[jira] [Commented] (MESOS-5406) Validate ACLs on creating an instance of local authorizer.
[ https://issues.apache.org/jira/browse/MESOS-5406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15338842#comment-15338842 ] Alexander Rukletsov commented on MESOS-5406: One more thing which would be great to implement: checking for subjects, objects, and action names. For reasons why we need it, see MESOS-5588. > Validate ACLs on creating an instance of local authorizer. > -- > > Key: MESOS-5406 > URL: https://issues.apache.org/jira/browse/MESOS-5406 > Project: Mesos > Issue Type: Improvement > Components: security >Reporter: Alexander Rukletsov >Assignee: Jay Guo > Labels: mesosphere, security > > Some combinations of ACLs are not allowed, for example, specifying both > {{SetQuota}} and {{UpdateQuota}}. We should capture such issues and error out > early. > This ticket aims to add as many validations as possible to a dedicated > {{validate()}} routine, instead of having them implicitly in the codebase. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (MESOS-5406) Validate ACLs on creating an instance of local authorizer.
[ https://issues.apache.org/jira/browse/MESOS-5406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15299570#comment-15299570 ] Adam B commented on MESOS-5406: --- cc: [~vinodkone] > Validate ACLs on creating an instance of local authorizer. > -- > > Key: MESOS-5406 > URL: https://issues.apache.org/jira/browse/MESOS-5406 > Project: Mesos > Issue Type: Improvement > Components: security >Reporter: Alexander Rukletsov >Assignee: Jay Guo > Labels: mesosphere, security > > Some combinations of ACLs are not allowed, for example, specifying both > {{SetQuota}} and {{UpdateQuota}}. We should capture such issues and error out > early. > This ticket aims to add as many validations as possible to a dedicated > {{validate()}} routine, instead of having them implicitly in the codebase. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (MESOS-5406) Validate ACLs on creating an instance of local authorizer.
[ https://issues.apache.org/jira/browse/MESOS-5406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15298130#comment-15298130 ] Jay Guo commented on MESOS-5406: Some more thoughts: # Should we sort ACLs and apply some mechanism like longest-prefix-match in routing table? Instead of relying on the order they are specified by user # Also should aggregate ACLs for given action? I saw TODO in codebase: TODO(vinod): Do aggregation of ACLs when possible. > Validate ACLs on creating an instance of local authorizer. > -- > > Key: MESOS-5406 > URL: https://issues.apache.org/jira/browse/MESOS-5406 > Project: Mesos > Issue Type: Improvement > Components: security >Reporter: Alexander Rukletsov >Assignee: Jay Guo > Labels: mesosphere, security > > Some combinations of ACLs are not allowed, for example, specifying both > {{SetQuota}} and {{UpdateQuota}}. We should capture such issues and error out > early. > This ticket aims to add as many validations as possible to a dedicated > {{validate()}} routine, instead of having them implicitly in the codebase. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (MESOS-5406) Validate ACLs on creating an instance of local authorizer.
[ https://issues.apache.org/jira/browse/MESOS-5406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15296005#comment-15296005 ] Adam B commented on MESOS-5406: --- That sounds appropriate. Although, if permissive=true, then setting a permission object to ANY is redundant. Similarly, with permissive=false, setting object=NONE is redundant. > Validate ACLs on creating an instance of local authorizer. > -- > > Key: MESOS-5406 > URL: https://issues.apache.org/jira/browse/MESOS-5406 > Project: Mesos > Issue Type: Improvement > Components: security >Reporter: Alexander Rukletsov >Assignee: Jay Guo > Labels: mesosphere, security > > Some combinations of ACLs are not allowed, for example, specifying both > {{SetQuota}} and {{UpdateQuota}}. We should capture such issues and error out > early. > This ticket aims to add as many validations as possible to a dedicated > {{validate()}} routine, instead of having them implicitly in the codebase. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (MESOS-5406) Validate ACLs on creating an instance of local authorizer.
[ https://issues.apache.org/jira/browse/MESOS-5406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15295989#comment-15295989 ] Jay Guo commented on MESOS-5406: Just wanna make sure I understand it correctly, this story is to catch contradictory acls while creating authorizer, besides `SetQuota` and `UpdateQuota`. For example, following test case should pass (both NONE and ANY for the same principle): {code} // Should fail to create authorizer with acls that specifies // both NONE and ANY for the same principle TYPED_TEST(AuthorizationTest, ContradictoryACLs) { ACLs acls; { mesos::ACL::UpdateQuota* acl = acls.add_update_quotas(); acl->mutable_principals()->add_values("foo"); acl->mutable_roles()->set_type(mesos::ACL::Entity::ANY); } { mesos::ACL::UpdateQuota* acl = acls.add_update_quotas(); acl->mutable_principals()->add_values("foo"); acl->mutable_roles()->set_type(mesos::ACL::Entity::NONE); } Trycreate = TypeParam::create(parameterize(acls)); ASSERT_ERROR(create); } {code} > Validate ACLs on creating an instance of local authorizer. > -- > > Key: MESOS-5406 > URL: https://issues.apache.org/jira/browse/MESOS-5406 > Project: Mesos > Issue Type: Improvement > Components: security >Reporter: Alexander Rukletsov >Assignee: Jay Guo > Labels: mesosphere, security > > Some combinations of ACLs are not allowed, for example, specifying both > {{SetQuota}} and {{UpdateQuota}}. We should capture such issues and error out > early. > This ticket aims to add as many validations as possible to a dedicated > {{validate()}} routine, instead of having them implicitly in the codebase. -- This message was sent by Atlassian JIRA (v6.3.4#6332)