> On March 22, 2016, 7:23 p.m., Bill Farner wrote:
> > src/main/python/apache/aurora/executor/common/announcer.py, line 84
> > <https://reviews.apache.org/r/45042/diff/4/?file=1310999#file1310999line84>
> >
> >     I think we should also require that at least one field is specified in
> > `permissions`.  Seems like the ACL entry would be meaningless otherwise.
> 
> Kunal Thakar wrote:
>     Done. Will it be overkill to use something like jsonschema to validate
> this instead?
> 
> Bill Farner wrote:
>     I'll let you assess that for the time being.  I would not be opposed.  
> You should also consider defining a schema in pystachio, however.

Here's the schema fleshed out in pystachio.  I think this is how you should 
proceed.

```python
from apache.thermos.config.schema import (
    Boolean,
    Default,
    List,
    Required,
    String,
    Struct
)


# One entry of the "auth" list: a plain credential used for ZK authentication.
class Auth(Struct):
  scheme     = Required(String)
  credential = Required(String)


# Permission flags for an ACL entry; each flag is optional and off by default.
class Permissions(Struct):
  read    = Default(Boolean, False)
  write   = Default(Boolean, False)
  create  = Default(Boolean, False)
  delete  = Default(Boolean, False)


# One entry of the "acl" list: the scheme/credential an ACL applies to and
# the permissions it grants.
class Access(Struct):
  scheme      = Required(String)
  credential  = Required(String)
  permissions = Required(Permissions)


# Top-level document; both lists default to empty.
class ZkAuth(Struct):
  auth = Default(List(Auth), [])
  acl  = Default(List(Access), [])
```

If you're not familiar with pystachio, I suggest you drop into a repl to get a
feel for the API:

`./pants -q repl src/main/python/apache/aurora/client`

From there, you can paste the above classes and try your example schema:

```pycon
>>> example = '''{
...   "auth": [
...     {
...       "scheme": "digest",
...       "credential": "user:pass"
...     }
...   ],
...   "acl": [
...     {
...       "scheme": "digest",
...       "credential": "user:smGaoVKd/cQkjm7b88GyorAUz20=",
...       "permissions": {
...         "read": true,
...         "write": true,
...         "create": true,
...         "delete": true
...       }
...     }
...   ]
... }'''
>>> a = ZkAuth.json_loads(example, strict=True)
>>> print a
ZkAuth(auth=AuthList(Auth(credential=user:pass,
     scheme=digest)),
       acl=AccessList(Access(credential=user:smGaoVKd/cQkjm7b88GyorAUz20=,
       scheme=digest,
       permissions=Permissions(read=True,
            write=True,
            create=True,
            delete=True))))
>>> for auth in a.auth():
...   print auth.credential()
...
user:pass
```


- Bill


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/45042/#review124935
-----------------------------------------------------------
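
Added example (not from the review thread, Aurora or pystachio): a stand-alone validator, written against the standard library only so it runs without pystachio, that mirrors the ZkAuth schema above. It enforces the Required(String) fields, the Default(Boolean, False) permission flags, rejects keys the schema does not declare (which is what the `strict=True` load above is meant to do), and adds the check from the review that an ACL entry must grant at least one permission. Note that the `acls`, `admin` and `all` names used in the description's JSON below are not declared by the schema above and are rejected here, so the two need to be reconciled.

```python
import json
PERMISSION_FIELDS = ("read", "write", "create", "delete")  # Permissions struct fields


class SchemaError(ValueError):
    """Raised when the announcer auth document does not match the schema."""


def _check_keys(obj, required, optional, where):
    # Strict loading: missing required keys and undeclared keys are both errors.
    if not isinstance(obj, dict):
        raise SchemaError("%s: expected a JSON object" % where)
    missing = [k for k in required if k not in obj]
    unknown = [k for k in obj if k not in required and k not in optional]
    if missing or unknown:
        raise SchemaError("%s: missing=%s unknown=%s" % (where, missing, unknown))


def _parse_auth(entry, where):
    # Auth: scheme and credential are Required(String).
    _check_keys(entry, ("scheme", "credential"), (), where)
    for key in ("scheme", "credential"):
        if not isinstance(entry[key], str) or not entry[key]:
            raise SchemaError("%s.%s: expected a non-empty string" % (where, key))
    return {"scheme": entry["scheme"], "credential": entry["credential"]}


def _parse_access(entry, where):
    # Access: the Auth fields plus a Required(Permissions) block.
    _check_keys(entry, ("scheme", "credential", "permissions"), (), where)
    access = _parse_auth({k: entry[k] for k in ("scheme", "credential")}, where)
    perms = entry["permissions"]
    _check_keys(perms, (), PERMISSION_FIELDS, where + ".permissions")
    flags = {f: perms.get(f, False) for f in PERMISSION_FIELDS}  # Default(Boolean, False)
    if not all(isinstance(v, bool) for v in flags.values()):
        raise SchemaError("%s.permissions: flags must be booleans" % where)
    if not any(flags.values()):
        # The review's extra rule: an ACL entry that grants nothing is meaningless.
        raise SchemaError("%s.permissions: at least one permission must be true" % where)
    access["permissions"] = flags
    return access


def load_zk_auth(text):
    """Parse and validate a ZkAuth JSON document, returning plain dicts."""
    doc = json.loads(text)
    _check_keys(doc, (), ("auth", "acl"), "ZkAuth")
    auth, acl = doc.get("auth", []), doc.get("acl", [])
    if not isinstance(auth, list) or not isinstance(acl, list):
        raise SchemaError("ZkAuth: auth and acl must be lists")
    return {"auth": [_parse_auth(e, "auth[%d]" % i) for i, e in enumerate(auth)],
            "acl": [_parse_access(e, "acl[%d]" % i) for i, e in enumerate(acl)]}
```

Feeding it the example document from the repl session above yields the same structure the pystachio load prints, while the description's `acls`/`admin`/`all` document raises SchemaError.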


On March 28, 2016, 4:10 p.m., Kunal Thakar wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/45042/
> -----------------------------------------------------------
> 
> (Updated March 28, 2016, 4:10 p.m.)
> 
> 
> Review request for Aurora, Bill Farner and Zameer Manji.
> 
> 
> Repository: aurora
> 
> 
> Description
> -------
> 
> Add ACL support for announcer
> https://issues.apache.org/jira/browse/AURORA-1643
> 
> Adding support for service discovery ZK authentication. ZK authentication 
> secrets should be stored in a file as json (as follows):
> (Updated JSON format for config file)
> ```json
> {
>   "auth": [
>     {
>       "scheme": "<scheme>",
>       "credential": "<plain_credential>"
>     }
>   ],
>   "acls": [
>     {
>       "scheme": "<scheme>",
>       "credential": "<encrypted_credential>",
>       "permissions": {
>         "read": <bool>,
>         "write": <bool>,
>         "create": <bool>,
>         "delete": <bool>,
>         "admin": <bool>,
>         "all": <bool>
>       }
>     }
>   ]
> }
> ```
> 
> 
> Diffs
> -----
> 
>   RELEASE-NOTES.md 34f28a165aae4ae24fa95ef19b4972e088fd63a0
>   docs/operations/security.md 1a3d9b7e7ba4ec1952dc886d5fbeb6b85d994fb9
>   examples/vagrant/announcer-auth.json PRE-CREATION
>   examples/vagrant/upstart/aurora-scheduler-announcer-auth.conf PRE-CREATION
>   src/main/python/apache/aurora/executor/bin/thermos_executor_main.py 6634506108c346f8c23b2da7cc8d20d09d07d590
>   src/main/python/apache/aurora/executor/common/announcer.py 79a9cfb6ac3a8444f09fb3658e6e859e06941ba4
>   src/test/python/apache/aurora/executor/bin/test_thermos_executor_entry_point.py e9f7851292aef3a36da5da9b0fc333a7e7750cf3
>   src/test/python/apache/aurora/executor/common/test_announcer.py 142b58d5e577c9f4b8e2ae8473cffdea94eba21f
>   src/test/sh/org/apache/aurora/e2e/test_announcer_auth_end_to_end.sh PRE-CREATION
>   src/test/sh/org/apache/aurora/e2e/test_end_to_end.sh e1c12bbd4382c31e576439f6693d82d5661029b9
>   src/test/sh/org/apache/aurora/e2e/validate_serverset.py fca1137bd2e7b1306a03dc2a54d2ef15b59af6a8
> 
> Diff: https://reviews.apache.org/r/45042/diff/
> 
> 
> Testing
> -------
> 
> /vagrant/src/test/sh/org/apache/aurora/e2e/test_announcer_auth_end_to_end.sh
> /vagrant/src/test/sh/org/apache/aurora/e2e/test_end_to_end.sh
> 
> 
> Thanks,
> 
> Kunal Thakar
> 
>
