Yan Xu created MESOS-7257:
-----------------------------
Summary: LocalAuthorizer handles request subject being NONE which
never happens
Key: MESOS-7257
URL: https://issues.apache.org/jira/browse/MESOS-7257
Project: Mesos
Issue Type: Bug
Reporter: Yan Xu
The {{approved}} method in the local authorizer deals with the request being
{{NONE}} or {{ANY}} according to these charts
{code:title=}
// Match matrix:
//
//                  -----------ACL----------
//
//                    SOME    NONE    ANY
//          -------|-------|-------|-------
//  |        SOME  | Yes/No|  Yes  |   Yes
//  |       -------|-------|-------|-------
// Request   NONE  |  No   |  Yes  |   No
//  |       -------|-------|-------|-------
//  |        ANY   |  No   |  Yes  |   Yes
//          -------|-------|-------|-------
// Allow matrix:
//
//                  -----------ACL----------
//
//                    SOME    NONE    ANY
//          -------|-------|-------|-------
//  |        SOME  | Yes/No|  No   |   Yes
//  |       -------|-------|-------|-------
// Request   NONE  |  No   |  Yes  |   No
//  |       -------|-------|-------|-------
//  |        ANY   |  No   |  No   |   Yes
//          -------|-------|-------|-------
{code}
However AFAICT there's not a case for the request to be {{NONE}} as the code
treats a none subject as {{ANY}}:
{code:title=}
// Construct subject.
if (subject_.isSome()) {
  aclSubject.add_values(subject_->value());
  aclSubject.set_type(mesos::ACL::Entity::SOME);
} else {
  aclSubject.set_type(mesos::ACL::Entity::ANY);
}
{code}
It feels more appropriate to use {{ACL::Entity::NONE}} to mean the subject is
none but regardless of the choice, we don't seem to need both
{{ACL::Entity::NONE}} and {{ACL::Entity::ANY}} for the request?
If so the matrices in should probably just have two rows and the code can be
simplified.
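The two matrices and the subject construction quoted in the issue, written out as an added C++ example (not Mesos code and not part of the original message) that checks a two-row form against the full matrices for every request the subject construction can produce. `Type`, `Entity`, `makeSubject` and the `*TwoRow` functions are hypothetical stand-ins, and reading the "Yes/No" cell as "every request value appears in the ACL" is an assumption.

```cpp
#include <algorithm>
#include <string>
#include <vector>

// Stand-in for mesos::ACL::Entity (hypothetical type, not the Mesos protobuf).
enum class Type { SOME = 0, NONE = 1, ANY = 2 };
struct Entity { Type type; std::vector<std::string> values; };

// Assumption: the "Yes/No" cell is yes iff every request value is in the ACL.
static bool subset(const Entity& req, const Entity& acl) {
  for (const std::string& v : req.values)
    if (!std::count(acl.values.begin(), acl.values.end(), v)) return false;
  return true;
}

// Matrices from the issue as [request][acl] in SOME, NONE, ANY order; -1 = "Yes/No".
static const int MATCH[3][3] = {{-1, 1, 1}, {0, 1, 0}, {0, 1, 1}};
static const int ALLOW[3][3] = {{-1, 0, 1}, {0, 1, 0}, {0, 0, 1}};
static bool lookup(const int (&m)[3][3], const Entity& req, const Entity& acl) {
  const int cell = m[static_cast<int>(req.type)][static_cast<int>(acl.type)];
  return cell < 0 ? subset(req, acl) : cell == 1;
}
bool matches(const Entity& req, const Entity& acl) { return lookup(MATCH, req, acl); }
bool allows(const Entity& req, const Entity& acl) { return lookup(ALLOW, req, acl); }

// Subject construction as quoted in the issue; nullptr models an absent subject.
Entity makeSubject(const char* subject) {
  return subject ? Entity{Type::SOME, {subject}} : Entity{Type::ANY, {}};
}

// Two-row form: only the SOME and ANY request rows are kept.
bool matchesTwoRow(const Entity& req, const Entity& acl) {
  return acl.type != Type::SOME || (req.type == Type::SOME && subset(req, acl));
}
bool allowsTwoRow(const Entity& req, const Entity& acl) {
  return acl.type != Type::NONE && matchesTwoRow(req, acl);
}

// Compares both forms for every reachable request over constructed sample ACLs.
bool twoRowFormAgrees() {
  const std::vector<Entity> acls = {{Type::SOME, {"alice"}}, {Type::SOME, {"bob"}},
                                    {Type::NONE, {}}, {Type::ANY, {}}};
  for (const Entity& req : {makeSubject("alice"), makeSubject(nullptr)}) {
    if (req.type == Type::NONE) return false;  // NONE request row is never built
    for (const Entity& acl : acls)
      if (matches(req, acl) != matchesTwoRow(req, acl) ||
          allows(req, acl) != allowsTwoRow(req, acl)) return false;
  }
  return true;
}
```

The `NONE` request row still exists in `MATCH` and `ALLOW`, but no input to `makeSubject` selects it, which is the dead path the issue describes.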