You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@mesos.apache.org by "Alexander Rojas (JIRA)" <ji...@apache.org> on 2016/05/12 14:02:12 UTC

[jira] [Commented] (MESOS-5369) Coarse-grained authorization of endpoints is supported only for short url paths.

    [ https://issues.apache.org/jira/browse/MESOS-5369?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15281535#comment-15281535 ] 

Alexander Rojas commented on MESOS-5369:
----------------------------------------

We faced this issue while implementing the firewall. Some solutions were proposed:

# Add a regex library (was discarded because it will add another binary third party dependency and GCC didn’t yet had support for C++11 regex).
# Implement our own wildcard mechanism (discarded because it added extra abstractions into Mesos codebase).

Finally we just add an MVP requirement of knowing the suffix of the process you wanted to hit. The idea was to postpone the final solution to a next iteration, through in truth, we never got to that.

> Coarse-grained authorization of endpoints is supported only for short url paths.
> --------------------------------------------------------------------------------
>
>                 Key: MESOS-5369
>                 URL: https://issues.apache.org/jira/browse/MESOS-5369
>             Project: Mesos
>          Issue Type: Bug
>    Affects Versions: 0.29.0
>            Reporter: Alexander Rukletsov
>              Labels: authorization, mesosphere, security
>
> For coarse-grained authorization actions, e.g., {{GET_ENDPOINT_WITH_PATH}}, we currently pass the short version of the url path, i.e., {{/state}} instead of {{/master/state}}, to the authorizer in some cases. This means that ACLs for local authorizer will not work as expected if absolute paths are used. Moreover, both local and modularized authorizers should be able to understand both short url paths for endpoints that belong to the "major" actor process (e.g., master, agent) and absolute url paths for all other actors (e.g., {{/files/browse}}, {{/metrics/snapshot}}.
> One possible solution is to pass absolute paths to authorizers and let them do the necessary processing, e.g., removing agent id from {{/slave(id)/state}}. This will also require normalizing endpoints from ACLs to absolute path form, similarly as we have done in MESOS-3143. Additionally this solution removes ambiguity which may arise for same endpoints belonging to different actors, e.g., {{/master/flags}} vs. {{/slave/flags}}.
> Here are some code snippets to illustrate the problem and the reasons:
> * https://github.com/apache/mesos/blob/eaf0d3461b3f17c9037490e873f114c2ee1c14d9/src/slave/http.cpp#L824-L833
> * https://github.com/apache/mesos/blob/0104e7349a0539f38d02a0e7e23b7712ebefc201/3rdparty/libprocess/src/process.cpp#L2398
> * https://github.com/apache/mesos/blob/0104e7349a0539f38d02a0e7e23b7712ebefc201/src/master/main.cpp#L247
> * https://github.com/apache/mesos/blob/0104e7349a0539f38d02a0e7e23b7712ebefc201/3rdparty/libprocess/src/process.cpp#L2875



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)