[
https://issues.apache.org/jira/browse/MESOS-5628?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Park updated MESOS-5628:
--------------------------------
Fix Version/s: 1.0.0
> `QuotaHandler` should only make one authorization request to the authorizer.
> ----------------------------------------------------------------------------
>
> Key: MESOS-5628
> URL: https://issues.apache.org/jira/browse/MESOS-5628
> Project: Mesos
> Issue Type: Task
> Reporter: Michael Park
> Assignee: Michael Park
> Labels: mesosphere
> Fix For: 1.0.0
>
>
> Currently, the {{QuotaHandler}} makes two authorization requests to the
> authorizer. For example, {{SetQuota}} and {{UpdateQuota}}. It then uses the
> following loop to determine its behavior.
> {code}
> foreach (bool authorized, authorizeResults) {
> if (!authorized) {
> return Forbidden();
> }
> }
> return _set(quotaInfo, forced);
> {code}
> This depends on the fact that {{LocalAuthorizer::authorized}} returns
> {{true}} when it receives a request it does not support. Considering that
> {{true}} as an answer to {{authorized}} means authorized, this is clearly
> incorrect. In general, this type of global invariant is difficult to keep in
> sync and correct.
> Another issue is that a seemingly innocent transformation of this loop would
> break the logic:
> {code}
> foreach (bool authorized, authorizeResults) {
> if (authorized) {
> return _set(quotaInfo, forced);
> }
> }
> return Forbidden();
> {code}
> Attempting to make multiple requests to the authorizer for an action and
> trying to combine the results is complicated. It would be much simpler to
> make one request per action.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
