[ https://issues.apache.org/jira/browse/MESOS-5746?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Greg Mann updated MESOS-5746:
-----------------------------
    Description:
I ran Mesos master with this script:
{code}
#! /usr/bin/env bash
rm -rf /tmp/mesos/*
cat <<EOF > /tmp/credentials.txt
foo bar
baz bar
EOF
cat <<EOF > /tmp/acls.json
{
  "permissive": false,
  "access_mesos_logs" : [
    {
      "principals" : { "values" : ["foo"] },
      "logs" : { "type" : "ANY" }
    }
  ],
  "register_frameworks" : [
    {
      "principals" : { "values" : ["foo"] },
      "roles" : { "type" : "ANY" }
    }
  ],
  "run_tasks" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "type" : "ANY" }
    }
  ],
  "get_endpoints" : [
    {
      "principals" : { "values" : ["foo"] },
      "paths" : { "type" : "ANY" }
    }
  ],
  "view_frameworks" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "type" : "ANY" }
    }
  ],
  "view_tasks" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "type" : "ANY" }
    }
  ],
  "view_executors" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "type" : "ANY" }
    }
  ],
  "access_sandboxes" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "type" : "ANY" }
    }
  ],
  "access_mesos_logs" : [
    {
      "principals" : { "values" : ["foo"] },
      "logs" : { "type" : "ANY" }
    }
  ],
  "get_quotas" : [
    {
      "principals" : { "values" : ["foo"] },
      "roles" : { "type" : "ANY" }
    }
  ]
}
EOF
export GLOG_v=2
export MESOS_VERBOSE=1
./bin/mesos-master.sh --work_dir=/tmp/mesos/master \
  --authenticate_http \
  --credentials=file:///tmp/credentials.txt \
  --acls=file:///tmp/acls.json \
  --log_dir=/tmp/mesos/logs/master
{code}
and ran the agent with this script:
{code}
#! /usr/bin/env bash
cat <<EOF > /tmp/credentials.txt
foo bar
baz bar
EOF
cat <<EOF > /tmp/acls.json
{
  "permissive": false,
  "access_mesos_log" : [
    {
      "principals" : { "values" : ["foo"] },
      "logs" : { "type" : "ANY" }
    }
  ]
}
EOF
export GLOG_v=2
export MESOS_VERBOSE=1
./bin/mesos-slave.sh --work_dir=/tmp/mesos/agent \
  --master=127.0.0.1:5050 \
  --authenticate_http \
  --http_credentials=file:///tmp/credentials.txt \
  --acls=file:///tmp/acls.json \
  --log_dir=/tmp/mesos/logs/agent
{code}
And then ran the long-lived framework with {{src/long-lived-framework --master=127.0.0.1:5050 --principal=foo --secret=bar}}. When attempting to click on "Sandbox" links in the Mesos web UI, I see the error {{Framework with ID 'd2735ff3-52ac-467a-b8eb-6bd7a119ee32-0000' does not exist on agent with ID 'd2735ff3-52ac-467a-b8eb-6bd7a119ee32-S0'.}} (screenshot attached). Looking at Chrome devtools, I don't see any non-200 return codes in HTTP responses. Each click on "Sandbox" produces a single request to the agent's {{/state}} endpoint, which returns 200 OK.

I verified that the sandbox links work as expected when authorization is not enabled.

> Sandbox links are broken in authorized cluster
> ----------------------------------------------
>
>                 Key: MESOS-5746
>                 URL: https://issues.apache.org/jira/browse/MESOS-5746
>             Project: Mesos
>          Issue Type: Bug
>    Affects Versions: 1.0.0
>            Reporter: Greg Mann
>              Labels: authorization, mesosphere, security

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
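With "permissive": false, a request that matches no ACL entry is denied, so it helps to see exactly which actions each ACL file grants to a principal. The following is an added example, not part of the report or of Mesos itself: it parses the two ACL documents from the scripts above, flags keys that are repeated within a JSON object, and lists the actions granted to a principal in one file but not the other. The function names are hypothetical.

```python
import json

# ACL documents from the report's master and agent scripts (whitespace compacted).
MASTER_ACLS = """{"permissive": false,
 "access_mesos_logs": [{"principals": {"values": ["foo"]}, "logs": {"type": "ANY"}}],
 "register_frameworks": [{"principals": {"values": ["foo"]}, "roles": {"type": "ANY"}}],
 "run_tasks": [{"principals": {"values": ["foo"]}, "users": {"type": "ANY"}}],
 "get_endpoints": [{"principals": {"values": ["foo"]}, "paths": {"type": "ANY"}}],
 "view_frameworks": [{"principals": {"values": ["foo"]}, "users": {"type": "ANY"}}],
 "view_tasks": [{"principals": {"values": ["foo"]}, "users": {"type": "ANY"}}],
 "view_executors": [{"principals": {"values": ["foo"]}, "users": {"type": "ANY"}}],
 "access_sandboxes": [{"principals": {"values": ["foo"]}, "users": {"type": "ANY"}}],
 "access_mesos_logs": [{"principals": {"values": ["foo"]}, "logs": {"type": "ANY"}}],
 "get_quotas": [{"principals": {"values": ["foo"]}, "roles": {"type": "ANY"}}]}"""
AGENT_ACLS = """{"permissive": false,
 "access_mesos_log": [{"principals": {"values": ["foo"]}, "logs": {"type": "ANY"}}]}"""


def load_acls(text):
    """Parse an ACL document; also return keys repeated within one JSON object."""
    duplicates = []

    def hook(pairs):
        keys = [k for k, _ in pairs]
        duplicates.extend(sorted({k for k in keys if keys.count(k) > 1}))
        return dict(pairs)  # same last-one-wins result json.loads gives by default

    return json.loads(text, object_pairs_hook=hook), duplicates


def granted_actions(acls, principal):
    """Actions with at least one entry naming the principal (or type ANY)."""
    def names(entry):
        who = entry.get("principals", {})
        return principal in who.get("values", []) or who.get("type") == "ANY"
    return {action for action, entries in acls.items()
            if action != "permissive" and any(names(e) for e in entries)}


def compare_acls(master_text, agent_text, principal):
    """Summarise how the two ACL files differ for one principal."""
    (master, m_dups), (agent, a_dups) = load_acls(master_text), load_acls(agent_text)
    m, a = granted_actions(master, principal), granted_actions(agent, principal)
    return {"duplicate_keys": {"master": m_dups, "agent": a_dups},
            "permissive": {"master": master["permissive"], "agent": agent["permissive"]},
            "only_on_master": sorted(m - a), "only_on_agent": sorted(a - m)}


if __name__ == "__main__":
    print(json.dumps(compare_acls(MASTER_ACLS, AGENT_ACLS, "foo"), indent=2))
```

The check only compares the key names as written in each file; it does not validate them against the set of actions Mesos recognises.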