[
https://issues.apache.org/jira/browse/MESOS-7339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15979238#comment-15979238
]
Greg Mann commented on MESOS-7339:
----------------------------------
{code}
commit 3f5b2c90c2f6825148662db8e1e88be08f37f3b5
Author: Greg Mann <[email protected]>
Date: Fri Apr 21 10:45:41 2017 -0700
Enabled authorization in default executor check tests.
This patch enables authorization in the check and health check
tests which use the default executor. Simple permissive ACLs are
set, forcing the local authorizer to be loaded which allows us
to test the implicit executor authorization code for agent
operator API calls.
Review: https://reviews.apache.org/r/58458/
{code}
{code}
commit 0124cbfd31116262f533c0dc38bef9a60238bfbd
Author: Greg Mann <[email protected]>
Date: Fri Apr 21 10:45:38 2017 -0700
Added tests for failed executor authorization.
This patch adds new tests to verify that HTTP executors cannot
subscribe or launch nested containers when HTTP executor
authentication is enabled, authorization is enabled, and they
do not provide a valid executor authentication token
Review: https://reviews.apache.org/r/58428/
{code}
{code}
commit 33e2ee09b8ceb53cb1e64eb2dad5802e45130c3e
Author: Greg Mann <[email protected]>
Date: Fri Apr 21 10:45:28 2017 -0700
Added a new agent authorization test which runs a task group.
This patch adds a new test,
`SlaveAuthorizerTest.AuthorizeRunTaskGroup`, which
verifies that task groups can be launched when
executor authentication is required and the local
authorizer is loaded.
Review: https://reviews.apache.org/r/58258/
{code}
{code}
commit ccb102f212d38cd5ad2bb5ce848b8ebe7629b6ba
Author: Greg Mann <[email protected]>
Date: Fri Apr 21 10:45:24 2017 -0700
Added implicit authorization to the agent executor API.
This patch updates the agent handler for the executor API to
verify the FrameworkID and ExecutorID contained within the
executor's `Principal`, if present. This effectively performs
implicit authorization of executor calls.
Review: https://reviews.apache.org/r/58255/
{code}
> Add authorization to agent executor API
> ---------------------------------------
>
> Key: MESOS-7339
> URL: https://issues.apache.org/jira/browse/MESOS-7339
> Project: Mesos
> Issue Type: Task
> Reporter: Greg Mann
> Assignee: Greg Mann
> Labels: authorization, executor, http, mesosphere, security
>
> The agent's {{/executor}} endpoint must be updated to accomplish simple
> implicit authorization of executor actions. This is analogous to the way the
> master's {{/scheduler}} endpoint handler verifies the framework's
> authenticated principal, effectively performing implicit authorization.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
