Re: Review Request 46115: Added AuthN for HTTP based frameworks.

Thu, 14 Apr 2016 10:10:29 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/46115/#review128914
-----------------------------------------------------------



Looks good! A couple small things below.


src/master/http.cpp (lines 431 - 436)
<https://reviews.apache.org/r/46115/#comment192355>

    What about instead:
    
    `if (principal.isSome() && 
!call.subscribe().framework_info().has_principal())`?



src/master/validation.hpp (line 47)
<https://reviews.apache.org/r/46115/#comment192362>

    Do we really want to have a default value for an argument to a validation 
function? It makes me a bit uneasy; if the caller wants a `Call` message to be 
validated, shouldn't we require them to provide the exact data to validated, 
without making assumptions for them?



src/master/validation.cpp (lines 79 - 81)
<https://reviews.apache.org/r/46115/#comment192358>

    What about: `if (principal.isSome() && frameworkInfo.has_principal() && 
principal != frameworkInfo.principal())`?


- Greg Mann


On April 14, 2016, 3:35 p.m., Anand Mazumdar wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/46115/
> -----------------------------------------------------------
> 
> (Updated April 14, 2016, 3:35 p.m.)
> 
> 
> Review request for mesos, Greg Mann and Vinod Kone.
> 
> 
> Bugs: MESOS-3923
>     https://issues.apache.org/jira/browse/MESOS-3923
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> This change adds AuthN support for HTTP based frameworks.
> 
> We allow AuthZ without AuthN for `/scheduler` endpoint. Also,
> we ensure that `FrameworkInfo.principal` (if present) equals
> the authenticated principal. We also allow a framework to
> omit specifying the `FrameworkInfo.principal` in case
> it is not interested in authorization or if it is disabled.
> We do log a warning for this cases similar to what driver
> based frameworks already do.
> 
> 
> Diffs
> -----
> 
>   src/master/http.cpp b8a83b58b60416f61610cad16fc6f70028a5ee10 
>   src/master/master.hpp 1f480f03900a0dc2996c2ed3a9534dfa8036940f 
>   src/master/master.cpp 781402c04fded159183e1ca28894e48355200f0c 
>   src/master/validation.hpp d1f2323172cbf3bb052942a119b8531f9ccad48d 
>   src/master/validation.cpp 13423436a4e6361fde6fa75133eebf5c02c8381f 
> 
> Diff: https://reviews.apache.org/r/46115/diff/
> 
> 
> Testing
> -------
> 
> make check. Enabled AuthN for all the tests later in the chain.
> 
> 
> Thanks,
> 
> Anand Mazumdar
> 
>

Reply via email to