[
https://issues.apache.org/jira/browse/MESOS-5153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15303834#comment-15303834
]
Adam B commented on MESOS-5153:
-------------------------------
commit bcdc1d151a0423593ea39411519165a1b6e900ff
Author: Alexander Rojas <[email protected]>
Date: Fri May 27 01:00:09 2016 -0700
Enabled authorization for sandboxes.
Enables authorization of the sandboxes using the callback function
parameter of `Files::attach()`.
It also adds relevant ACLs and support on the authorizer interface.
Review: https://reviews.apache.org/r/47795/
commit 62150e441540c93e3f7dcbaed98679bf81c14c94
Author: Alexander Rojas <[email protected]>
Date: Fri May 27 00:49:20 2016 -0700
Added authorization support for mesos::internal::Files.
Adds an optional parameter to the `mesos::internal::Files::attach()`
method. The type of this parameter is a callable object which returns
a future to a boolean and takes as parameter an optional string
representing a principal name.
The parameter is called, if set, whenever one of the routed endpoints
of the `Files` object is accessed through HTTP. If the callable object
returns a false boolean, then processing of the request is aborted
and a `403 Forbidden` response is returned.
Review: https://reviews.apache.org/r/47794/
> Sandboxes contents should be protected from unauthorized users
> --------------------------------------------------------------
>
> Key: MESOS-5153
> URL: https://issues.apache.org/jira/browse/MESOS-5153
> Project: Mesos
> Issue Type: Bug
> Components: security, slave
> Reporter: Alexander Rojas
> Assignee: Alexander Rojas
> Labels: mesosphere, security
> Fix For: 0.29.0
>
>
> MESOS-4956 introduced authentication support for the sandboxes. However,
> authentication can only go as far as to tell whether an user is known to
> mesos or not. An extra additional step is necessary to verify whether the
> known user is allowed to executed the requested operation on the sandbox
> (browse, read, download, debug).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)