You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@mesos.apache.org by Greg Mann <gr...@mesosphere.io> on 2017/04/07 03:38:54 UTC
Review Request 58254: Added implicit executor authorization to the
agent operator API.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58254/
-----------------------------------------------------------
Review request for mesos, Adam B, Alexander Rojas, Till Toenshoff, and Vinod Kone.
Bugs: MESOS-7014
https://issues.apache.org/jira/browse/MESOS-7014
Repository: mesos
Description
-------
This patch updates the agent handlers for the LAUNCH_, WAIT_,
and KILL_NESTED_CONTAINER calls of the operator API to set the
`container_id` field within the authorization object,
facilitating implicit executor authorization.
Diffs
-----
include/mesos/authorizer/authorizer.proto 736f76d552956f2351ffd40fc51d088dff83f8c8
src/authorizer/local/authorizer.cpp e241edf4afa48d35dbbbb94d72e8e8690f5bedfc
src/slave/http.cpp b07ce7c73a90ef297d980806ebba9530d86f25ae
Diff: https://reviews.apache.org/r/58254/diff/1/
Testing
-------
Testing details can be found at the end of this chain.
Thanks,
Greg Mann
Re: Review Request 58254: Added implicit executor authorization to
the agent operator API.
Posted by Greg Mann <gr...@mesosphere.io>.
> On April 7, 2017, 11:40 a.m., Alexander Rojas wrote:
> > src/authorizer/local/authorizer.cpp
> > Lines 654-657 (original), 683-690 (patched)
> > <https://reviews.apache.org/r/58254/diff/1/?file=1686361#file1686361line683>
> >
> > I'm not so sure returning a `RejectingObjectApprover()` is the right thing to do. It looks to me that the request is in an invalid state and at the very least should log that, but this if sounds like a precondition to me: If it has claims, it needs to be one of the three actions. Probably chang it for a `CHECK`.
> >
> > If I'm wrong, at least a comment mentioning when is it a valid case having a request that fails the check would help.
There's nothing stopping a client from providing a token with claims but no value in an operator API request with some other action, so we need to fail authorization for those cases somewhere. However, it's probably better to do it in the body of `getObjectApprover`, rather than here. Will update and add a comment.
> On April 7, 2017, 11:40 a.m., Alexander Rojas wrote:
> > src/authorizer/local/authorizer.cpp
> > Lines 692-699 (patched)
> > <https://reviews.apache.org/r/58254/diff/1/?file=1686361#file1686361line692>
> >
> > Refer to my review of previous patch.
I'm not sure precisely what you mean to say here, could you elaborate?
- Greg
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58254/#review171320
-----------------------------------------------------------
On April 7, 2017, 11:25 p.m., Greg Mann wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58254/
> -----------------------------------------------------------
>
> (Updated April 7, 2017, 11:25 p.m.)
>
>
> Review request for mesos, Adam B, Alexander Rojas, Till Toenshoff, and Vinod Kone.
>
>
> Bugs: MESOS-7014
> https://issues.apache.org/jira/browse/MESOS-7014
>
>
> Repository: mesos
>
>
> Description
> -------
>
> This patch updates the agent handlers for the LAUNCH_, WAIT_,
> and KILL_NESTED_CONTAINER calls of the operator API to set the
> `container_id` field within the authorization object,
> facilitating implicit executor authorization.
>
>
> Diffs
> -----
>
> include/mesos/authorizer/authorizer.proto 736f76d552956f2351ffd40fc51d088dff83f8c8
> src/authorizer/local/authorizer.cpp e241edf4afa48d35dbbbb94d72e8e8690f5bedfc
> src/slave/http.cpp b07ce7c73a90ef297d980806ebba9530d86f25ae
>
>
> Diff: https://reviews.apache.org/r/58254/diff/2/
>
>
> Testing
> -------
>
> Testing details can be found at the end of this chain.
>
>
> Thanks,
>
> Greg Mann
>
>
Re: Review Request 58254: Added implicit executor authorization to
the agent operator API.
Posted by Alexander Rojas <al...@mesosphere.io>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58254/#review171320
-----------------------------------------------------------
src/authorizer/local/authorizer.cpp
Line 576 (original), 601-603 (patched)
<https://reviews.apache.org/r/58254/#comment244220>
I think options are default initialized to `None()`, in which case I think
```c++
Option<authorization::Subject> subject;
if (request.has_subject()) {
subject = request.subject();
}
```
would work just as well.
src/authorizer/local/authorizer.cpp
Lines 654-657 (original), 683-690 (patched)
<https://reviews.apache.org/r/58254/#comment244234>
I'm not so sure returning a `RejectingObjectApprover()` is the right thing to do. It looks to me that the request is in an invalid state and at the very least should log that, but this if sounds like a precondition to me: If it has claims, it needs to be one of the three actions. Probably chang it for a `CHECK`.
If I'm wrong, at least a comment mentioning when is it a valid case having a request that fails the check would help.
src/authorizer/local/authorizer.cpp
Lines 692-699 (patched)
<https://reviews.apache.org/r/58254/#comment244235>
Refer to my review of previous patch.
src/authorizer/local/authorizer.cpp
Lines 743 (patched)
<https://reviews.apache.org/r/58254/#comment244236>
Given the ussage, this one could be promoted to a top level class at this point.
- Alexander Rojas
On April 7, 2017, 5:38 a.m., Greg Mann wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58254/
> -----------------------------------------------------------
>
> (Updated April 7, 2017, 5:38 a.m.)
>
>
> Review request for mesos, Adam B, Alexander Rojas, Till Toenshoff, and Vinod Kone.
>
>
> Bugs: MESOS-7014
> https://issues.apache.org/jira/browse/MESOS-7014
>
>
> Repository: mesos
>
>
> Description
> -------
>
> This patch updates the agent handlers for the LAUNCH_, WAIT_,
> and KILL_NESTED_CONTAINER calls of the operator API to set the
> `container_id` field within the authorization object,
> facilitating implicit executor authorization.
>
>
> Diffs
> -----
>
> include/mesos/authorizer/authorizer.proto 736f76d552956f2351ffd40fc51d088dff83f8c8
> src/authorizer/local/authorizer.cpp e241edf4afa48d35dbbbb94d72e8e8690f5bedfc
> src/slave/http.cpp b07ce7c73a90ef297d980806ebba9530d86f25ae
>
>
> Diff: https://reviews.apache.org/r/58254/diff/1/
>
>
> Testing
> -------
>
> Testing details can be found at the end of this chain.
>
>
> Thanks,
>
> Greg Mann
>
>
Re: Review Request 58254: Added implicit executor authorization to
the agent operator API.
Posted by Vinod Kone <vi...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58254/#review172279
-----------------------------------------------------------
Ship it!
Ship It!
- Vinod Kone
On April 14, 2017, 9:14 p.m., Greg Mann wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58254/
> -----------------------------------------------------------
>
> (Updated April 14, 2017, 9:14 p.m.)
>
>
> Review request for mesos, Adam B, Alexander Rojas, Till Toenshoff, and Vinod Kone.
>
>
> Bugs: MESOS-7014
> https://issues.apache.org/jira/browse/MESOS-7014
>
>
> Repository: mesos
>
>
> Description
> -------
>
> This patch updates the agent handlers for the LAUNCH_, WAIT_,
> and KILL_NESTED_CONTAINER calls of the operator API to set the
> `container_id` field within the authorization object,
> facilitating implicit executor authorization.
>
>
> Diffs
> -----
>
> include/mesos/authorizer/authorizer.proto 736f76d552956f2351ffd40fc51d088dff83f8c8
> src/authorizer/local/authorizer.cpp 1c1f912794cfe61112a0e513b217ba3a755f35f1
> src/slave/http.cpp 468cf332d79ed7315ecf51955235735dec0a2df1
>
>
> Diff: https://reviews.apache.org/r/58254/diff/6/
>
>
> Testing
> -------
>
> Testing details can be found at the end of this chain.
>
>
> Thanks,
>
> Greg Mann
>
>
Re: Review Request 58254: Added implicit executor authorization to
the agent operator API.
Posted by Greg Mann <gr...@mesosphere.io>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58254/
-----------------------------------------------------------
(Updated April 14, 2017, 9:14 p.m.)
Review request for mesos, Adam B, Alexander Rojas, Till Toenshoff, and Vinod Kone.
Bugs: MESOS-7014
https://issues.apache.org/jira/browse/MESOS-7014
Repository: mesos
Description
-------
This patch updates the agent handlers for the LAUNCH_, WAIT_,
and KILL_NESTED_CONTAINER calls of the operator API to set the
`container_id` field within the authorization object,
facilitating implicit executor authorization.
Diffs (updated)
-----
include/mesos/authorizer/authorizer.proto 736f76d552956f2351ffd40fc51d088dff83f8c8
src/authorizer/local/authorizer.cpp 1c1f912794cfe61112a0e513b217ba3a755f35f1
src/slave/http.cpp 468cf332d79ed7315ecf51955235735dec0a2df1
Diff: https://reviews.apache.org/r/58254/diff/6/
Changes: https://reviews.apache.org/r/58254/diff/5-6/
Testing
-------
Testing details can be found at the end of this chain.
Thanks,
Greg Mann
Re: Review Request 58254: Added implicit executor authorization to
the agent operator API.
Posted by Greg Mann <gr...@mesosphere.io>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58254/
-----------------------------------------------------------
(Updated April 14, 2017, 3:51 p.m.)
Review request for mesos, Adam B, Alexander Rojas, Till Toenshoff, and Vinod Kone.
Bugs: MESOS-7014
https://issues.apache.org/jira/browse/MESOS-7014
Repository: mesos
Description
-------
This patch updates the agent handlers for the LAUNCH_, WAIT_,
and KILL_NESTED_CONTAINER calls of the operator API to set the
`container_id` field within the authorization object,
facilitating implicit executor authorization.
Diffs (updated)
-----
include/mesos/authorizer/authorizer.proto 736f76d552956f2351ffd40fc51d088dff83f8c8
src/authorizer/local/authorizer.cpp 1c1f912794cfe61112a0e513b217ba3a755f35f1
src/slave/http.cpp 468cf332d79ed7315ecf51955235735dec0a2df1
Diff: https://reviews.apache.org/r/58254/diff/5/
Changes: https://reviews.apache.org/r/58254/diff/4-5/
Testing
-------
Testing details can be found at the end of this chain.
Thanks,
Greg Mann
Re: Review Request 58254: Added implicit executor authorization to
the agent operator API.
Posted by Greg Mann <gr...@mesosphere.io>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58254/#review171917
-----------------------------------------------------------
src/authorizer/local/authorizer.cpp
Lines 323-327 (original), 323-327 (patched)
<https://reviews.apache.org/r/58254/#comment244914>
Populate for LAUNCH_NESTED_CONTAINER_SESSION
Add authorization test for this (enable authZ be default in all default executor tests)
src/authorizer/local/authorizer.cpp
Line 659 (original), 726-733 (patched)
<https://reviews.apache.org/r/58254/#comment244918>
Comment explaining the purpose of this conditional.
- Greg Mann
On April 13, 2017, 6:56 p.m., Greg Mann wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58254/
> -----------------------------------------------------------
>
> (Updated April 13, 2017, 6:56 p.m.)
>
>
> Review request for mesos, Adam B, Alexander Rojas, Till Toenshoff, and Vinod Kone.
>
>
> Bugs: MESOS-7014
> https://issues.apache.org/jira/browse/MESOS-7014
>
>
> Repository: mesos
>
>
> Description
> -------
>
> This patch updates the agent handlers for the LAUNCH_, WAIT_,
> and KILL_NESTED_CONTAINER calls of the operator API to set the
> `container_id` field within the authorization object,
> facilitating implicit executor authorization.
>
>
> Diffs
> -----
>
> include/mesos/authorizer/authorizer.proto 736f76d552956f2351ffd40fc51d088dff83f8c8
> src/authorizer/local/authorizer.cpp 1c1f912794cfe61112a0e513b217ba3a755f35f1
> src/slave/http.cpp 468cf332d79ed7315ecf51955235735dec0a2df1
>
>
> Diff: https://reviews.apache.org/r/58254/diff/4/
>
>
> Testing
> -------
>
> Testing details can be found at the end of this chain.
>
>
> Thanks,
>
> Greg Mann
>
>
Re: Review Request 58254: Added implicit executor authorization to
the agent operator API.
Posted by Greg Mann <gr...@mesosphere.io>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58254/
-----------------------------------------------------------
(Updated April 13, 2017, 6:56 p.m.)
Review request for mesos, Adam B, Alexander Rojas, Till Toenshoff, and Vinod Kone.
Bugs: MESOS-7014
https://issues.apache.org/jira/browse/MESOS-7014
Repository: mesos
Description
-------
This patch updates the agent handlers for the LAUNCH_, WAIT_,
and KILL_NESTED_CONTAINER calls of the operator API to set the
`container_id` field within the authorization object,
facilitating implicit executor authorization.
Diffs (updated)
-----
include/mesos/authorizer/authorizer.proto 736f76d552956f2351ffd40fc51d088dff83f8c8
src/authorizer/local/authorizer.cpp 1c1f912794cfe61112a0e513b217ba3a755f35f1
src/slave/http.cpp 468cf332d79ed7315ecf51955235735dec0a2df1
Diff: https://reviews.apache.org/r/58254/diff/4/
Changes: https://reviews.apache.org/r/58254/diff/3-4/
Testing
-------
Testing details can be found at the end of this chain.
Thanks,
Greg Mann
Re: Review Request 58254: Added implicit executor authorization to
the agent operator API.
Posted by Alexander Rojas <al...@mesosphere.io>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58254/#review171722
-----------------------------------------------------------
Ship it!
Ship It!
- Alexander Rojas
On April 12, 2017, 9:31 a.m., Greg Mann wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58254/
> -----------------------------------------------------------
>
> (Updated April 12, 2017, 9:31 a.m.)
>
>
> Review request for mesos, Adam B, Alexander Rojas, Till Toenshoff, and Vinod Kone.
>
>
> Bugs: MESOS-7014
> https://issues.apache.org/jira/browse/MESOS-7014
>
>
> Repository: mesos
>
>
> Description
> -------
>
> This patch updates the agent handlers for the LAUNCH_, WAIT_,
> and KILL_NESTED_CONTAINER calls of the operator API to set the
> `container_id` field within the authorization object,
> facilitating implicit executor authorization.
>
>
> Diffs
> -----
>
> include/mesos/authorizer/authorizer.proto 736f76d552956f2351ffd40fc51d088dff83f8c8
> src/authorizer/local/authorizer.cpp 1c1f912794cfe61112a0e513b217ba3a755f35f1
> src/slave/http.cpp 468cf332d79ed7315ecf51955235735dec0a2df1
>
>
> Diff: https://reviews.apache.org/r/58254/diff/3/
>
>
> Testing
> -------
>
> Testing details can be found at the end of this chain.
>
>
> Thanks,
>
> Greg Mann
>
>
Re: Review Request 58254: Added implicit executor authorization to
the agent operator API.
Posted by Greg Mann <gr...@mesosphere.io>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58254/
-----------------------------------------------------------
(Updated April 12, 2017, 7:31 a.m.)
Review request for mesos, Adam B, Alexander Rojas, Till Toenshoff, and Vinod Kone.
Bugs: MESOS-7014
https://issues.apache.org/jira/browse/MESOS-7014
Repository: mesos
Description
-------
This patch updates the agent handlers for the LAUNCH_, WAIT_,
and KILL_NESTED_CONTAINER calls of the operator API to set the
`container_id` field within the authorization object,
facilitating implicit executor authorization.
Diffs (updated)
-----
include/mesos/authorizer/authorizer.proto 736f76d552956f2351ffd40fc51d088dff83f8c8
src/authorizer/local/authorizer.cpp 1c1f912794cfe61112a0e513b217ba3a755f35f1
src/slave/http.cpp 468cf332d79ed7315ecf51955235735dec0a2df1
Diff: https://reviews.apache.org/r/58254/diff/3/
Changes: https://reviews.apache.org/r/58254/diff/2-3/
Testing
-------
Testing details can be found at the end of this chain.
Thanks,
Greg Mann
Re: Review Request 58254: Added implicit executor authorization to
the agent operator API.
Posted by Greg Mann <gr...@mesosphere.io>.
> On April 11, 2017, 12:27 a.m., Vinod Kone wrote:
> > src/authorizer/local/authorizer.cpp
> > Lines 725 (patched)
> > <https://reviews.apache.org/r/58254/diff/2/?file=1686563#file1686563line725>
> >
> > Is this based on the assumption that claims subjects only come from executors and not operators? What guarantees that?
There's one use case this patch would not accommodate: if a custom authenticator is used which sets both `Principal.value` and `Principal.claims`, and the local authorizer is also used. In that case, an operator could authenticate such that this code would not authorize their request correctly. To address this, I could add a check here for `!subject->has_value()`, since only implicit executor authZ can handle subjects without a value, and the default JWT authenticator does not set `Principal.value`.
- Greg
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58254/#review171506
-----------------------------------------------------------
On April 7, 2017, 11:25 p.m., Greg Mann wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58254/
> -----------------------------------------------------------
>
> (Updated April 7, 2017, 11:25 p.m.)
>
>
> Review request for mesos, Adam B, Alexander Rojas, Till Toenshoff, and Vinod Kone.
>
>
> Bugs: MESOS-7014
> https://issues.apache.org/jira/browse/MESOS-7014
>
>
> Repository: mesos
>
>
> Description
> -------
>
> This patch updates the agent handlers for the LAUNCH_, WAIT_,
> and KILL_NESTED_CONTAINER calls of the operator API to set the
> `container_id` field within the authorization object,
> facilitating implicit executor authorization.
>
>
> Diffs
> -----
>
> include/mesos/authorizer/authorizer.proto 736f76d552956f2351ffd40fc51d088dff83f8c8
> src/authorizer/local/authorizer.cpp e241edf4afa48d35dbbbb94d72e8e8690f5bedfc
> src/slave/http.cpp b07ce7c73a90ef297d980806ebba9530d86f25ae
>
>
> Diff: https://reviews.apache.org/r/58254/diff/2/
>
>
> Testing
> -------
>
> Testing details can be found at the end of this chain.
>
>
> Thanks,
>
> Greg Mann
>
>
Re: Review Request 58254: Added implicit executor authorization to
the agent operator API.
Posted by Vinod Kone <vi...@gmail.com>.
> On April 11, 2017, 12:27 a.m., Vinod Kone wrote:
> > src/authorizer/local/authorizer.cpp
> > Lines 725 (patched)
> > <https://reviews.apache.org/r/58254/diff/2/?file=1686563#file1686563line725>
> >
> > Is this based on the assumption that claims subjects only come from executors and not operators? What guarantees that?
>
> Greg Mann wrote:
> There's one use case this patch would not accommodate: if a custom authenticator is used which sets both `Principal.value` and `Principal.claims`, and the local authorizer is also used. In that case, an operator could authenticate such that this code would not authorize their request correctly. To address this, I could add a check here for `!subject->has_value()`, since only implicit executor authZ can handle subjects without a value, and the default JWT authenticator does not set `Principal.value`.
Sounds good.
- Vinod
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58254/#review171506
-----------------------------------------------------------
On April 7, 2017, 11:25 p.m., Greg Mann wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58254/
> -----------------------------------------------------------
>
> (Updated April 7, 2017, 11:25 p.m.)
>
>
> Review request for mesos, Adam B, Alexander Rojas, Till Toenshoff, and Vinod Kone.
>
>
> Bugs: MESOS-7014
> https://issues.apache.org/jira/browse/MESOS-7014
>
>
> Repository: mesos
>
>
> Description
> -------
>
> This patch updates the agent handlers for the LAUNCH_, WAIT_,
> and KILL_NESTED_CONTAINER calls of the operator API to set the
> `container_id` field within the authorization object,
> facilitating implicit executor authorization.
>
>
> Diffs
> -----
>
> include/mesos/authorizer/authorizer.proto 736f76d552956f2351ffd40fc51d088dff83f8c8
> src/authorizer/local/authorizer.cpp e241edf4afa48d35dbbbb94d72e8e8690f5bedfc
> src/slave/http.cpp b07ce7c73a90ef297d980806ebba9530d86f25ae
>
>
> Diff: https://reviews.apache.org/r/58254/diff/2/
>
>
> Testing
> -------
>
> Testing details can be found at the end of this chain.
>
>
> Thanks,
>
> Greg Mann
>
>
Re: Review Request 58254: Added implicit executor authorization to
the agent operator API.
Posted by Vinod Kone <vi...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58254/#review171506
-----------------------------------------------------------
include/mesos/authorizer/authorizer.proto
Line 176 (original), 178 (patched)
<https://reviews.apache.org/r/58254/#comment244440>
Need to add container id here as well.
include/mesos/authorizer/authorizer.proto
Line 192 (original), 194 (patched)
<https://reviews.apache.org/r/58254/#comment244441>
Need to add container id here as well.
src/authorizer/local/authorizer.cpp
Lines 725 (patched)
<https://reviews.apache.org/r/58254/#comment244449>
Is this based on the assumption that claims subjects only come from executors and not operators? What guarantees that?
- Vinod Kone
On April 7, 2017, 11:25 p.m., Greg Mann wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58254/
> -----------------------------------------------------------
>
> (Updated April 7, 2017, 11:25 p.m.)
>
>
> Review request for mesos, Adam B, Alexander Rojas, Till Toenshoff, and Vinod Kone.
>
>
> Bugs: MESOS-7014
> https://issues.apache.org/jira/browse/MESOS-7014
>
>
> Repository: mesos
>
>
> Description
> -------
>
> This patch updates the agent handlers for the LAUNCH_, WAIT_,
> and KILL_NESTED_CONTAINER calls of the operator API to set the
> `container_id` field within the authorization object,
> facilitating implicit executor authorization.
>
>
> Diffs
> -----
>
> include/mesos/authorizer/authorizer.proto 736f76d552956f2351ffd40fc51d088dff83f8c8
> src/authorizer/local/authorizer.cpp e241edf4afa48d35dbbbb94d72e8e8690f5bedfc
> src/slave/http.cpp b07ce7c73a90ef297d980806ebba9530d86f25ae
>
>
> Diff: https://reviews.apache.org/r/58254/diff/2/
>
>
> Testing
> -------
>
> Testing details can be found at the end of this chain.
>
>
> Thanks,
>
> Greg Mann
>
>
Re: Review Request 58254: Added implicit executor authorization to
the agent operator API.
Posted by Greg Mann <gr...@mesosphere.io>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58254/
-----------------------------------------------------------
(Updated April 7, 2017, 11:25 p.m.)
Review request for mesos, Adam B, Alexander Rojas, Till Toenshoff, and Vinod Kone.
Bugs: MESOS-7014
https://issues.apache.org/jira/browse/MESOS-7014
Repository: mesos
Description
-------
This patch updates the agent handlers for the LAUNCH_, WAIT_,
and KILL_NESTED_CONTAINER calls of the operator API to set the
`container_id` field within the authorization object,
facilitating implicit executor authorization.
Diffs (updated)
-----
include/mesos/authorizer/authorizer.proto 736f76d552956f2351ffd40fc51d088dff83f8c8
src/authorizer/local/authorizer.cpp e241edf4afa48d35dbbbb94d72e8e8690f5bedfc
src/slave/http.cpp b07ce7c73a90ef297d980806ebba9530d86f25ae
Diff: https://reviews.apache.org/r/58254/diff/2/
Changes: https://reviews.apache.org/r/58254/diff/1-2/
Testing
-------
Testing details can be found at the end of this chain.
Thanks,
Greg Mann