[ https://issues.apache.org/jira/browse/MESOS-5369?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gavin updated MESOS-5369:
-------------------------
Comment: was deleted
(was: www.rtat.net)
> Coarse-grained authorization of endpoints is supported only for short url
> paths.
> --------------------------------------------------------------------------------
>
> Key: MESOS-5369
> URL: https://issues.apache.org/jira/browse/MESOS-5369
> Project: Mesos
> Issue Type: Bug
> Affects Versions: 1.0.0
> Reporter: Alexander Rukletsov
> Priority: Minor
> Labels: authorization, integration, mesosphere, security
>
> For coarse-grained authorization actions, e.g., {{GET_ENDPOINT_WITH_PATH}},
> we currently pass the short version of the url path, i.e., {{/state}} instead
> of {{/master/state}}, to the authorizer in some cases. This means that ACLs
> for the local authorizer will not work as expected if absolute paths are used.
> Moreover, both local and modularized authorizers should be able to understand
> both short url paths for endpoints that belong to the "major" actor process
> (e.g., master, agent) and absolute url paths for all other actors (e.g.,
> {{/files/browse}}, {{/metrics/snapshot}}).
> One possible solution is to pass absolute paths to authorizers and let them
> do the necessary processing, e.g., removing agent id from
> {{/slave(id)/state}}. This will also require normalizing endpoints from ACLs
> to absolute path form, similar to what we have done in MESOS-3143. Additionally,
> this solution removes ambiguity which may arise for the same endpoints belonging
> to different actors, e.g., {{/master/flags}} vs. {{/slave/flags}}.
> Here are some code snippets to illustrate the problem and the reasons:
> * https://github.com/apache/mesos/blob/eaf0d3461b3f17c9037490e873f114c2ee1c14d9/src/slave/http.cpp#L824-L833
> * https://github.com/apache/mesos/blob/0104e7349a0539f38d02a0e7e23b7712ebefc201/3rdparty/libprocess/src/process.cpp#L2398
> * https://github.com/apache/mesos/blob/0104e7349a0539f38d02a0e7e23b7712ebefc201/src/master/main.cpp#L247
> * https://github.com/apache/mesos/blob/0104e7349a0539f38d02a0e7e23b7712ebefc201/3rdparty/libprocess/src/process.cpp#L2875
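The mismatch reported above and the proposed normalization to absolute paths, as an added C++ example that is not part of the original issue and is not Mesos code. The names `toAbsolute`, `allowedRaw` and `allowedNormalized` are hypothetical, and treating every one-segment path as a short path of the major actor is an assumption.

```cpp
#include <set>
#include <string>

// Hypothetical helper, not Mesos code. Converts a request or ACL path to the
// absolute form "/<actor>/<endpoint>"; `majorActor` is "master" or "slave".
std::string toAbsolute(const std::string& path, const std::string& majorActor)
{
  // Assumption: a one-segment path such as "/state" is the short form of an
  // endpoint that belongs to the major actor process.
  const std::string::size_type slash = path.find('/', 1);
  if (slash == std::string::npos) {
    return "/" + majorActor + path;
  }

  // Drop a process id suffix from the first segment:
  // "/slave(1)/state" -> "/slave/state".
  const std::string::size_type open = path.find('(');
  if (open != std::string::npos && open < slash && path[slash - 1] == ')') {
    return path.substr(0, open) + path.substr(slash);
  }
  return path;
}

// Comparison as described in the report: the ACL entry and the path handed
// to the authorizer are matched as-is, so "/state" misses "/master/state".
bool allowedRaw(const std::set<std::string>& acl, const std::string& path)
{
  return acl.count(path) > 0;
}

// Comparison with the ACL entries and the request path both normalized first.
bool allowedNormalized(
    const std::set<std::string>& acl,
    const std::string& path,
    const std::string& majorActor)
{
  const std::string wanted = toAbsolute(path, majorActor);
  for (const std::string& entry : acl) {
    if (toAbsolute(entry, majorActor) == wanted) {
      return true;
    }
  }
  return false;
}
```

With absolute paths on both sides, an ACL entry for `/master/flags` no longer matches a short `/flags` request served by an agent.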