Posted to issues@mesos.apache.org by "Greg Mann (JIRA)" <ji...@apache.org> on 2017/03/17 21:08:41 UTC
[jira] [Commented] (MESOS-7190) Update endpoint handlers to use 'ObjectApprover'
[ https://issues.apache.org/jira/browse/MESOS-7190?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15930736#comment-15930736 ]
Greg Mann commented on MESOS-7190:
----------------------------------
I'm actually not so sure about this. Callsites which don't do authorization-based filtering, but which simply need a boolean authorization result, are much cleaner when using {{authorized()}}.
I think that instead of eliminating the {{authorized()}} method entirely, we could provide an implementation as a member-function of the {{Authorizer}} base class. It could make use of the local authorizer's [current implementation|https://github.com/apache/mesos/blob/62161ac4416323b7373cc5e2a63b285f6f510d11/src/authorizer/local/authorizer.cpp#L628-L643] to accomplish this functionality using {{getObjectApprover}}. In this way, modules would only need to implement {{getObjectApprover}}, and the base class could provide an {{authorized()}} helper to keep the callsites clean.
cc [~arojas] [~adam-mesos] [~tillt]
> Update endpoint handlers to use 'ObjectApprover'
> ------------------------------------------------
>
> Key: MESOS-7190
> URL: https://issues.apache.org/jira/browse/MESOS-7190
> Project: Mesos
> Issue Type: Improvement
> Components: security
> Reporter: Greg Mann
> Labels: authorization, mesosphere, security
>
> The {{ObjectApprover}}-based interface for the authorizer has been introduced, but not all handlers make use of this new functionality (i.e., {{Slave::Http::flags()}}). We should consider migrating all authorization code to use {{getObjectApprover}}, and deprecating the older {{authorized()}} interface.
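The design proposed in the comment above, sketched as an added example; it is not Mesos code and not the commenter's. All types are simplified stand-ins (no futures, no protobufs), and `AclAuthorizer`, `Verdict`, `Objects` and the sample actions are hypothetical names: a module implements only `getObjectApprover`, and the base class derives a fail-closed boolean `authorized()` from it.

```cpp
// Added illustration with simplified stand-in types; these are NOT the real
// Mesos classes or signatures.
#include <map>
#include <memory>
#include <set>
#include <string>
#include <utility>

enum class Action { VIEW_FLAGS, VIEW_TASK };     // constructed sample actions
enum class Verdict { APPROVED, DENIED, FAILED }; // FAILED = approver error
using Objects = std::set<std::string>;           // empty set = any object
using Acl = std::map<std::pair<std::string, Action>, Objects>;

struct ObjectApprover {
  virtual ~ObjectApprover() = default;
  virtual Verdict approved(const std::string& object) const = 0;
};
using ApproverPtr = std::unique_ptr<ObjectApprover>;

class Authorizer {
public:
  virtual ~Authorizer() = default;
  // The only method a module has to implement.
  virtual ApproverPtr getObjectApprover(const std::string& subject, Action action) = 0;
  // Base-class helper for callsites that want one boolean. Fails closed:
  // a missing approver or a FAILED verdict means "not authorized".
  bool authorized(const std::string& subject, Action action, const std::string& object = "") {
    ApproverPtr approver = getObjectApprover(subject, action);
    return approver && approver->approved(object) == Verdict::APPROVED;
  }
};

// Hypothetical module: an ACL keyed by (subject, action).
class AclAuthorizer : public Authorizer {
  struct Approver : ObjectApprover {
    bool known; Objects allowed;
    Approver(bool k, Objects a) : known(k), allowed(std::move(a)) {}
    Verdict approved(const std::string& object) const override {
      if (!known) return Verdict::DENIED;            // no ACL entry at all
      if (allowed.empty()) return Verdict::APPROVED; // entry covers any object
      if (object.empty()) return Verdict::FAILED;    // cannot decide without an object
      return allowed.count(object) ? Verdict::APPROVED : Verdict::DENIED;
    }
  };
  Acl acl_;
public:
  explicit AclAuthorizer(Acl acl) : acl_(std::move(acl)) {}
  ApproverPtr getObjectApprover(const std::string& subject, Action action) override {
    auto it = acl_.find({subject, action});
    bool known = it != acl_.end();
    return std::make_unique<Approver>(known, known ? it->second : Objects{});
  }
};
```

A handler that filters a list fetches one approver and calls `approved()` per object, while a handler that needs a single yes/no calls `authorized()`.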