Posted to reviews@mesos.apache.org by Joseph Wu <jo...@mesosphere.io> on 2017/10/16 23:42:16 UTC
Re: Review Request 60891: Added ACLs and AuthZ for standalone
containers.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60891/
-----------------------------------------------------------
(Updated Oct. 16, 2017, 4:42 p.m.)
Review request for mesos, Alexander Rojas, Gilbert Song, and Jie Yu.
Changes
-------
Rebased on top of the `MARK_AGENT_DOWN` change.
Summary (updated)
-----------------
Added ACLs and AuthZ for standalone containers.
Bugs: MESOS-7305
https://issues.apache.org/jira/browse/MESOS-7305
Repository: mesos
Description (updated)
-------
This defines some coarse-grained AuthZ for launching and managing
standalone containers. Each HTTP principal can be given the right
to Launch, Wait upon, Kill, or Remove standalone containers under
a given (posix) user.
Diffs (updated)
-----
include/mesos/authorizer/acls.proto 587b71489730f9a1252c73c0239e3d9892b3ae8e
include/mesos/authorizer/authorizer.proto 87a805794f430fc8b2e47de6d624b95deef162b4
src/authorizer/local/authorizer.cpp 2fe7b879e649b13322cfcb300c21ef1ed0fea410
Diff: https://reviews.apache.org/r/60891/diff/3/
Changes: https://reviews.apache.org/r/60891/diff/2-3/
Testing
-------
See later in chain.
Thanks,
Joseph Wu
Re: Review Request 60891: Added ACLs and AuthZ for standalone
containers.
Posted by Jie Yu <yu...@gmail.com>.
> On Oct. 18, 2017, 3:40 a.m., Jie Yu wrote:
> > include/mesos/authorizer/acls.proto
> > Lines 435-437 (patched)
> > <https://reviews.apache.org/r/60891/diff/3/?file=1858661#file1858661line435>
> >
> > hum, I got confused. How do you get the user of a container? And it's not consistent with below?
>
> Joseph Wu wrote:
> Note: The user is specified in the call to launch standalone/nested containers.
But this is kill standalone container. Do we set 'user' in the `ObjectApprover::Object` for kill action?
- Jie
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60891/#review188447
-----------------------------------------------------------
Re: Review Request 60891: Added ACLs and AuthZ for standalone
containers.
Posted by Joseph Wu <jo...@mesosphere.io>.
> On Oct. 17, 2017, 8:40 p.m., Jie Yu wrote:
> > include/mesos/authorizer/acls.proto
> > Lines 435-437 (patched)
> > <https://reviews.apache.org/r/60891/diff/3/?file=1858661#file1858661line435>
> >
> > hum, I got confused. How do you get the user of a container? And it's not consistent with below?
Note: The user is specified in the call to launch standalone/nested containers.
- Joseph
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60891/#review188447
-----------------------------------------------------------
Re: Review Request 60891: Added ACLs and AuthZ for standalone
containers.
Posted by Joseph Wu <jo...@mesosphere.io>.
> On Oct. 17, 2017, 8:40 p.m., Jie Yu wrote:
> > include/mesos/authorizer/acls.proto
> > Lines 435-437 (patched)
> > <https://reviews.apache.org/r/60891/diff/3/?file=1858661#file1858661line435>
> >
> > hum, I got confused. How do you get the user of a container? And it's not consistent with below?
>
> Joseph Wu wrote:
> Note: The user is specified in the call to launch standalone/nested containers.
>
> Jie Yu wrote:
> But this is kill standalone container. Do we set 'user' in the `ObjectApprover::Object` for kill action?
As discussed offline, the `user` is no longer a factor in AuthZ for standalone containers. Instead, principals can either use the APIs... or they can't.
- Joseph
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60891/#review188447
-----------------------------------------------------------
Re: Review Request 60891: Added ACLs and AuthZ for standalone
containers.
Posted by Jie Yu <yu...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60891/#review188447
-----------------------------------------------------------
include/mesos/authorizer/acls.proto
Lines 435-437 (patched)
<https://reviews.apache.org/r/60891/#comment265442>
hum, I got confused. How do you get the user of a container? And it's not consistent with below?
- Jie Yu
Re: Review Request 60891: Added ACLs and AuthZ for standalone
containers.
Posted by Joseph Wu <jo...@mesosphere.io>.
> On Dec. 1, 2017, 1:30 a.m., Alexander Rojas wrote:
> > This patch didn't add tests in [authorization_tests.cpp](https://github.com/apache/mesos/blob/master/src/tests/authorization_tests.cpp)
Yeah, I have the tests up for review separately: https://reviews.apache.org/r/63828/ (which you've already reviewed ;)
- Joseph
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60891/#review192455
-----------------------------------------------------------
Re: Review Request 60891: Added ACLs and AuthZ for standalone
containers.
Posted by Alexander Rojas <al...@mesosphere.io>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60891/#review192455
-----------------------------------------------------------
This patch didn't add tests in [authorization_tests.cpp](https://github.com/apache/mesos/blob/master/src/tests/authorization_tests.cpp)
- Alexander Rojas
Re: Review Request 60891: Added ACLs and AuthZ for standalone
containers.
Posted by Jie Yu <yu...@gmail.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60891/#review190981
-----------------------------------------------------------
Ship it!
- Jie Yu
Re: Review Request 60891: Added ACLs and AuthZ for standalone
containers.
Posted by Joseph Wu <jo...@mesosphere.io>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60891/
-----------------------------------------------------------
(Updated Nov. 13, 2017, 5:24 p.m.)
Review request for mesos, Alexander Rojas, Gilbert Song, and Jie Yu.
Changes
-------
Removed granularity from ACLs. Now the permissions are ANY or NONE, i.e. a given principal can either launch standalone containers or not.
This includes an ACL validation addition.
Bugs: MESOS-7305
https://issues.apache.org/jira/browse/MESOS-7305
Repository: mesos
Description
-------
This defines some coarse-grained AuthZ for launching and managing
standalone containers. Each HTTP principal can be given the right
to Launch, Wait upon, Kill, or Remove standalone containers under
a given (posix) user.
Diffs (updated)
-----
include/mesos/authorizer/acls.proto 587b71489730f9a1252c73c0239e3d9892b3ae8e
include/mesos/authorizer/authorizer.proto 87a805794f430fc8b2e47de6d624b95deef162b4
src/authorizer/local/authorizer.cpp 2fe7b879e649b13322cfcb300c21ef1ed0fea410
Diff: https://reviews.apache.org/r/60891/diff/5/
Changes: https://reviews.apache.org/r/60891/diff/4-5/
Testing
-------
See later in chain.
Thanks,
Joseph Wu