Good point. Vinod was working on the endpoints script right next to me, but
I guess he did his pre-release run before I committed Alexander's change.
We'll have to do another run before rc2.

On Mon, Jun 6, 2016 at 5:36 AM, Neil Conway <neil.con...@gmail.com> wrote:

> FYI, this commit should have included the changes produced by
> re-running the `generate-endpoint.py` script.
>
> Neil
>
> On Wed, Jun 1, 2016 at 8:26 AM,  <m...@apache.org> wrote:
> > Repository: mesos
> > Updated Branches:
> >   refs/heads/master 5263a6211 -> 53b5164bb
> >
> >
> > Added documentation for access_sandboxes and access_mesos_logs acls.
> >
> > Modifies the file `acls.proto` to take into consideration the added
> > authorization actions `access_sandboxes` and `access_mesos_logs`.
> >
> > Review: https://reviews.apache.org/r/48048/
> >
> >
> > Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
> > Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/53b5164b
> > Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/53b5164b
> > Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/53b5164b
> >
> > Branch: refs/heads/master
> > Commit: 53b5164bb51ebe850dec5ab19b8382f5c4a59391
> > Parents: 5263a62
> > Author: Alexander Rojas <alexan...@mesosphere.io>
> > Authored: Tue May 31 23:20:50 2016 -0700
> > Committer: Adam B <a...@mesosphere.io>
> > Committed: Tue May 31 23:24:55 2016 -0700
> >
> > ----------------------------------------------------------------------
> >  docs/authorization.md |  2 ++
> >  src/files/files.cpp   | 34 +++++++++++++++++++++++++++++++---
> >  2 files changed, 33 insertions(+), 3 deletions(-)
> > ----------------------------------------------------------------------
> >
> >
> >
> http://git-wip-us.apache.org/repos/asf/mesos/blob/53b5164b/docs/authorization.md
> > ----------------------------------------------------------------------
> > diff --git a/docs/authorization.md b/docs/authorization.md
> > index 0e58b9b..189b70d 100644
> > --- a/docs/authorization.md
> > +++ b/docs/authorization.md
> > @@ -131,6 +131,8 @@ entries, each representing an authorizable action:
> >  |`view_framework`|UNIX user of whom executors can be
> viewed.|`Framework_Info` which can be viewed.|Filtering http endpoints.|
> >  |`view_executor`|UNIX user of whom executors can be
> viewed.|`Executor_Info` and `Framework_Info` which can be viewed.|Filtering
> http endpoints.|
> >  |`view_task`|UNIX user of whom tasks can be viewed.|(`Task` or
> `Task_Info`) and `Framework_Info` which can be viewed.|Filtering http
> endpoints.|
> > +|`access_sandboxes`|Operator username.|Operating system user whose
> executor/task sandboxes can be accessed.|Access task sandboxes.|
> > +|`access_mesos_logs`|Operator username.|Implicitly given. A user should
> only use types ANY and NONE to allow/deny access to the log.|Access Mesos
> logs.|
> >
> >  ### Examples
> >
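
Review bot: in the added `access_mesos_logs` row, the object column opens with "Implicitly given.", which does not say what the object actually is. Suggest naming it directly (the Mesos log) and then keeping the sentence about using only ANY and NONE, so the row reads like the `access_sandboxes` row above it. Both new rows also describe the subject as "Operator username." while the existing rows in the visible context use the "UNIX user ..." wording; a short sentence below the table on how the two differ would avoid readers assuming they are the same kind of identity.
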
> >
> >
> http://git-wip-us.apache.org/repos/asf/mesos/blob/53b5164b/src/files/files.cpp
> > ----------------------------------------------------------------------
> > diff --git a/src/files/files.cpp b/src/files/files.cpp
> > index 873664d..094a00c 100644
> > --- a/src/files/files.cpp
> > +++ b/src/files/files.cpp
> > @@ -57,6 +57,7 @@
> >  using namespace process;
> >
> >  using process::AUTHENTICATION;
> > +using process::AUTHORIZATION;
> >  using process::DESCRIPTION;
> >  using process::HELP;
> >  using process::TLDR;
> > @@ -295,7 +296,16 @@ const string FilesProcess::BROWSE_HELP = HELP(
> >          "Query parameters:",
> >          "",
> >          ">        path=VALUE          The path of directory to
> browse."),
> > -    AUTHENTICATION(true));
> > +    AUTHENTICATION(true),
> > +    AUTHORIZATION(
> > +        "Browsing files requires that the request principal is ",
> > +        "authorized to do so for the target virtual file path.",
> > +        "",
> > +        "Authorizers may categorize different virtual paths into",
> > +        "different ACLs, e.g. logs in one and task sandboxes in",
> > +        "another.",
> > +        "",
> > +        "See authorization documentation for details."));
> >
> >
> >  Future<bool> FilesProcess::authorize(
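
Review bot: the first literal in the new AUTHORIZATION block, "Browsing files requires that the request principal is ", ends with a trailing space, while every other literal in the block ("Authorizers may categorize different virtual paths into", "different ACLs, e.g. logs in one and task sandboxes in") does not. How AUTHORIZATION joins its arguments is not visible in this hunk, but one of the two conventions produces either a stray trailing space or run-together words in the rendered help. Suggest making the literals consistent with the ones already used in the DESCRIPTION arguments of this file.
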
> > @@ -409,7 +419,16 @@ const string FilesProcess::READ_HELP = HELP(
> >          ">        offset=VALUE        Value added to base address to
> obtain "
> >          "a second address",
> >          ">        length=VALUE        Length of file to read."),
> > -    AUTHENTICATION(true));
> > +    AUTHENTICATION(true),
> > +    AUTHORIZATION(
> > +        "Reading files requires that the request principal is ",
> > +        "authorized to do so for the target virtual file path.",
> > +        "",
> > +        "Authorizers may categorize different virtual paths into",
> > +        "different ACLs, e.g. logs in one and task sandboxes in",
> > +        "another.",
> > +        "",
> > +        "See authorization documentation for details."));
> >
> >
> >  Future<Response> FilesProcess::read(
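
Review bot: the AUTHORIZATION text added to READ_HELP is identical to the BROWSE_HELP and DOWNLOAD_HELP blocks except for the leading verb ("Reading" vs. "Browsing" / "Downloading"), so three copies now have to be kept in sync. Suggest building it from one shared helper or constant that takes the verb. The closing line "See authorization documentation for details." would also be more useful if it named the two actions this commit documents, `access_sandboxes` and `access_mesos_logs`, since those are what an operator needs to look up.
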
> > @@ -585,7 +604,16 @@ const string FilesProcess::DOWNLOAD_HELP = HELP(
> >          "Query parameters:",
> >          "",
> >          ">        path=VALUE          The path of directory to
> browse."),
> > -    AUTHENTICATION(true));
> > +    AUTHENTICATION(true),
> > +    AUTHORIZATION(
> > +        "Downloading files requires that the request principal is ",
> > +        "authorized to do so for the target virtual file path.",
> > +        "",
> > +        "Authorizers may categorize different virtual paths into",
> > +        "different ACLs, e.g. logs in one and task sandboxes in",
> > +        "another.",
> > +        "",
> > +        "See authorization documentation for details."));
> >
> >
> >  Future<Response> FilesProcess::download(
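
Review bot: the unchanged context directly above the new AUTHORIZATION block in DOWNLOAD_HELP still reads "path=VALUE          The path of directory to browse.", which is the BROWSE_HELP wording and does not describe a download. Since this hunk already touches the help text for the endpoint, suggest correcting that parameter description in the same change so the generated endpoint documentation for download is accurate in both its parameter and authorization sections.
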
> >
>
