Sorry guys, that was an oversight. I added reviews:

https://reviews.apache.org/r/48310/ - Fixes some endpoint spaces in docs.
https://reviews.apache.org/r/48311/ - Result of running the script.

> On 06 Jun 2016, at 23:54, Adam Bordelon <a...@mesosphere.io> wrote:
>
> Good point. Vinod was working on the endpoints script right next to me, but
> I guess he did his pre-release run before I committed Alexander's change.
> We'll have to do another run before rc2.
>
> On Mon, Jun 6, 2016 at 5:36 AM, Neil Conway <neil.con...@gmail.com> wrote:
>
>> FYI, this commit should have included the changes produced by
>> re-running the `generate-endpoint.py` script.
>>
>> Neil
>>
>> On Wed, Jun 1, 2016 at 8:26 AM, <m...@apache.org> wrote:
>>> Repository: mesos
>>> Updated Branches:
>>> refs/heads/master 5263a6211 -> 53b5164bb
>>>
>>>
>>> Added documentation for access_sandboxes and access_mesos_logs acls.
>>>
>>> Modifies the file `acls.proto` to take into consideration the added
>>> authorization actions `access_sandboxes` and `access_mesos_logs`.
>>>
>>> Review: https://reviews.apache.org/r/48048/
>>>
>>>
>>> Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
>>> Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/53b5164b
>>> Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/53b5164b
>>> Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/53b5164b
>>>
>>> Branch: refs/heads/master
>>> Commit: 53b5164bb51ebe850dec5ab19b8382f5c4a59391
>>> Parents: 5263a62
>>> Author: Alexander Rojas <alexan...@mesosphere.io>
>>> Authored: Tue May 31 23:20:50 2016 -0700
>>> Committer: Adam B <a...@mesosphere.io>
>>> Committed: Tue May 31 23:24:55 2016 -0700
>>>
>>> ----------------------------------------------------------------------
>>> docs/authorization.md | 2 ++
>>> src/files/files.cpp | 34 +++++++++++++++++++++++++++++++---
>>> 2 files changed, 33 insertions(+), 3 deletions(-)
>>> ----------------------------------------------------------------------
>>>
>>>
>>>
>> http://git-wip-us.apache.org/repos/asf/mesos/blob/53b5164b/docs/authorization.md
>>> ----------------------------------------------------------------------
>>> diff --git a/docs/authorization.md b/docs/authorization.md >>> index 0e58b9b..189b70d 100644 >>> --- a/docs/authorization.md >>> +++ b/docs/authorization.md >>> @@ -131,6 +131,8 @@ entries, each representing an authorizable action: >>> |`view_framework`|UNIX user of whom executors can be >> viewed.|`Framework_Info` which can be viewed.|Filtering http endpoints.| >>> |`view_executor`|UNIX user of whom executors can be >> viewed.|`Executor_Info` and `Framework_Info` which can be viewed.|Filtering >> http endpoints.| >>> |`view_task`|UNIX user of whom tasks can be viewed.|(`Task` or >> `Task_Info`) and `Framework_Info` which can be viewed.|Filtering http >> endpoints.| >>> +|`access_sandboxes`|Operator username.|Operating system user whose >> executor/task sandboxes can be accessed.|Access task sandboxes.| >>> +|`access_mesos_logs`|Operator username.|Implicitly given. A user should >> only use types ANY and NONE to allow/deny access to the log.|Access Mesos >> logs.| >>> >>> ### Examples >>> >>> >>> >> http://git-wip-us.apache.org/repos/asf/mesos/blob/53b5164b/src/files/files.cpp >>> ---------------------------------------------------------------------- >>> diff --git a/src/files/files.cpp b/src/files/files.cpp >>> index 873664d..094a00c 100644 >>> --- a/src/files/files.cpp >>> +++ b/src/files/files.cpp >>> @@ -57,6 +57,7 @@ >>> using namespace process; >>> >>> using process::AUTHENTICATION; >>> +using process::AUTHORIZATION; >>> using process::DESCRIPTION; >>> using process::HELP; >>> using process::TLDR; 
>>> @@ -295,7 +296,16 @@ const string FilesProcess::BROWSE_HELP = HELP( >>> "Query parameters:", >>> "", >>> "> path=VALUE The path of directory to >> browse."), >>> - AUTHENTICATION(true)); >>> + AUTHENTICATION(true), >>> + AUTHORIZATION( >>> + "Browsing files requires that the request principal is ", >>> + "authorized to do so for the target virtual file path.", >>> + "", >>> + "Authorizers may categorize different virtual paths into", >>> + "different ACLs, e.g. logs in one and task sandboxes in", >>> + "another.", >>> + "", >>> + "See authorization documentation for details.")); >>> >>> >>> Future<bool> FilesProcess::authorize( >>> @@ -409,7 +419,16 @@ const string FilesProcess::READ_HELP = HELP( >>> "> offset=VALUE Value added to base address to >> obtain " >>> "a second address", >>> "> length=VALUE Length of file to read."), >>> - AUTHENTICATION(true)); >>> + AUTHENTICATION(true), >>> + AUTHORIZATION( >>> + "Reading files requires that the request principal is ", >>> + "authorized to do so for the target virtual file path.", >>> + "", >>> + "Authorizers may categorize different virtual paths into", >>> + "different ACLs, e.g. logs in one and task sandboxes in", >>> + "another.", >>> + "", >>> + "See authorization documentation for details.")); >>> >>> >>> Future<Response> FilesProcess::read( >>> @@ -585,7 +604,16 @@ const string FilesProcess::DOWNLOAD_HELP = HELP( >>> "Query parameters:", >>> "", >>> "> path=VALUE The path of directory to >> browse."), >>> - AUTHENTICATION(true)); >>> + AUTHENTICATION(true), >>> + AUTHORIZATION( >>> + "Downloading files requires that the request principal is ", >>> + "authorized to do so for the target virtual file path.", >>> + "", >>> + "Authorizers may categorize different virtual paths into", >>> + "different ACLs, e.g. logs in one and task sandboxes in", >>> + "another.", >>> + "", >>> + "See authorization documentation for details.")); >>> >>> >>> Future<Response> FilesProcess::download( >>> >>
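
Review bot: In the docs/authorization.md hunk, the added `access_mesos_logs` row tells operators to use only ANY and NONE for the object but does not say what happens when a specific value is configured instead; state that outcome in the row or in the section it points to, so a misconfigured ACL is not mistaken for a restriction that takes effect. In the `access_sandboxes` row both columns are usernames ("Operator username" and "Operating system user"), so a short phrase separating the requesting principal from the owner of the sandbox would make the row harder to misread.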
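
Review bot: In the AUTHORIZATION(...) text added to BROWSE_HELP, and repeated in READ_HELP and DOWNLOAD_HELP, the first string ends with a trailing space (`"...request principal is "`) while the later ones do not (`"...virtual paths into"`); pick one convention that matches how the pieces are joined, so the rendered help has neither stray nor missing whitespace. The text also never names the actions that gate these paths: mentioning `access_sandboxes` and `access_mesos_logs`, which the docs hunk introduces, would take a reader from the endpoint help straight to the ACL they need to configure. The three blocks differ only in their first word, so a shared constant would keep them from drifting apart.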
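
Review bot: In the DOWNLOAD_HELP hunk, the context line directly above the change still reads `path=VALUE The path of directory to browse.`, the same wording as in BROWSE_HELP; since this change already edits the download help, correct the parameter description there so the help for an endpoint that is now subject to authorization describes the path it actually takes.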