Posted to commits@mesos.apache.org by vi...@apache.org on 2016/07/01 17:40:40 UTC
[2/2] mesos git commit: Added documentation on coarse grain authorization for endpoints.
Added documentation on coarse grain authorization for endpoints.
Coarse-grained authorization for endpoints landed a while ago; however,
no documentation is available.
Review: https://reviews.apache.org/r/49257/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/926e8d25
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/926e8d25
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/926e8d25
Branch: refs/heads/master
Commit: 926e8d25c5b5cc570faeb2a4494ac8bc4e03d773
Parents: ec45ae5
Author: Alexander Rojas <al...@mesosphere.io>
Authored: Fri Jul 1 10:39:27 2016 -0700
Committer: Vinod Kone <vi...@gmail.com>
Committed: Fri Jul 1 10:40:21 2016 -0700
----------------------------------------------------------------------
docs/authorization.md | 45 +++++++++++++++++++++++++++++++++++++++++++++
docs/upgrades.md | 8 ++++++++
2 files changed, 53 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/926e8d25/docs/authorization.md
----------------------------------------------------------------------
diff --git a/docs/authorization.md b/docs/authorization.md
index 9bd6031..fb56cdb 100644
--- a/docs/authorization.md
+++ b/docs/authorization.md
@@ -216,6 +216,13 @@ entries, each representing an authorizable action:
</td>
</tr>
<tr>
+ <td><code>get_endpoints</code></td>
+ <td>HTTP username.</td>
+ <td>HTTP endpoints the user should be able to access using the HTTP "GET"
+ method.</td>
+ <td>Performing an HTTP "GET" on an endpoint.</td>
+</tr>
+<tr>
<td><code>update_weights</code></td>
<td>Operator username.</td>
<td>Resource roles whose weights can be updated by the operator.</td>
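Review bot: the new `get_endpoints` row describes its object only as "HTTP endpoints the user should be able to access using the HTTP "GET" method" without naming the ACL field, so a reader cannot connect the table to the JSON example added later in this patch, which keys the object as `paths` and the subject as `principals`. Suggest "Subject: the `principals` of the HTTP request. Object: the endpoint `paths` (e.g. `/metrics/snapshot`)". The subject cell "HTTP username." is also the odd one out next to "Operator username." in the adjacent `update_weights` row; say whose credentials are meant rather than introducing a third term.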
@@ -258,6 +265,14 @@ entries, each representing an authorizable action:
</tbody>
</table>
+### Authorizable HTTP endpoints
+
+The `get_endpoints` action covers:
+
+* `/logging/toggle`
+* `/metrics/snapshot`
+* `/slave(id)/containers`
+* `/slave(id)/monitor/statistics`
### Examples
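Review bot: the list under `+### Authorizable HTTP endpoints` names `/slave(id)/containers` and `/slave(id)/monitor/statistics`, but the example added further down in this same file grants `foo` access to `/monitor/statistics` with no `/slave(id)` prefix; one of the two is wrong, or this section needs a sentence stating which form the `paths` values are matched against. Also add a `+` blank line after `+* `/slave(id)/monitor/statistics`` so the unchanged `### Examples` heading is separated from the list, as the rest of this file does with headings.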
@@ -708,6 +723,36 @@ principal can update quota.
}
```
+
+The principal `ops` can reach all HTTP endpoints using the _GET_
+method. The principal `foo`, however, can only use the HTTP _GET_ on
+the `/logging/toggle` and `/monitor/statistics` endpoints. No other
+principals can use _GET_ on any endpoints.
+
+```json
+{
+ "permissive": false,
+ "get_endpoints": [
+ {
+ "principals": {
+ "values": ["ops"]
+ },
+ "paths": {
+ "type": "ANY"
+ }
+ },
+ {
+ "principals": {
+ "values": ["foo"]
+ },
+ "paths": {
+ "values": ["/logging/toggle", "/monitor/statistics"]
+ }
+ }
+ ]
+}
+```
+
## Implementing an Authorizer
In case you plan to implement your own authorizer [module](modules.md), the
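Review bot: `"values": ["/logging/toggle", "/monitor/statistics"]` in the `foo` entry does not match the endpoint list added earlier in this file, which only has `/slave(id)/monitor/statistics`; either write the path in the same form or document that the agent's process id is stripped before matching, otherwise an operator copying this ACL may get a rule that never matches. The sentence "No other principals can use _GET_ on any endpoints" is only true because of `"permissive": false`; worth saying so in the prose, since the deny-by-default behaviour is the point of that setting.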
http://git-wip-us.apache.org/repos/asf/mesos/blob/926e8d25/docs/upgrades.md
----------------------------------------------------------------------
diff --git a/docs/upgrades.md b/docs/upgrades.md
index 079e04f..255b5bd 100644
--- a/docs/upgrades.md
+++ b/docs/upgrades.md
@@ -271,6 +271,14 @@ We categorize the changes as follows:
* Mesos 1.0 introduces authorization support for several HTTP endpoints. Note that some of these endpoints are used by the web UI, and thus using the web UI in a cluster with authorization enabled will require that ACLs be set appropriately. Please refer to the [authorization documentation](authorization.md) for details.
+* The endpoints with coarse grained authorization enabled are:
+ - `/logging/toggle`
+ - `/metrics/snapshot`
+ - `/slave(id)/containers`
+ - `/slave(id)/monitor/statistics`
+
+* If the defined ACLs used `permissive: false`, the listed HTTP endpoints will stop working unless ACLs for the `get_endpoints` actions are defined.
+
In order to upgrade a running cluster:
1. Rebuild and install any modules so that upgraded masters/agents can use them.
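Review bot: `+* If the defined ACLs used `permissive: false`, the listed HTTP endpoints will stop working unless ACLs for the `get_endpoints` actions are defined.` should read "use" and "action" (singular, there is one `get_endpoints` action), and "stop working" understates the effect: requests to those endpoints from principals not matched by a `get_endpoints` ACL will be denied. The new endpoint bullet list also duplicates the one added to authorization.md in this same patch; a link to that section would keep the two from drifting apart (the example in authorization.md already spells `/monitor/statistics` differently).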