Re: Review Request 58253: Added a ContainerID to 'ObjectApprover::Object'.

Fri, 07 Apr 2017 16:31:04 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58253/#review171388
-----------------------------------------------------------



For some reason I'm having trouble replying to your previous comment, so I'll 
post a new one :)

I think that it makes sense to have claims in the `authorization::Subject`, 
since this maps directly onto the `Principal` provided by the client. However, 
in the case of the `authorization::Object`, I don't think that the agent should 
dictate the use of particular claims there. For example, a custom authorizer 
might have a different way to determine which `ContainerID`s a principal should 
be able to launch containers within. I don't think that we should leak the 
specific claim keys used by the `SecretGenerator` into the 
`authorization::Object`, since in the future we will make the `SecretGenerator` 
modular and the claims within the executor token could be different for a 
custom generator. Does that make sense?

- Greg Mann


On April 7, 2017, 3:33 a.m., Greg Mann wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58253/
> -----------------------------------------------------------
> 
> (Updated April 7, 2017, 3:33 a.m.)
> 
> 
> Review request for mesos, Adam B, Alexander Rojas, Till Toenshoff, and Vinod 
> Kone.
> 
> 
> Bugs: MESOS-7014
>     https://issues.apache.org/jira/browse/MESOS-7014
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> This patch adds a new member, `container_id` to the
> `ObjectApprover::Object` to facilitate implicit executor
> authorization.
> 
> 
> Diffs
> -----
> 
>   include/mesos/authorizer/authorizer.hpp 
> 75801ccc753a60ce5e5979b6723fd2294ce7ffe5 
>   include/mesos/authorizer/authorizer.proto 
> 736f76d552956f2351ffd40fc51d088dff83f8c8 
>   src/authorizer/local/authorizer.cpp 
> e241edf4afa48d35dbbbb94d72e8e8690f5bedfc 
> 
> 
> Diff: https://reviews.apache.org/r/58253/diff/1/
> 
> 
> Testing
> -------
> 
> Testing details can be found at the end of this chain.
> 
> 
> Thanks,
> 
> Greg Mann
> 
>

Reply via email to