[
https://issues.apache.org/jira/browse/MESOS-5628?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15334837#comment-15334837
]
Michael Park edited comment on MESOS-5628 at 6/16/16 10:33 PM:
---------------------------------------------------------------
https://reviews.apache.org/r/48039
https://reviews.apache.org/r/48038/
https://reviews.apache.org/r/48040/
was (Author: mcypark):
https://reviews.apache.org/r/48039
> `QuotaHandler` should only make one authorization request to the authorizer.
> ----------------------------------------------------------------------------
>
> Key: MESOS-5628
> URL: https://issues.apache.org/jira/browse/MESOS-5628
> Project: Mesos
> Issue Type: Task
> Reporter: Michael Park
> Assignee: Michael Park
> Labels: mesosphere
>
> Currently, the {{QuotaHandler}} makes two authorization requests to the
> authorizer. For example, {{SetQuota}} and {{UpdateQuota}}. It then uses the
> following loop to determine its behavior.
> {code}
> foreach (bool authorized, authorizeResults) {
> if (!authorized) {
> return Forbidden();
> }
> }
> return _set(quotaInfo, forced);
> {code}
> This depends on the fact that {{LocalAuthorizer::authorized}} returns
> {{true}} when it receives a request it does not support. Considering that
> {{true}} as an answer to {{authorized}} means authorized, this is clearly
> incorrect. In general, this type of global invariant is difficult to keep in
> sync and correct.
> Another issue is that a seemingly innocent transformation of this loop would
> break the logic:
> {code}
> foreach (bool authorized, authorizeResults) {
> if (authorized) {
> return _set(quotaInfo, forced);
> }
> }
> return Forbidden();
> {code}
> Attempting to make multiple requests to the authorizer for an action and
> trying to combine the results is complicated. It would be much simpler to
> make one request per action.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
