FYI, this commit should have included the changes produced by
re-running the `generate-endpoint.py` script.

Neil

On Wed, Jun 1, 2016 at 8:26 AM,  <[email protected]> wrote:
> Repository: mesos
> Updated Branches:
>   refs/heads/master 5263a6211 -> 53b5164bb
>
>
> Added documentation for access_sandboxes and access_mesos_logs acls.
>
> Modifies the file `acls.proto` to take into consideration the added
> authorization actions `access_sandboxes` and `access_mesos_logs`.
>
> Review: https://reviews.apache.org/r/48048/
>
>
> Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
> Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/53b5164b
> Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/53b5164b
> Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/53b5164b
>
> Branch: refs/heads/master
> Commit: 53b5164bb51ebe850dec5ab19b8382f5c4a59391
> Parents: 5263a62
> Author: Alexander Rojas <[email protected]>
> Authored: Tue May 31 23:20:50 2016 -0700
> Committer: Adam B <[email protected]>
> Committed: Tue May 31 23:24:55 2016 -0700
>
> ----------------------------------------------------------------------
>  docs/authorization.md |  2 ++
>  src/files/files.cpp   | 34 +++++++++++++++++++++++++++++++---
>  2 files changed, 33 insertions(+), 3 deletions(-)
> ----------------------------------------------------------------------
>
>
> http://git-wip-us.apache.org/repos/asf/mesos/blob/53b5164b/docs/authorization.md
> ----------------------------------------------------------------------
> diff --git a/docs/authorization.md b/docs/authorization.md
> index 0e58b9b..189b70d 100644
> --- a/docs/authorization.md
> +++ b/docs/authorization.md
> @@ -131,6 +131,8 @@ entries, each representing an authorizable action:
>  |`view_framework`|UNIX user of whom executors can be 
> viewed.|`Framework_Info` which can be viewed.|Filtering http endpoints.|
>  |`view_executor`|UNIX user of whom executors can be viewed.|`Executor_Info` 
> and `Framework_Info` which can be viewed.|Filtering http endpoints.|
>  |`view_task`|UNIX user of whom tasks can be viewed.|(`Task` or `Task_Info`) 
> and `Framework_Info` which can be viewed.|Filtering http endpoints.|
> +|`access_sandboxes`|Operator username.|Operating system user whose 
> executor/task sandboxes can be accessed.|Access task sandboxes.|
> +|`access_mesos_logs`|Operator username.|Implicitly given. A user should only 
> use types ANY and NONE to allow/deny access to the log.|Access Mesos logs.|
>
>  ### Examples
>
>
> http://git-wip-us.apache.org/repos/asf/mesos/blob/53b5164b/src/files/files.cpp
> ----------------------------------------------------------------------
> diff --git a/src/files/files.cpp b/src/files/files.cpp
> index 873664d..094a00c 100644
> --- a/src/files/files.cpp
> +++ b/src/files/files.cpp
> @@ -57,6 +57,7 @@
>  using namespace process;
>
>  using process::AUTHENTICATION;
> +using process::AUTHORIZATION;
>  using process::DESCRIPTION;
>  using process::HELP;
>  using process::TLDR;
> @@ -295,7 +296,16 @@ const string FilesProcess::BROWSE_HELP = HELP(
>          "Query parameters:",
>          "",
>          ">        path=VALUE          The path of directory to browse."),
> -    AUTHENTICATION(true));
> +    AUTHENTICATION(true),
> +    AUTHORIZATION(
> +        "Browsing files requires that the request principal is ",
> +        "authorized to do so for the target virtual file path.",
> +        "",
> +        "Authorizers may categorize different virtual paths into",
> +        "different ACLs, e.g. logs in one and task sandboxes in",
> +        "another.",
> +        "",
> +        "See authorization documentation for details."));
>
>
>  Future<bool> FilesProcess::authorize(
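Review bot: The AUTHORIZATION text added to BROWSE_HELP points operators to "authorization documentation" without naming the ACL actions that gate the endpoint. Judging from the docs/authorization.md hunk in this commit these are presumably `access_sandboxes` and `access_mesos_logs`; naming them lets an operator go from the endpoint help straight to the rule to configure, e.g. `"See the access_sandboxes and access_mesos_logs ACLs in the",` followed by `"authorization documentation for details."`. The same applies to the identical text in the READ_HELP and DOWNLOAD_HELP hunks. The first string in each of the three blocks also ends in a trailing space (`"...request principal is ",`) while the other lines do not, which is stray if AUTHORIZATION joins its arguments line by line as the layout suggests. The HELP(...) call opens above this hunk and FilesProcess::authorize continues below it, so what a denied request returns cannot be confirmed from here, but it would be worth one line in the help text.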
> @@ -409,7 +419,16 @@ const string FilesProcess::READ_HELP = HELP(
>          ">        offset=VALUE        Value added to base address to obtain "
>          "a second address",
>          ">        length=VALUE        Length of file to read."),
> -    AUTHENTICATION(true));
> +    AUTHENTICATION(true),
> +    AUTHORIZATION(
> +        "Reading files requires that the request principal is ",
> +        "authorized to do so for the target virtual file path.",
> +        "",
> +        "Authorizers may categorize different virtual paths into",
> +        "different ACLs, e.g. logs in one and task sandboxes in",
> +        "another.",
> +        "",
> +        "See authorization documentation for details."));
>
>
>  Future<Response> FilesProcess::read(
> @@ -585,7 +604,16 @@ const string FilesProcess::DOWNLOAD_HELP = HELP(
>          "Query parameters:",
>          "",
>          ">        path=VALUE          The path of directory to browse."),
> -    AUTHENTICATION(true));
> +    AUTHENTICATION(true),
> +    AUTHORIZATION(
> +        "Downloading files requires that the request principal is ",
> +        "authorized to do so for the target virtual file path.",
> +        "",
> +        "Authorizers may categorize different virtual paths into",
> +        "different ACLs, e.g. logs in one and task sandboxes in",
> +        "another.",
> +        "",
> +        "See authorization documentation for details."));
>
>
>  Future<Response> FilesProcess::download(
>
