> On March 24, 2014, 4:18 p.m., Benjamin Hindman wrote:
> > include/mesos/mesos.proto, line 486
> > <https://reviews.apache.org/r/18730/diff/6/?file=532713#file532713line486>
> >
> > Can you share this in JSON so we can get an idea of what it looks like?
>
> Vinod Kone wrote:
> I logged the JSON for each of the ACLs set in the tests. This is how it
> looks:
>
> [ RUN ] AuthorizationTest.AnyPrincipalRunAsUser
> I0325 01:28:10.681622 41814 authorization_tests.cpp:48]
> {"runs":[{"principals":{"type":"ANY"},"users":{"values":["guest"]}}]}
>
> [ RUN ] AuthorizationTest.NoPrincipalRunAsUser
> I0325 01:28:10.684216 41814 authorization_tests.cpp:68]
> {"runs":[{"principals":{"type":"NONE"},"users":{"values":["root"]}}]}
>
> [ RUN ] AuthorizationTest.PrincipalRunAsAnyUser
> I0325 01:28:10.685173 41814 authorization_tests.cpp:87]
> {"runs":[{"principals":{"values":["foo"]},"users":{"type":"ANY"}}]}
>
> [ RUN ] AuthorizationTest.AnyPrincipalRunAsAnyUser
> I0325 01:28:10.687325 41814 authorization_tests.cpp:107]
> {"runs":[{"principals":{"type":"ANY"},"users":{"type":"ANY"}}]}
>
> [ RUN ] AuthorizationTest.SomePrincipalsRunAsSomeUsers
> I0325 01:28:10.688889 41814 authorization_tests.cpp:129]
> {"runs":[{"principals":{"values":["foo","bar"]},"users":{"values":["user1","user2"]}}]}
>
> [ RUN ] AuthorizationTest.PrincipalRunAsSomeUserRestrictive
> I0325 01:28:10.692108 41814 authorization_tests.cpp:156]
> {"permissive":false,"runs":[{"principals":{"values":["foo"]},"users":{"values":["user1"]}}]}
>
> [ RUN ] AuthorizationTest.AnyPrincipalOfferedRole
> I0325 01:28:10.693452 41814 authorization_tests.cpp:179]
> {"offers":[{"principals":{"type":"ANY"},"roles":{"values":["*"]}}]}
>
> [ RUN ] AuthorizationTest.SomePrincipalsOfferedRole
> I0325 01:28:10.694710 41814 authorization_tests.cpp:200]
> {"offers":[{"principals":{"values":["foo","bar"]},"roles":{"values":["ads"]}}]}
>
> [ RUN ] AuthorizationTest.PrincipalOfferedRole
> I0325 01:28:10.695742 41814 authorization_tests.cpp:220]
> {"offers":[{"principals":{"values":["foo"]},"roles":{"values":["analytics"]}}]}
>
> [ RUN ] AuthorizationTest.PrincipalNotOfferedAnyRoleRestrictive
> I0325 01:28:10.696688 41814 authorization_tests.cpp:243]
> {"offers":[{"principals":{"values":["foo"]},"roles":{"values":["analytics"]}}],"permissive":false}
>
> [ RUN ] AuthorizationTest.AnyClientGETSomeURL
> I0325 01:28:10.697864 41814 authorization_tests.cpp:268]
> {"gets":[{"clients":{"type":"ANY"},"urls":{"values":["\/help"]}}]}
>
> [ RUN ] AuthorizationTest.SomeClientsPUTSomeURL
> I0325 01:28:10.698837 41814 authorization_tests.cpp:289]
> {"puts":[{"clients":{"values":["127.0.0.1","localhost"]},"urls":{"values":["\/admin"]}}]}
>
> [ RUN ] AuthorizationTest.NoClientGETPUTSomeURL
> I0325 01:28:10.700235 41814 authorization_tests.cpp:316]
> {"gets":[{"clients":{"type":"NONE"},"urls":{"values":["\/sshhh"]}}],"puts":[{"clients":{"type":"NONE"},"urls":{"values":["\/sshhh"]}}]}
>
> [ RUN ] AuthorizationTest.SomeClientsCannotGETAnyURL
> I0325 01:28:10.701879 41814 authorization_tests.cpp:339]
> {"gets":[{"clients":{"values":["127.0.0.1","localhost"]},"urls":{"type":"NONE"}}]}
>
> [ RUN ] AuthorizationTest.NoClientsCanGETPUTAnyURLRestrictive
> I0325 01:28:10.703636 41814 authorization_tests.cpp:359]
> {"permissive":false}
>
> Dominic Hamon wrote:
> Out of curiosity, I patched this to instead use repeated Client and
> Entity objects in the ACL messages, and changed the repeated 'values' to an
> optional value.
>
> The benefit: Consistency between 'type' and 'value' both being singular.
> The drawback: Verbosity.
>
> JSON:
>
> [ RUN ] AuthorizationTest.AnyPrincipalRunAsUser
> I0326 10:44:43.700340 9036 authorizer.hpp:262]
> {"runs":[{"principals":[{"type":"ANY"}],"users":[{"value":"guest"}]}]}
>
> [ RUN ] AuthorizationTest.NoPrincipalRunAsUser
> I0326 10:44:43.702419 9036 authorizer.hpp:262]
> {"runs":[{"principals":[{"type":"NONE"}],"users":[{"value":"root"}]}]}
>
> [ RUN ] AuthorizationTest.PrincipalRunAsAnyUser
> I0326 10:44:43.702764 9036 authorizer.hpp:262]
> {"runs":[{"principals":[{"value":"foo"}],"users":[{"type":"ANY"}]}]}
>
> [ RUN ] AuthorizationTest.AnyPrincipalRunAsAnyUser
> I0326 10:44:43.703035 9036 authorizer.hpp:262]
> {"runs":[{"principals":[{"type":"ANY"}],"users":[{"type":"ANY"}]}]}
>
> [ RUN ] AuthorizationTest.SomePrincipalsRunAsSomeUsers
> I0326 10:44:43.703289 9036 authorizer.hpp:262]
> {"runs":[{"principals":[{"value":"foo"},{"value":"bar"}],"users":[{"value":"user1"},{"value":"user2"}]}]}
>
> [ RUN ] AuthorizationTest.PrincipalRunAsSomeUserRestrictive
> I0326 10:44:43.703522 9036 authorizer.hpp:262]
> {"permissive":false,"runs":[{"principals":[{"value":"foo"}],"users":[{"value":"user1"}]}]}
>
> [ RUN ] AuthorizationTest.AnyPrincipalOfferedRole
> I0326 10:44:43.703752 9036 authorizer.hpp:262]
> {"offers":[{"principals":[{"type":"ANY"}],"roles":[{"value":"*"}]}]}
>
> [ RUN ] AuthorizationTest.SomePrincipalsOfferedRole
> I0326 10:44:43.703971 9036 authorizer.hpp:262]
> {"offers":[{"principals":[{"value":"foo"},{"value":"bar"}],"roles":[{"value":"ads"}]}]}
>
> [ RUN ] AuthorizationTest.PrincipalOfferedRole
> I0326 10:44:43.704205 9036 authorizer.hpp:262]
> {"offers":[{"principals":[{"value":"foo"}],"roles":[{"value":"analytics"}]}]}
>
> [ RUN ] AuthorizationTest.PrincipalNotOfferedAnyRoleRestrictive
> I0326 10:44:43.704409 9036 authorizer.hpp:262]
> {"offers":[{"principals":[{"value":"foo"}],"roles":[{"value":"analytics"}]}],"permissive":false}
>
> [ RUN ] AuthorizationTest.AnyClientGETSomeURL
> I0326 10:44:43.704653 9036 authorizer.hpp:262]
> {"gets":[{"clients":[{"type":"ANY"}],"urls":[{"value":"\/help"}]}]}
>
> [ RUN ] AuthorizationTest.SomeClientsPUTSomeURL
> I0326 10:44:43.704908 9036 authorizer.hpp:262]
> {"puts":[{"clients":[{"value":"127.0.0.1"},{"value":"localhost"}],"urls":[{"value":"\/admin"}]}]}
>
> [ RUN ] AuthorizationTest.NoClientGETPUTSomeURL
> I0326 10:44:43.705157 9036 authorizer.hpp:262]
> {"gets":[{"clients":[{"type":"NONE"}],"urls":[{"value":"\/sshhh"}]}],"puts":[{"clients":[{"type":"NONE"}],"urls":[{"value":"\/sshhh"}]}]}
>
> [ RUN ] AuthorizationTest.SomeClientsCannotGETAnyURL
> I0326 10:44:43.705448 9036 authorizer.hpp:262]
> {"gets":[{"clients":[{"value":"127.0.0.1"},{"value":"localhost"}],"urls":[{"type":"NONE"}]}]}
>
> [ RUN ] AuthorizationTest.NoClientsCanGETPUTAnyURLRestrictive
> I0326 10:44:43.705708 9036 authorizer.hpp:262] {"permissive":false}
>
Any chance you can change stringify() to be for human readable JSON (pretty printed)? We could add an explicit way to 'serialize' JSON for machines to read (no whitespace). Would be easier for us to read the JSON if you did this.

- Ben

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/18730/#review38304
-----------------------------------------------------------

On March 21, 2014, 11:44 p.m., Vinod Kone wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/18730/
> -----------------------------------------------------------
>
> (Updated March 21, 2014, 11:44 p.m.)
>
> Review request for mesos, Adam B, Benjamin Hindman, and Niklas Nielsen.
>
> Bugs: MESOS-911
> https://issues.apache.org/jira/browse/MESOS-911
>
> Repository: mesos-git
>
> Description
> -------
>
> See summary.
>
> Diffs
> -----
>
> include/mesos/mesos.proto 37f8a7fcd23d467b1274c46c405b836510afbd49
> src/Makefile.am 0775a0df293e945d41c7ba90fd1bbb503ae22f9e
> src/authorizer/authorizer.hpp PRE-CREATION
> src/tests/authorization_tests.cpp PRE-CREATION
> src/tests/master_contender_detector_tests.cpp
> 8da7420e18c7a960b566fae13a5975857eb777ee
>
> Diff: https://reviews.apache.org/r/18730/diff/
>
> Testing
> -------
>
> make check
>
> Thanks,
>
> Vinod Kone
>
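An added example, not part of the thread or of the Mesos code base: a Python sketch that reads ACL JSON from glog lines in the first logged shape (`type` / `values`), rewrites it into the repeated single-field shape from the second log, and renders it both compact and pretty-printed, the distinction Ben asks for. The function names are hypothetical; the two sample lines are taken from the quoted test output, with the wrapped JSON rejoined onto the log line.

```python
import json

# Sample input: two log lines from the quoted test output, each rejoined onto one line.
SAMPLE_LOG = r'''I0325 01:28:10.688889 41814 authorization_tests.cpp:129] {"runs":[{"principals":{"values":["foo","bar"]},"users":{"values":["user1","user2"]}}]}
I0325 01:28:10.700235 41814 authorization_tests.cpp:316] {"gets":[{"clients":{"type":"NONE"},"urls":{"values":["\/sshhh"]}}],"puts":[{"clients":{"type":"NONE"},"urls":{"values":["\/sshhh"]}}]}
'''

def acl_from_log_line(line):
    """Return the JSON object that follows the glog 'file:line] ' prefix."""
    _, sep, payload = line.partition("] ")
    if not sep:
        raise ValueError("no glog prefix found in line")
    return json.loads(payload)

def to_repeated_entity(entity):
    """{"type": T} or {"values": [...]} -> list of single-field objects."""
    out = []
    if "type" in entity:
        out.append({"type": entity["type"]})
    out.extend({"value": v} for v in entity.get("values", []))
    return out

def to_repeated_shape(acls):
    """Rewrite every ACL entry; scalars such as "permissive" pass through."""
    converted = {}
    for key, entries in acls.items():
        if isinstance(entries, list):
            converted[key] = [
                {field: to_repeated_entity(e) for field, e in entry.items()}
                for entry in entries
            ]
        else:
            converted[key] = entries
    return converted

def compact(obj):
    """Machine form: no whitespace between tokens."""
    return json.dumps(obj, separators=(",", ":"))

def pretty(obj):
    """Human form: indented, keys sorted so two ACL sets diff cleanly."""
    return json.dumps(obj, indent=2, sort_keys=True)

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        acls = acl_from_log_line(line)
        print(len(compact(acls)), len(compact(to_repeated_shape(acls))))
        print(pretty(to_repeated_shape(acls)))
```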
