[jira] [Commented] (MESOS-5406) Validate ACLs on creating an instance of local authorizer.

2016-06-19 Thread Alexander Rukletsov (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-5406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15338842#comment-15338842
 ] 

Alexander Rukletsov commented on MESOS-5406:


One more thing which would be great to implement: checking for subjects, 
objects, and action names. For reasons why we need it, see MESOS-5588.

> Validate ACLs on creating an instance of local authorizer.
> --
>
> Key: MESOS-5406
> URL: https://issues.apache.org/jira/browse/MESOS-5406
> Project: Mesos
> Issue Type: Improvement
> Components: security
> Reporter: Alexander Rukletsov
> Assignee: Jay Guo
> Labels: mesosphere, security
>
> Some combinations of ACLs are not allowed, for example, specifying both 
> {{SetQuota}} and {{UpdateQuota}}. We should capture such issues and error out 
> early. 
> This ticket aims to add as many validations as possible to a dedicated 
> {{validate()}} routine, instead of having them implicitly in the codebase.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (MESOS-5406) Validate ACLs on creating an instance of local authorizer.

2016-05-25 Thread Adam B (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-5406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15299570#comment-15299570
 ] 

Adam B commented on MESOS-5406:
---

cc: [~vinodkone]



[jira] [Commented] (MESOS-5406) Validate ACLs on creating an instance of local authorizer.

2016-05-24 Thread Jay Guo (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-5406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15298130#comment-15298130
 ] 

Jay Guo commented on MESOS-5406:


Some more thoughts:
# Should we sort ACLs and apply some mechanism like longest-prefix-match in a 
routing table, instead of relying on the order they are specified by the user?
# Also, should we aggregate ACLs for a given action? I saw a TODO in the codebase: 
TODO(vinod): Do aggregation of ACLs when possible.



[jira] [Commented] (MESOS-5406) Validate ACLs on creating an instance of local authorizer.

2016-05-23 Thread Adam B (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-5406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15296005#comment-15296005
 ] 

Adam B commented on MESOS-5406:
---

That sounds appropriate. Although, if permissive=true, then setting a 
permission object to ANY is redundant. Similarly, with permissive=false, 
setting object=NONE is redundant.



[jira] [Commented] (MESOS-5406) Validate ACLs on creating an instance of local authorizer.

2016-05-23 Thread Jay Guo (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-5406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15295989#comment-15295989
 ] 

Jay Guo commented on MESOS-5406:


Just wanna make sure I understand it correctly: this story is to catch 
contradictory ACLs while creating the authorizer, besides `SetQuota` and 
`UpdateQuota`. For example, the following test case should pass (both NONE and ANY 
for the same principal):
{code}
// Should fail to create an authorizer with ACLs that specify
// both NONE and ANY for the same principal.
TYPED_TEST(AuthorizationTest, ContradictoryACLs)
{
  ACLs acls;

  {
    // Principal "foo" may update quotas for ANY role.
    mesos::ACL::UpdateQuota* acl = acls.add_update_quotas();
    acl->mutable_principals()->add_values("foo");
    acl->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
  }

  {
    // Principal "foo" may update quotas for NO role (contradicts the above).
    mesos::ACL::UpdateQuota* acl = acls.add_update_quotas();
    acl->mutable_principals()->add_values("foo");
    acl->mutable_roles()->set_type(mesos::ACL::Entity::NONE);
  }

  Try<Authorizer*> create = TypeParam::create(parameterize(acls));
  ASSERT_ERROR(create);
}
{code}

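
The checks discussed in this thread (both quota ACL kinds present, ANY and NONE for the same principal, entries redundant under the permissive setting), sketched as an added example that is not Mesos code and not from any participant. The `Acl`, `Acls` and `Report` structs, the `validate()` signature and the action-name strings are simplified, assumed stand-ins for the protobuf types.

```cpp
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Simplified stand-ins for the Mesos ACL protobufs (assumed, not Mesos code).
enum class Entity { SOME, ANY, NONE };

struct Acl {
  std::string action;     // assumed action name, e.g. "update_quotas"
  std::string principal;  // subject
  Entity objects;         // SOME means an explicit list of objects
};

struct Acls {
  bool permissive = true;
  std::vector<Acl> entries;
};

struct Report {
  std::string error;                  // non-empty: refuse to create the authorizer
  std::vector<std::string> warnings;  // redundant entries
};

Report validate(const Acls& acls) {
  Report r;
  std::set<std::string> actions;
  std::map<std::pair<std::string, std::string>, std::set<Entity>> seen;
  for (const Acl& a : acls.entries) {
    actions.insert(a.action);
    std::set<Entity>& types = seen[{a.action, a.principal}];
    types.insert(a.objects);
    const std::string where = "'" + a.principal + "' in " + a.action;
    // Same action and principal given both ANY and NONE: contradictory.
    if (r.error.empty() && types.count(Entity::ANY) && types.count(Entity::NONE))
      r.error = "contradictory ANY/NONE for " + where;
    // Redundancy noted in the thread: ANY under permissive=true,
    // NONE under permissive=false.
    if (a.objects == (acls.permissive ? Entity::ANY : Entity::NONE))
      r.warnings.push_back("redundant entry for " + where);
  }
  // The two quota ACL kinds must not be combined.
  if (r.error.empty() && actions.count("set_quotas") && actions.count("update_quotas"))
    r.error = "both set_quotas and update_quotas specified";
  return r;
}
```

Running every check in one pass over the entries keeps the rules in a single place, which is what the ticket asks of a dedicated `validate()` routine.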