[ https://issues.apache.org/jira/browse/MESOS-7257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15955940#comment-15955940 ]
Vinod Kone commented on MESOS-7257:
-----------------------------------
Sorry, just got around to this.
At the call site, if the subject is unknown (maybe because authN is not
enabled) we want to ask the authorizer whether "ANY" subject is allowed to
perform the action. If the answer is yes, then the unknown subject is allowed.
I don't think it makes sense to ask the authorizer if "none" of the subjects
are allowed in that case?
A request being "NONE" probably doesn't make sense, but IIRC I just added it
for completeness. We can add a CHECK instead to disallow it if that makes the
authorizer code much simpler.
> LocalAuthorizer handles request subject being NONE which never happens
> ----------------------------------------------------------------------
>
> Key: MESOS-7257
> URL: https://issues.apache.org/jira/browse/MESOS-7257
> Project: Mesos
> Issue Type: Bug
> Reporter: Yan Xu
>
> The {{approved}} method in the local authorizer deals with the request being
> {{NONE}} or {{ANY}} according to these charts
> {code}
> // Match matrix:
> //
> //                    -----------ACL----------
> //
> //                      SOME    NONE    ANY
> //            -------|-------|-------|-------
> //            | SOME | Yes/No|  Yes  |  Yes
> //            |-------|-------|-------|-------
> //    Request | NONE |  No   |  Yes  |  No
> //            |-------|-------|-------|-------
> //            | ANY  |  No   |  Yes  |  Yes
> //            -------|-------|-------|-------
> //
> // Allow matrix:
> //
> //                    -----------ACL----------
> //
> //                      SOME    NONE    ANY
> //            -------|-------|-------|-------
> //            | SOME | Yes/No|  No   |  Yes
> //            |-------|-------|-------|-------
> //    Request | NONE |  No   |  Yes  |  No
> //            |-------|-------|-------|-------
> //            | ANY  |  No   |  No   |  Yes
> //            -------|-------|-------|-------
> {code}
> However, AFAICT there's not a case for the request to be {{NONE}}, as the code
> treats a none subject as {{ANY}}:
> {code}
> // Construct subject.
> if (subject_.isSome()) {
> aclSubject.add_values(subject_->value());
> aclSubject.set_type(mesos::ACL::Entity::SOME);
> } else {
> aclSubject.set_type(mesos::ACL::Entity::ANY);
> }
> {code}
> It feels more appropriate to use {{ACL::Entity::NONE}} to mean the subject is
> none, but regardless of the choice, we don't seem to need both
> {{ACL::Entity::NONE}} and {{ACL::Entity::ANY}} for the request?
> If so, the matrices should probably just have two rows and the code can be
> simplified.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
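The two matrices quoted in the issue and the subject-construction snippet, modelled in C++ as an added example (not Mesos code, and not from either commenter). It encodes the match and allow tables exactly as quoted, and it shows the point both comments make: an absent subject is turned into {{ANY}}, so a request entity of type {{NONE}} is never produced, and an unknown subject is only ever authorized by an ACL whose subject is {{ANY}}. Assumptions (not stated on the page): the "Yes/No" cell for SOME against SOME is a subset check on the value sets, the first ACL whose subject and object both match decides, and a {{permissive}} flag is the default when nothing matches. The names {{Entity}}, {{ACL}}, {{Request}}, {{subjectFromRequest}} and {{approved}} are illustrative.

```cpp
#include <algorithm>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Illustrative model of ACL::Entity::{SOME, NONE, ANY} (added example, not Mesos code).
enum class EntityType { SOME, NONE, ANY };

struct Entity {
  EntityType type;
  std::set<std::string> values;  // only meaningful when type == SOME
};

// Assumption: "Yes/No" for a SOME request against a SOME ACL means every
// requested value is listed in the ACL's value set.
static bool subsetOf(const Entity& request, const Entity& acl) {
  return std::includes(acl.values.begin(), acl.values.end(),
                       request.values.begin(), request.values.end());
}

// Match matrix from the issue: does this ACL entity apply to the request entity?
bool matches(const Entity& request, const Entity& acl) {
  if (request.type == EntityType::SOME) {
    // SOME vs SOME -> Yes/No, SOME vs NONE -> Yes, SOME vs ANY -> Yes
    return acl.type == EntityType::SOME ? subsetOf(request, acl) : true;
  }
  if (request.type == EntityType::NONE) {
    // NONE vs SOME -> No, NONE vs NONE -> Yes, NONE vs ANY -> No
    return acl.type == EntityType::NONE;
  }
  // ANY vs SOME -> No, ANY vs NONE -> Yes, ANY vs ANY -> Yes
  return acl.type != EntityType::SOME;
}

// Allow matrix from the issue: does this ACL entity permit the request entity?
bool allows(const Entity& request, const Entity& acl) {
  if (request.type == EntityType::SOME) {
    // SOME vs SOME -> Yes/No, SOME vs NONE -> No, SOME vs ANY -> Yes
    if (acl.type == EntityType::SOME) return subsetOf(request, acl);
    return acl.type == EntityType::ANY;
  }
  if (request.type == EntityType::NONE) {
    // NONE vs SOME -> No, NONE vs NONE -> Yes, NONE vs ANY -> No
    return acl.type == EntityType::NONE;
  }
  // ANY vs SOME -> No, ANY vs NONE -> No, ANY vs ANY -> Yes
  return acl.type == EntityType::ANY;
}

// Mirrors the quoted "Construct subject" snippet: an absent principal
// (e.g. authentication disabled) becomes ANY, never NONE.
Entity subjectFromRequest(const std::string* principal) {
  Entity subject{EntityType::ANY, {}};
  if (principal != nullptr) {
    subject.type = EntityType::SOME;
    subject.values.insert(*principal);
  }
  return subject;
}

struct ACL { Entity subject; Entity object; };
struct Request { Entity subject; Entity object; };

// Assumption: first ACL whose subject and object both match decides; if no
// ACL matches, the permissive default applies.
bool approved(const Request& request, const std::vector<ACL>& acls, bool permissive) {
  for (const ACL& acl : acls) {
    if (matches(request.subject, acl.subject) && matches(request.object, acl.object)) {
      return allows(request.subject, acl.subject) && allows(request.object, acl.object);
    }
  }
  return permissive;
}

int main() {
  // Constructed sample ACLs: alice may act on object "foo"; anyone may act on "bar".
  std::vector<ACL> acls = {
    {Entity{EntityType::SOME, {"alice"}}, Entity{EntityType::SOME, {"foo"}}},
    {Entity{EntityType::ANY, {}},         Entity{EntityType::SOME, {"bar"}}},
  };
  std::string alice = "alice";
  Request known{subjectFromRequest(&alice), Entity{EntityType::SOME, {"foo"}}};
  Request unknown{subjectFromRequest(nullptr), Entity{EntityType::SOME, {"foo"}}};
  Request unknownBar{subjectFromRequest(nullptr), Entity{EntityType::SOME, {"bar"}}};
  std::cout << "alice on foo:   " << approved(known, acls, false) << "\n";      // 1
  std::cout << "unknown on foo: " << approved(unknown, acls, false) << "\n";    // 0
  std::cout << "unknown on bar: " << approved(unknownBar, acls, false) << "\n"; // 1
  return 0;
}
```

The {{subjectFromRequest}} function is where the issue's observation lives: only two request types can ever reach {{matches}} and {{allows}}, so the {{NONE}} row of each matrix is dead. The last two calls in {{main}} also show the behaviour Vinod describes: an unknown subject (type {{ANY}}) is refused by the {{SOME}}-subject ACL but accepted by the {{ANY}}-subject one.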