I think we should also think more thoroughly about the expected behaviour
when we introduce new authorizable actions (and we most certainly will).
Since things may break particularly if users set the `permissive` ACL field
to false.
Perhaps initially, if no ACL is given for the new action we print a warning
message and behave as if the field had an ACL such as
```
{
"principals": {"type": "ANY"}
"action":{"type": "ANY"}
}
```
which effectively set a permissive rule for that action. The advantage is
that
it will give time for users to update the ACLs, the disadvantage is that we
would be introducing incorrect semantics (if temporarily).
The other idea would be to detect `permissive=false` and no ACLs given
for the new action and print a warning message about possible breaks
because of a change in the system, but no change in behaviour.
Any other ideas?
On Wed, Jun 8, 2016 at 1:30 AM, Greg Mann <g...@mesosphere.io> wrote:
> Hi Evers,
> Thanks for testing this out! We should have called out this change more
> explicitly in the changelog; I've posted a patch here
> <https://reviews.apache.org/r/48380/> to do that.
>
> Adding documentation with guidance on how to set ACLs to accomplish
> particular tasks (i.e., full use of the web UI) would be beneficial as
> well, but seems out of scope for the release notes. I've created a JIRA to
> update the authorization documentation here
> <https://issues.apache.org/jira/browse/MESOS-5564>.
>
> Cheers,
> Greg
>
>
> On Mon, Jun 6, 2016 at 2:28 AM, Evers Benno <ben...@yandex-team.ru> wrote:
>
> > Hi,
> >
> > thanks for the pointer. For people having the same problem, it seems
> > that you have to actually provide six new ACL rules to restore the
> > previous behaviour:
> >
> > get_endpoints, view_frameworks, view_tasks, view_executors,
> > access_sandboxes, and access_mesos_logs.
> >
> > On 03.06.2016 21:59, Michael Park wrote:
> > > Hello, I'm not exactly sure about whether the behavior is undesired or
> > not.
> > >
> > > But I think the ACL that you're missing is `GetEndpoint`:
> > >
> >
> https://github.com/apache/mesos/blob/master/include/mesos/authorizer/acls.proto#L183-L190
> > >
> > > Hope that helps,
> > >
> > > MPark
> > >
> > > On 3 June 2016 at 12:36, Evers Benno <ben...@yandex-team.ru> wrote:
> > >
> > >>
> > >> I just tried building and running the 1.0.0-rc1, and it seems that the
> > >> web UI is broken due to /metrics/snapshot returning a 403. (There's a
> > >> popup continously displaying "Failed to connect to
> > >> mesos-master.example.org:5050!"
> > >>
> > >> I'm running mesos-master with options `--no-authenticate_http
> > >> --acls={"permissive": "false", [...]}`, so I'm not completely sure if
> > >> this behaviour is as desired or not. (although its certainly
> unexpected)
> > >>
> > >> Regardless, I looked around for a while, but I couldn't figure out
> what
> > >> to add to the ACL to restore unauthorized viewing access for everyone?
> > >>
> > >> Best regards,
> > >> Benno
> > >>
> > >
> >
>
