[ https://issues.apache.org/jira/browse/MESOS-7014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15979236#comment-15979236 ]
Greg Mann commented on MESOS-7014:
----------------------------------
{code}
commit ecab5ff3f8c6d50dd6551f552eeb381f49eb3949
Author: Greg Mann <[email protected]>
Date:   Fri Apr 21 10:45:19 2017 -0700

    Added implicit executor authorization to the agent operator API.

    This patch updates the agent handlers for the LAUNCH_, WAIT_,
    and KILL_NESTED_CONTAINER calls of the operator API to set the
    `container_id` field within the authorization object,
    facilitating implicit executor authorization.

    Review: https://reviews.apache.org/r/58254/
{code}
{code}
commit c401190086e1a419280c49833663aaf740ce6104
Author: Greg Mann <[email protected]>
Date:   Fri Apr 21 10:45:16 2017 -0700

    Added a ContainerID to 'ObjectApprover::Object'.

    This patch adds a new member, `container_id`, to the
    `ObjectApprover::Object` to facilitate implicit executor
    authorization.

    Review: https://reviews.apache.org/r/58253/
{code}
{code}
commit 02c2d6ff5ca6cd64f33693ab52b7dfed899143d9
Author: Greg Mann <[email protected]>
Date:   Fri Apr 21 10:45:13 2017 -0700

    Allowed the local authorizer to accept subjects with no value.

    This patch updates checks in the local authorizer to allow subjects
    which specify `claims` instead of a `value`.

    Review: https://reviews.apache.org/r/58252/
{code}
{code}
commit 6d06388039f060dd091f543c0f83a2a205b39ae7
Author: Greg Mann <[email protected]>
Date:   Fri Apr 21 10:45:09 2017 -0700

    Changed 'Principal.claims' to a hashmap.

    This patch changes the `claims` member of the authentication
    `Principal` struct from a `std::map` to a `hashmap`, so that
    we can make use of the `contains()` helper during authorization.

    Review: https://reviews.apache.org/r/58251/
{code}
> Add implicit executor authorization to local authorizer
> -------------------------------------------------------
>
> Key: MESOS-7014
> URL: https://issues.apache.org/jira/browse/MESOS-7014
> Project: Mesos
> Issue Type: Task
> Components: security
> Reporter: Greg Mann
> Assignee: Greg Mann
> Labels: authorization, executor, mesosphere, security
> Fix For: 1.3.0
>
>
> The local authorizer should be updated to perform implicit authorization of
> executor actions. When executors authenticate using a default executor
> secret, the authorizer will receive an authorization {{Subject}} which
> contains claims, but no principal. In this case, implicit authorization
> should be performed. Implicit authorization rules should enforce that an
> executor can perform actions on itself; i.e., subscribe as itself, send
> messages as itself, launch nested containers within itself.
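The implicit rule from the issue description, sketched as an added example (not Mesos code and not taken from the commits above): a subject with claims but no principal may act only on containers inside its own container tree. The struct layouts, the `cid` claim key, the `Decision` enum and the function names are assumptions made for illustration.

```cpp
#include <string>
#include <unordered_map>

// Simplified stand-ins for the types named in this issue (hypothetical
// layouts, not the Mesos definitions).
struct Subject {
  std::string value;  // principal; empty when only claims were presented
  std::unordered_map<std::string, std::string> claims;
};
struct ContainerID {
  std::string value;
  const ContainerID* parent;  // nullptr for the executor's own container
};
struct Object {
  const ContainerID* container_id;  // set by the agent handler, may be null
};
enum class Decision { ALLOW, DENY, USE_ACLS };

// Assumed name of the claim that carries the executor's container ID.
const char* const CID_CLAIM = "cid";

// Walk up the nesting chain to the executor-level container.
const ContainerID& rootOf(const ContainerID& id) {
  const ContainerID* c = &id;
  while (c->parent != nullptr) c = c->parent;
  return *c;
}

Decision authorizeContainerCall(const Subject& s, const Object& o) {
  // Subjects that carry a principal are left to the configured ACLs.
  if (!s.value.empty()) return Decision::USE_ACLS;
  // Neither principal nor container claim: nothing to authorize against.
  auto cid = s.claims.find(CID_CLAIM);
  if (cid == s.claims.end() || cid->second.empty()) return Decision::DENY;
  // Fail closed if the handler did not populate the object.
  if (o.container_id == nullptr) return Decision::DENY;
  // An executor may act only inside its own container tree.
  return rootOf(*o.container_id).value == cid->second ? Decision::ALLOW
                                                      : Decision::DENY;
}

int main() {  // constructed sample IDs
  ContainerID own{"exec-1", nullptr}, nested{"child", &own};
  ContainerID other{"exec-2", nullptr};
  Subject executor{"", {{CID_CLAIM, "exec-1"}}};
  bool ok = authorizeContainerCall(executor, {&nested}) == Decision::ALLOW &&
            authorizeContainerCall(executor, {&other}) == Decision::DENY;
  return ok ? 0 : 1;
}
```

The two deny branches ahead of the comparison are the fail-closed cases: a claims-only subject without a container claim, and a handler that left `container_id` unset.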