m.)
> 
> 
> Review request for mesos, Adam B, Alexander Rojas, and Benjamin Mahler.
> 
> 
> Bugs: MESOS-7022
>     https://issues.apache.org/jira/browse/MESOS-7022
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> This updates the local authorizer so that MULTI_ROLE frameworks can be
> authorized.
> 
> For non-MULTI_ROLE frameworks we continue to support use of the
> deprecated 'value' field in the authorization request's 'Object';
> however for MULTI_ROLE frameworks the 'value' field will not be set,
> and authorizers still relying on it should be updated to instead use
> the object's 'framework_info' field to extract roles to authorize
> against from.
> 
> 
> Diffs
> -----
> 
>   src/authorizer/local/authorizer.cpp 
> b98e1fcdf2ee5ec1f6ac0be6f8accdefaa390a09 
>   src/master/master.cpp 98c39b279e7b9830d02efc8ec6a4469afc15d62a 
> 
> Diff: https://reviews.apache.org/r/56178/diff/
> 
> 
> Testing
> -------
> 
> Tested on various configurations in internal CI.
> 
> 
> Thanks,
> 
> Benjamin Bannier
> 
>

Reply via email to