[ 
https://issues.apache.org/jira/browse/MESOS-5746?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Greg Mann updated MESOS-5746:
-----------------------------
    Description: 
I ran Mesos master with this script:
{code}
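#! /usr/bin/env bash
#
# Reproduction script: starts a Mesos master with HTTP authentication enabled
# and a non-permissive ACL file, using throwaway test credentials.

# Stop at the first failed command or unset variable so the master is never
# launched against a missing or half-written credentials/ACL file.
set -euo pipefail

# Start from an empty work/log tree.
rm -rf -- /tmp/mesos/*

# Credentials: one "principal secret" pair per line, stored in plaintext.
# The file is created owner-only. The umask change is confined to a subshell
# so the master started below still inherits the caller's umask, and the
# chmod covers a pre-existing file (truncating with '>' keeps the old mode).
# NOTE(review): a fixed file name under /tmp is only acceptable on a
# single-user test machine.
(
  umask 077
  cat <<'EOF' > /tmp/credentials.txt
foo bar
baz bar
EOF
)
chmod 600 /tmp/credentials.txt

# ACLs: with "permissive": false, a request that matches no rule is denied.
# Every rule below names principal "foo" only, so "baz" can authenticate but
# is granted none of these actions.
# NOTE(review): "access_mesos_logs" appears twice in this object with the same
# rule. It is kept exactly as reported, but how duplicate keys are handled
# depends on the JSON parser.
# The delimiter is quoted so the shell never expands anything in the policy.
cat <<'EOF' > /tmp/acls.json
{
  "permissive": false,
  "access_mesos_logs" : [
    {
      "principals" : { "values" : ["foo"] },
      "logs" : { "type" : "ANY" }
    }
  ],
  "register_frameworks" : [
    {
      "principals" : { "values" : ["foo"] },
      "roles" : { "type" : "ANY" }
    }
  ],
  "run_tasks" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "type" : "ANY" }
    }
  ],
  "get_endpoints" : [
    {
      "principals" : { "values" : ["foo"] },
      "paths" : { "type" : "ANY" }
    }
  ],
  "view_frameworks" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "type" : "ANY" }
    }
  ],
  "view_tasks" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "type" : "ANY" }
    }
  ],
  "view_executors" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "type" : "ANY" }
    }
  ],
  "access_sandboxes" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "type" : "ANY" }
    }
  ],
  "access_mesos_logs" : [
    {
      "principals" : { "values" : ["foo"] },
      "logs" : { "type" : "ANY" }
    }
  ],
  "get_quotas" : [
    {
      "principals" : { "values" : ["foo"] },
      "roles" : { "type" : "ANY" }
    }
  ]
}
EOF

# Verbose logging, so authentication and authorization decisions show up in
# the master log while reproducing the issue.
export GLOG_v=2
export MESOS_VERBOSE=1

# --authenticate_http requires credentials on HTTP endpoints; --credentials
# and --acls point at the two files written above.
./bin/mesos-master.sh --work_dir=/tmp/mesos/master \
                      --authenticate_http \
                      --credentials=file:///tmp/credentials.txt \
                      --acls=file:///tmp/acls.json \
                      --log_dir=/tmp/mesos/logs/master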
{code}
and ran the agent with this script:
{code}
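#! /usr/bin/env bash
#
# Reproduction script: starts a Mesos agent with HTTP authentication enabled
# and its own, much smaller, non-permissive ACL file.

# Stop at the first failed command or unset variable so the agent is never
# launched against a missing or half-written credentials/ACL file.
set -euo pipefail

# Credentials: one "principal secret" pair per line, stored in plaintext.
# Created owner-only inside a subshell so the agent keeps the caller's umask.
# The chmod covers a pre-existing file (truncating with '>' keeps its mode).
# NOTE(review): this is the same path the master script writes. The contents
# match here, but a shared fixed path under /tmp is easy to clobber.
(
  umask 077
  cat <<'EOF' > /tmp/credentials.txt
foo bar
baz bar
EOF
)
chmod 600 /tmp/credentials.txt

# Agent ACLs. NOTE(review): this overwrites /tmp/acls.json, the path the
# master script also uses, with a different and far smaller policy. If the
# master re-reads the file after this point it will see the agent policy.
# NOTE(review): the only rule is keyed "access_mesos_log", whereas the master
# file spells it "access_mesos_logs". Confirm which spelling the ACL parser
# accepts. With "permissive": false and no view_frameworks, view_executors or
# access_sandboxes rule here, the agent presumably authorizes none of those
# actions for "foo". That would be consistent with /state answering 200 OK
# while omitting the framework, so rule it out before blaming the web UI.
cat <<'EOF' > /tmp/acls.json
{
  "permissive": false,
  "access_mesos_log" : [
    {
      "principals" : { "values" : ["foo"] },
      "logs" : { "type" : "ANY" }
    }
  ]
}
EOF

# Verbose logging, so authorization decisions show up in the agent log.
export GLOG_v=2
export MESOS_VERBOSE=1

# The agent takes its HTTP credentials through --http_credentials (the master
# script uses --credentials); --acls points at the file written above.
./bin/mesos-slave.sh --work_dir=/tmp/mesos/agent \
                     --master=127.0.0.1:5050 \
                     --authenticate_http \
                     --http_credentials=file:///tmp/credentials.txt \
                     --acls=file:///tmp/acls.json \
                     --log_dir=/tmp/mesos/logs/agent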
{code}

And then ran the long-lived framework with {{src/long-lived-framework 
--master=127.0.0.1:5050 --principal=foo --secret=bar}}. When attempting to 
click on "Sandbox" links in the Mesos web UI, I see the error {{Framework with 
ID 'd2735ff3-52ac-467a-b8eb-6bd7a119ee32-0000' does not exist on agent with ID 
'd2735ff3-52ac-467a-b8eb-6bd7a119ee32-S0'.}} (screenshot attached). Looking at 
Chrome devtools, I don't see any non-200 return codes in HTTP responses. Each 
click on "Sandbox" produces a single request to the agent's {{/state}} 
endpoint, which returns 200 OK.

I verified that the sandbox links work as expected when authorization is not 
enabled.

  was:
I ran Mesos master with this script:
{code}
#! /usr/bin/env bash

# Clear any previous state under /tmp/mesos before starting the master.
rm -rf /tmp/mesos/*

# Test credentials: one "principal secret" pair per line, in plaintext.
# NOTE(review): written to a fixed path in /tmp with the default umask, so
# other local users can typically read the secrets.
cat <<EOF > /tmp/credentials.txt
foo bar
baz bar
EOF

# ACL policy for the master. "permissive": false denies any request that no
# rule matches; every rule below is granted to principal "foo" only.
# NOTE(review): the key "access_mesos_logs" occurs twice with identical
# content. Duplicate-key handling is parser-dependent.
cat <<EOF > /tmp/acls.json
{
  "permissive": false,
  "access_mesos_logs" : [
    {
      "principals" : { "values" : ["foo"] },
      "logs" : { "type" : "ANY" }
    }
  ],
  "register_frameworks" : [
    {
      "principals" : { "values" : ["foo"] },
      "roles" : { "type" : "ANY" }
    }
  ],
  "run_tasks" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "type" : "ANY" }
    }
  ],
  "get_endpoints" : [
    {
      "principals" : { "values" : ["foo"] },
      "paths" : { "type" : "ANY" }
    }
  ],
  "view_frameworks" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "type" : "ANY" }
    }
  ],
  "view_tasks" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "type" : "ANY" }
    }
  ],
  "view_executors" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "type" : "ANY" }
    }
  ],
  "access_sandboxes" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "type" : "ANY" }
    }
  ],
  "access_mesos_logs" : [
    {
      "principals" : { "values" : ["foo"] },
      "logs" : { "type" : "ANY" }
    }
  ],
  "get_quotas" : [
    {
      "principals" : { "values" : ["foo"] },
      "roles" : { "type" : "ANY" }
    }
  ]
}
EOF

# Turn on verbose logging for the master process.
export GLOG_v=2
export MESOS_VERBOSE=1
# Start the master with HTTP authentication enabled, reading the credentials
# and ACL files written above.
./bin/mesos-master.sh --work_dir=/tmp/mesos/master \
                      --authenticate_http \
                      --credentials=file:///tmp/credentials.txt \
                      --acls=file:///tmp/acls.json \
                      --log_dir=/tmp/mesos/logs/master
{code}
and ran the agent with this script:
{code}
#! /usr/bin/env bash

# Test credentials: one "principal secret" pair per line, in plaintext.
# NOTE(review): same fixed /tmp path as the master script uses, created with
# the default umask.
cat <<EOF > /tmp/credentials.txt
foo bar
baz bar
EOF

# ACL policy for the agent; this replaces the contents of /tmp/acls.json.
# NOTE(review): the single rule is keyed "access_mesos_log" (no trailing "s"),
# and with "permissive": false nothing else is granted on the agent. Confirm
# the key spelling and whether the missing view_*/access_sandboxes rules
# explain the reported sandbox error.
cat <<EOF > /tmp/acls.json
{
  "permissive": false,
  "access_mesos_log" : [
    {
      "principals" : { "values" : ["foo"] },
      "logs" : { "type" : "ANY" }
    }
  ]
}
EOF

# Turn on verbose logging for the agent process.
export GLOG_v=2
export MESOS_VERBOSE=1
# Start the agent against the local master with HTTP authentication enabled,
# reading the credentials and ACL files written above.
./bin/mesos-slave.sh --work_dir=/tmp/mesos/agent \
                     --master=127.0.0.1:5050 \
                     --authenticate_http \
                     --http_credentials=file:///tmp/credentials.txt \
                     --acls=file:///tmp/acls.json \
                     --log_dir=/tmp/mesos/logs/agent
{code}

And then ran the long-lived framework with {{src/long-lived-framework 
--master=127.0.0.1:5050 --principal=foo --secret=bar}}. When attempting to 
click on "Sandbox" links in the Mesos web UI, I see the error {{Framework with 
ID 'd2735ff3-52ac-467a-b8eb-6bd7a119ee32-0000' does not exist on agent with ID 
'd2735ff3-52ac-467a-b8eb-6bd7a119ee32-S0'.
}} (screenshot attached). Looking at Chrome devtools, I don't see any non-200 
return codes in HTTP responses. Each click on "Sandbox" produces a single 
request to the agent's {{/state}} endpoint, which returns 200 OK.

I verified that the sandbox links work as expected when authorization is not 
enabled.


> Sandbox links are broken in authorized cluster
> ----------------------------------------------
>
>                 Key: MESOS-5746
>                 URL: https://issues.apache.org/jira/browse/MESOS-5746
>             Project: Mesos
>          Issue Type: Bug
>    Affects Versions: 1.0.0
>            Reporter: Greg Mann
>              Labels: authorization, mesosphere, security
>
> I ran Mesos master with this script:
> {code}
> #! /usr/bin/env bash
> rm -rf /tmp/mesos/*
> cat <<EOF > /tmp/credentials.txt
> foo bar
> baz bar
> EOF
> cat <<EOF > /tmp/acls.json
> {
>   "permissive": false,
>   "access_mesos_logs" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "logs" : { "type" : "ANY" }
>     }
>   ],
>   "register_frameworks" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "roles" : { "type" : "ANY" }
>     }
>   ],
>   "run_tasks" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "users" : { "type" : "ANY" }
>     }
>   ],
>   "get_endpoints" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "paths" : { "type" : "ANY" }
>     }
>   ],
>   "view_frameworks" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "users" : { "type" : "ANY" }
>     }
>   ],
>   "view_tasks" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "users" : { "type" : "ANY" }
>     }
>   ],
>   "view_executors" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "users" : { "type" : "ANY" }
>     }
>   ],
>   "access_sandboxes" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "users" : { "type" : "ANY" }
>     }
>   ],
>   "access_mesos_logs" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "logs" : { "type" : "ANY" }
>     }
>   ],
>   "get_quotas" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "roles" : { "type" : "ANY" }
>     }
>   ]
> }
> EOF
> export GLOG_v=2
> export MESOS_VERBOSE=1
> ./bin/mesos-master.sh --work_dir=/tmp/mesos/master \
>                       --authenticate_http \
>                       --credentials=file:///tmp/credentials.txt \
>                       --acls=file:///tmp/acls.json \
>                       --log_dir=/tmp/mesos/logs/master
> {code}
> and ran the agent with this script:
> {code}
> #! /usr/bin/env bash
> cat <<EOF > /tmp/credentials.txt
> foo bar
> baz bar
> EOF
> cat <<EOF > /tmp/acls.json
> {
>   "permissive": false,
>   "access_mesos_log" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "logs" : { "type" : "ANY" }
>     }
>   ]
> }
> EOF
> export GLOG_v=2
> export MESOS_VERBOSE=1
> ./bin/mesos-slave.sh --work_dir=/tmp/mesos/agent \
>                      --master=127.0.0.1:5050 \
>                      --authenticate_http \
>                      --http_credentials=file:///tmp/credentials.txt \
>                      --acls=file:///tmp/acls.json \
>                      --log_dir=/tmp/mesos/logs/agent
> {code}
> And then ran the long-lived framework with {{src/long-lived-framework 
> --master=127.0.0.1:5050 --principal=foo --secret=bar}}. When attempting to 
> click on "Sandbox" links in the Mesos web UI, I see the error {{Framework 
> with ID 'd2735ff3-52ac-467a-b8eb-6bd7a119ee32-0000' does not exist on agent 
> with ID 'd2735ff3-52ac-467a-b8eb-6bd7a119ee32-S0'.}} (screenshot attached). 
> Looking at Chrome devtools, I don't see any non-200 return codes in HTTP 
> responses. Each click on "Sandbox" produces a single request to the agent's 
> {{/state}} endpoint, which returns 200 OK.
> I verified that the sandbox links work as expected when authorization is not 
> enabled.


