> On March 24, 2014, 9:18 a.m., Benjamin Hindman wrote:
> > include/mesos/mesos.proto, line 486
> > <https://reviews.apache.org/r/18730/diff/6/?file=532713#file532713line486>
> >
> > Can you share this in JSON so we can get an idea of what it looks like?
>
> Vinod Kone wrote:
> I logged the JSON for each of the ACLs set in the tests. This is how it
> looks:
>
> [ RUN ] AuthorizationTest.AnyPrincipalRunAsUser
> I0325 01:28:10.681622 41814 authorization_tests.cpp:48]
> {"runs":[{"principals":{"type":"ANY"},"users":{"values":["guest"]}}]}
>
>
> [ RUN ] AuthorizationTest.NoPrincipalRunAsUser
> I0325 01:28:10.684216 41814 authorization_tests.cpp:68]
> {"runs":[{"principals":{"type":"NONE"},"users":{"values":["root"]}}]}
>
>
> [ RUN ] AuthorizationTest.PrincipalRunAsAnyUser
> I0325 01:28:10.685173 41814 authorization_tests.cpp:87]
> {"runs":[{"principals":{"values":["foo"]},"users":{"type":"ANY"}}]}
>
>
> [ RUN ] AuthorizationTest.AnyPrincipalRunAsAnyUser
> I0325 01:28:10.687325 41814 authorization_tests.cpp:107]
> {"runs":[{"principals":{"type":"ANY"},"users":{"type":"ANY"}}]}
>
> [ RUN ] AuthorizationTest.SomePrincipalsRunAsSomeUsers
> I0325 01:28:10.688889 41814 authorization_tests.cpp:129]
> {"runs":[{"principals":{"values":["foo","bar"]},"users":{"values":["user1","user2"]}}]}
>
>
> [ RUN ] AuthorizationTest.PrincipalRunAsSomeUserRestrictive
> I0325 01:28:10.692108 41814 authorization_tests.cpp:156]
> {"permissive":false,"runs":[{"principals":{"values":["foo"]},"users":{"values":["user1"]}}]}
>
>
> [ RUN ] AuthorizationTest.AnyPrincipalOfferedRole
> I0325 01:28:10.693452 41814 authorization_tests.cpp:179]
> {"offers":[{"principals":{"type":"ANY"},"roles":{"values":["*"]}}]}
>
>
> [ RUN ] AuthorizationTest.SomePrincipalsOfferedRole
> I0325 01:28:10.694710 41814 authorization_tests.cpp:200]
> {"offers":[{"principals":{"values":["foo","bar"]},"roles":{"values":["ads"]}}]}
>
> [ RUN ] AuthorizationTest.PrincipalOfferedRole
> I0325 01:28:10.695742 41814 authorization_tests.cpp:220]
> {"offers":[{"principals":{"values":["foo"]},"roles":{"values":["analytics"]}}]}
>
>
> [ RUN ] AuthorizationTest.PrincipalNotOfferedAnyRoleRestrictive
> I0325 01:28:10.696688 41814 authorization_tests.cpp:243]
> {"offers":[{"principals":{"values":["foo"]},"roles":{"values":["analytics"]}}],"permissive":false}
>
>
> [ RUN ] AuthorizationTest.AnyClientGETSomeURL
> I0325 01:28:10.697864 41814 authorization_tests.cpp:268]
> {"gets":[{"clients":{"type":"ANY"},"urls":{"values":["\/help"]}}]}
>
>
> [ RUN ] AuthorizationTest.SomeClientsPUTSomeURL
> I0325 01:28:10.698837 41814 authorization_tests.cpp:289]
> {"puts":[{"clients":{"values":["127.0.0.1","localhost"]},"urls":{"values":["\/admin"]}}]}
>
>
> [ RUN ] AuthorizationTest.NoClientGETPUTSomeURL
> I0325 01:28:10.700235 41814 authorization_tests.cpp:316]
> {"gets":[{"clients":{"type":"NONE"},"urls":{"values":["\/sshhh"]}}],"puts":[{"clients":{"type":"NONE"},"urls":{"values":["\/sshhh"]}}]}
>
>
> [ RUN ] AuthorizationTest.SomeClientsCannotGETAnyURL
> I0325 01:28:10.701879 41814 authorization_tests.cpp:339]
> {"gets":[{"clients":{"values":["127.0.0.1","localhost"]},"urls":{"type":"NONE"}}]}
>
>
> [ RUN ] AuthorizationTest.NoClientsCanGETPUTAnyURLRestrictive
> I0325 01:28:10.703636 41814 authorization_tests.cpp:359]
> {"permissive":false}
>
Out of curiosity, I patched this to instead use repeated Client and Entity
objects in the ACL messages, and changed the repeated 'values' to an optional
value.
The benefit: Consistency between 'type' and 'value' both being singular.
The drawback: Verbosity.
JSON:
[ RUN ] AuthorizationTest.AnyPrincipalRunAsUser
I0326 10:44:43.700340 9036 authorizer.hpp:262]
{"runs":[{"principals":[{"type":"ANY"}],"users":[{"value":"guest"}]}]}
[ RUN ] AuthorizationTest.NoPrincipalRunAsUser
I0326 10:44:43.702419 9036 authorizer.hpp:262]
{"runs":[{"principals":[{"type":"NONE"}],"users":[{"value":"root"}]}]}
[ RUN ] AuthorizationTest.PrincipalRunAsAnyUser
I0326 10:44:43.702764 9036 authorizer.hpp:262]
{"runs":[{"principals":[{"value":"foo"}],"users":[{"type":"ANY"}]}]}
[ RUN ] AuthorizationTest.AnyPrincipalRunAsAnyUser
I0326 10:44:43.703035 9036 authorizer.hpp:262]
{"runs":[{"principals":[{"type":"ANY"}],"users":[{"type":"ANY"}]}]}
[ RUN ] AuthorizationTest.SomePrincipalsRunAsSomeUsers
I0326 10:44:43.703289 9036 authorizer.hpp:262]
{"runs":[{"principals":[{"value":"foo"},{"value":"bar"}],"users":[{"value":"user1"},{"value":"user2"}]}]}
[ RUN ] AuthorizationTest.PrincipalRunAsSomeUserRestrictive
I0326 10:44:43.703522 9036 authorizer.hpp:262]
{"permissive":false,"runs":[{"principals":[{"value":"foo"}],"users":[{"value":"user1"}]}]}
[ RUN ] AuthorizationTest.AnyPrincipalOfferedRole
I0326 10:44:43.703752 9036 authorizer.hpp:262]
{"offers":[{"principals":[{"type":"ANY"}],"roles":[{"value":"*"}]}]}
[ RUN ] AuthorizationTest.SomePrincipalsOfferedRole
I0326 10:44:43.703971 9036 authorizer.hpp:262]
{"offers":[{"principals":[{"value":"foo"},{"value":"bar"}],"roles":[{"value":"ads"}]}]}
[ RUN ] AuthorizationTest.PrincipalOfferedRole
I0326 10:44:43.704205 9036 authorizer.hpp:262]
{"offers":[{"principals":[{"value":"foo"}],"roles":[{"value":"analytics"}]}]}
[ RUN ] AuthorizationTest.PrincipalNotOfferedAnyRoleRestrictive
I0326 10:44:43.704409 9036 authorizer.hpp:262]
{"offers":[{"principals":[{"value":"foo"}],"roles":[{"value":"analytics"}]}],"permissive":false}
[ RUN ] AuthorizationTest.AnyClientGETSomeURL
I0326 10:44:43.704653 9036 authorizer.hpp:262]
{"gets":[{"clients":[{"type":"ANY"}],"urls":[{"value":"\/help"}]}]}
[ RUN ] AuthorizationTest.SomeClientsPUTSomeURL
I0326 10:44:43.704908 9036 authorizer.hpp:262]
{"puts":[{"clients":[{"value":"127.0.0.1"},{"value":"localhost"}],"urls":[{"value":"\/admin"}]}]}
[ RUN ] AuthorizationTest.NoClientGETPUTSomeURL
I0326 10:44:43.705157 9036 authorizer.hpp:262]
{"gets":[{"clients":[{"type":"NONE"}],"urls":[{"value":"\/sshhh"}]}],"puts":[{"clients":[{"type":"NONE"}],"urls":[{"value":"\/sshhh"}]}]}
[ RUN ] AuthorizationTest.SomeClientsCannotGETAnyURL
I0326 10:44:43.705448 9036 authorizer.hpp:262]
{"gets":[{"clients":[{"value":"127.0.0.1"},{"value":"localhost"}],"urls":[{"type":"NONE"}]}]}
[ RUN ] AuthorizationTest.NoClientsCanGETPUTAnyURLRestrictive
I0326 10:44:43.705708 9036 authorizer.hpp:262] {"permissive":false}
- Dominic
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/18730/#review38304
-----------------------------------------------------------
On March 21, 2014, 4:44 p.m., Vinod Kone wrote:
>
> (Updated March 21, 2014, 4:44 p.m.)
>
>
> Review request for mesos, Adam B, Benjamin Hindman, and Niklas Nielsen.
>
>
> Bugs: MESOS-911
> https://issues.apache.org/jira/browse/MESOS-911
>
>
> Repository: mesos-git
>
>
> Description
> -------
>
> See summary.
>
>
> Diffs
> -----
>
> include/mesos/mesos.proto 37f8a7fcd23d467b1274c46c405b836510afbd49
> src/Makefile.am 0775a0df293e945d41c7ba90fd1bbb503ae22f9e
> src/authorizer/authorizer.hpp PRE-CREATION
> src/tests/authorization_tests.cpp PRE-CREATION
> src/tests/master_contender_detector_tests.cpp
> 8da7420e18c7a960b566fae13a5975857eb777ee
>
> Diff: https://reviews.apache.org/r/18730/diff/
>
>
> Testing
> -------
>
> make check
>
>
> Thanks,
>
> Vinod Kone
>
>
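The two ACL encodings compared in this thread, converted in both directions. This is an added example, not part of the e-mails or of the Mesos patch: the function names are hypothetical, and rejecting empty or mixed wildcard/explicit entity lists is a choice made here, not documented Mesos behaviour.

```python
import json

ACTION_KEYS = ("runs", "offers", "gets", "puts")  # ACL lists seen in the logs

def to_repeated(entity):
    """{"type": T} or {"values": [...]} -> [{"type": T}] or [{"value": v}, ...]."""
    if "type" in entity and "values" in entity:
        raise ValueError("entity sets both 'type' and 'values'")
    if "type" in entity:
        return [{"type": entity["type"]}]
    if not entity.get("values"):
        raise ValueError("entity has neither 'type' nor any 'values'")
    return [{"value": v} for v in entity["values"]]

def to_compact(items):
    """Inverse of to_repeated. Rejecting mixed/empty lists is this example's choice."""
    types = [i["type"] for i in items if "type" in i]
    values = [i["value"] for i in items if "value" in i]
    if not items or len(types) + len(values) != len(items):
        raise ValueError("each item needs exactly one of 'type' or 'value'")
    if types and (values or len(types) > 1):
        raise ValueError("a wildcard type cannot be combined with other items")
    return {"type": types[0]} if types else {"values": values}

def convert(acls, fn):
    """Apply fn to every entity of every ACL; pass other keys ("permissive") through."""
    return {key: ([{f: fn(e) for f, e in acl.items()} for acl in val]
                  if key in ACTION_KEYS else val)
            for key, val in acls.items()}

def encoded_len(obj):
    """Length of the compact JSON serialization, to compare verbosity."""
    return len(json.dumps(obj, separators=(",", ":")))

# Two of the logged ACLs, copied from the first (compact) listing in the thread.
SAMPLES = [
    '{"runs":[{"principals":{"values":["foo","bar"]},"users":{"values":["user1","user2"]}}]}',
    '{"permissive":false,"runs":[{"principals":{"values":["foo"]},"users":{"values":["user1"]}}]}',
]

if __name__ == "__main__":
    for text in SAMPLES:
        compact = json.loads(text)
        repeated = convert(compact, to_repeated)
        assert convert(repeated, to_compact) == compact  # lossless round trip
        print(encoded_len(compact), "->", encoded_len(repeated), json.dumps(repeated))
```
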