[
https://issues.apache.org/jira/browse/MESOS-7190?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15930736#comment-15930736
]
Greg Mann commented on MESOS-7190:
----------------------------------
I'm actually not so sure about this. Callsites which don't do
authorization-based filtering, but which simply need a boolean authorization
result, are much cleaner when using {{authorized()}}.
I think that instead of eliminating the {{authorized()}} method entirely, we
could provide an implementation as a member-function of the {{Authorizer}} base
class. It could make use of the local authorizer's [current
implementation|https://github.com/apache/mesos/blob/62161ac4416323b7373cc5e2a63b285f6f510d11/src/authorizer/local/authorizer.cpp#L628-L643]
to accomplish this functionality using {{getObjectApprover}}. In this way,
modules would only need to implement {{getObjectApprover}}, and the base class
could provide an {{authorized()}} helper to keep the callsites clean.
cc [~arojas] [~adam-mesos] [~tillt]
> Update endpoint handlers to use 'ObjectApprover'
> ------------------------------------------------
>
> Key: MESOS-7190
> URL: https://issues.apache.org/jira/browse/MESOS-7190
> Project: Mesos
> Issue Type: Improvement
> Components: security
> Reporter: Greg Mann
> Labels: authorization, mesosphere, security
>
> The {{ObjectApprover}}-based interface for the authorizer has been
> introduced, but not all handlers make use of this new functionality (i.e.,
> {{Slave::Http::flags()}}. We should consider migrating all authorization code
> to use {{getObjectApprover}}, and deprecating the older {{authorized()}}
> interface.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
