Posted to issues@mesos.apache.org by "Vinod Kone (JIRA)" <ji...@apache.org> on 2017/04/04 22:02:41 UTC

[jira] [Commented] (MESOS-7257) LocalAuthorizer handles request subject being NONE which never happens

    [ https://issues.apache.org/jira/browse/MESOS-7257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15955940#comment-15955940 ] 

Vinod Kone commented on MESOS-7257:
-----------------------------------

Sorry, just got around to this.

At the call site, if the subject is unknown (maybe because authN is not enabled) we want to ask the authorizer whether "ANY" subject is allowed to perform the action. If the answer is yes, then the unknown subject is allowed. I don't think it makes sense to ask the authorizer if "none" of the subjects are allowed in that case?

A request being "NONE" probably doesn't make sense, but IIRC I just added it for completeness. We can add a CHECK instead to disallow it if that makes the authorizer code much simpler.

> LocalAuthorizer handles request subject being NONE which never happens
> ----------------------------------------------------------------------
>
>                 Key: MESOS-7257
>                 URL: https://issues.apache.org/jira/browse/MESOS-7257
>             Project: Mesos
>          Issue Type: Bug
>            Reporter: Yan Xu
>
> The {{approved}} method in the local authorizer deals with the request being {{NONE}} or {{ANY}} according to these charts
> {code:title=}
> // Match matrix:
> //
> //                  -----------ACL----------
> //
> //                    SOME    NONE    ANY
> //          -------|-------|-------|-------
> //  |        SOME  | Yes/No|  Yes  |   Yes
> //  |       -------|-------|-------|-------
> // Request   NONE  |  No   |  Yes  |   No
> //  |       -------|-------|-------|-------
> //  |        ANY   |  No   |  Yes  |   Yes
> //          -------|-------|-------|-------
> // Allow matrix:
> //
> //                 -----------ACL----------
> //
> //                    SOME    NONE    ANY
> //          -------|-------|-------|-------
> //  |        SOME  | Yes/No|  No   |   Yes
> //  |       -------|-------|-------|-------
> // Request   NONE  |  No   |  Yes  |   No
> //  |       -------|-------|-------|-------
> //  |        ANY   |  No   |  No   |   Yes
> //          -------|-------|-------|-------
> {code}
> However AFAICT there's not a case for the request to be {{NONE}} as the code treats a none subject as {{ANY}}:
> {code:title=}
>     // Construct subject.
>     if (subject_.isSome()) {
>       aclSubject.add_values(subject_->value());
>       aclSubject.set_type(mesos::ACL::Entity::SOME);
>     } else {
>       aclSubject.set_type(mesos::ACL::Entity::ANY);
>     }
> {code}
> It feels more appropriate to use {{ACL::Entity::NONE}} to mean the subject is none but regardless of the choice, we don't seem to need both {{ACL::Entity::NONE}} and {{ACL::Entity::ANY}} for the request?
> If so the matrices should probably just have two rows and the code can be simplified.
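The two matrices above and the subject-construction snippet, written out as an added, self-contained C++ example so the "Request NONE" row can be exercised directly. This is not Mesos code: `Entity`, `EntityType`, `matches`, `allows`, `approved` and `subjectFromRequest` are hypothetical names standing in for the local authorizer's `ACL::Entity` handling, and the "Yes/No" cell for SOME vs. SOME is taken here to mean "every value of the request is listed in the ACL entity" (an assumption). The point the example makes visible is the one from the comment thread: an absent subject becomes ANY, so with this construction the NONE row is never reached and only an ACL entity of type ANY can permit an unauthenticated request.

```cpp
#include <initializer_list>
#include <iostream>
#include <optional>
#include <set>
#include <string>

// Hypothetical stand-in for mesos::ACL::Entity (assumption, not Mesos code).
enum class EntityType { SOME, NONE, ANY };

struct Entity {
  EntityType type;
  std::set<std::string> values;  // only meaningful when type == SOME
};

Entity some(std::initializer_list<std::string> values) {
  return Entity{EntityType::SOME, std::set<std::string>(values)};
}
Entity none() { return Entity{EntityType::NONE, {}}; }
Entity any() { return Entity{EntityType::ANY, {}}; }

// Mirrors the quoted "Construct subject" snippet: a known principal becomes
// SOME{principal}; an unknown subject (e.g. authentication disabled) becomes ANY.
Entity subjectFromRequest(const std::optional<std::string>& subject) {
  if (subject.has_value()) {
    return some({*subject});
  }
  return any();  // this is why the Request NONE row is never reached
}

// "Match matrix" from the issue: does this ACL entity apply to the request?
bool matches(const Entity& request, const Entity& acl) {
  switch (request.type) {
    case EntityType::SOME:
      if (acl.type == EntityType::SOME) {
        // Yes/No cell: every requested value must be listed in the ACL.
        for (const auto& v : request.values) {
          if (acl.values.count(v) == 0) return false;
        }
        return true;
      }
      return true;  // ACL NONE -> Yes, ACL ANY -> Yes
    case EntityType::NONE:
      return acl.type == EntityType::NONE;   // only NONE matches NONE
    case EntityType::ANY:
      return acl.type != EntityType::SOME;   // NONE -> Yes, ANY -> Yes
  }
  return false;
}

// "Allow matrix" from the issue: given that the ACL applies, is it permitted?
bool allows(const Entity& request, const Entity& acl) {
  switch (request.type) {
    case EntityType::SOME:
      if (acl.type == EntityType::SOME) {
        for (const auto& v : request.values) {
          if (acl.values.count(v) == 0) return false;
        }
        return true;
      }
      return acl.type == EntityType::ANY;    // NONE -> No, ANY -> Yes
    case EntityType::NONE:
      return acl.type == EntityType::NONE;   // only NONE allows NONE
    case EntityType::ANY:
      return acl.type == EntityType::ANY;    // SOME -> No, NONE -> No
  }
  return false;
}

// Combined decision: the ACL must both apply to and permit the request.
bool approved(const Entity& request, const Entity& acl) {
  return matches(request, acl) && allows(request, acl);
}

int main() {
  // Unauthenticated request (no principal) against three ACL shapes.
  Entity unauth = subjectFromRequest(std::nullopt);
  std::cout << "unauth vs SOME{alice}: " << approved(unauth, some({"alice"})) << "\n";  // 0
  std::cout << "unauth vs NONE:        " << approved(unauth, none()) << "\n";           // 0
  std::cout << "unauth vs ANY:         " << approved(unauth, any()) << "\n";            // 1
  // Authenticated request for "alice".
  Entity alice = subjectFromRequest(std::string("alice"));
  std::cout << "alice vs SOME{alice}:  " << approved(alice, some({"alice", "bob"})) << "\n";  // 1
  std::cout << "alice vs SOME{bob}:    " << approved(alice, some({"bob"})) << "\n";           // 0
  return 0;
}
```

Because `subjectFromRequest` never yields `EntityType::NONE`, the middle row of both matrices is dead for subjects constructed this way; the example lets you confirm that by checking what `approved` returns for `none()` as the request versus what any caller can actually produce.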
