> On April 20, 2016, 10:35 a.m., Adam B wrote: > > src/slave/http.cpp, lines 658-660 > > <https://reviews.apache.org/r/46203/diff/9/?file=1350392#file1350392line658> > > > > Where did you come up with the magic number 3? What if we reorganize > > the operator endpoints in the (1.0) future? How will we know what the new > > value should be here? > > What if the user setup a reverse proxy (like in dcos) and these > > requests are actually coming from a different base url than expected? > > Benjamin Bannier wrote: > @adam: The three here is needed so that this just strips the agent part > of the path, not everything up to the last `/`. An example endpoint would be > `/slave(1)/monitor/statistics`. > > Jan Schlicht wrote: > Seems like a hard problem to fully support both requirements. Maybe > reverting back to using `std::string` instead of `http::URL` as the function > parameter for `endpoint` could resolve this. > > Benjamin Bannier wrote: > Please use some typed entity that the usual endpoint handlers are aware > of. They currently have a `Request`, but e.g., have no idea how they are > being routed. > > Jan Schlicht wrote: > I'll go back to using the "magic number 3". At this point `URL::path` > will look like this: "/slave(n)/name/of/endpoint". By splitting into 3 > components we get rid of the "/slave(n)/". The path is not the full URL that > has been requested, hence reverse proxies shouldn't be an issue here. I'll > add a comment, explaining this. > > Adam B wrote: > I see. And will this value be the same for the master's endpoints? > Good to hear that reverse proxies won't be affected since it's not a full > URL. > > Jan Schlicht wrote: > This values won't work for the master's endpoint. In that case > `URL::path` will be "/name/of/endpoint" and we wouldn't need to split. > Because we're in `Slave::Http` we can expect that this code is only called > for agents.
So here is my issue wit this, you break it into three, and pass only the second one to the authorizer, but that just sets a bad precedent. There are endpoint that added with more components, e.g. `/api/v1/scheduler`. The right way to solve this is to do something like: ```c++ // … code to handle when `url.path` is empty. std::string path = url.path; std::size_t position = path.find('/', 1); if (position != std::string::npos) { path = path.substr(position); } // Call the authorizer. ``` And we can add code to the authorizer module instead on how to handle objects which encode paths (just like we dispatch to the endpoint handlers). - Alexander ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/46203/#review129696 ----------------------------------------------------------- On April 25, 2016, 2:50 p.m., Jan Schlicht wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/46203/ > ----------------------------------------------------------- > > (Updated April 25, 2016, 2:50 p.m.) > > > Review request for mesos, Adam B, Alexander Rojas, and Benjamin Bannier. > > > Bugs: MESOS-5142 > https://issues.apache.org/jira/browse/MESOS-5142 > > > Repository: mesos > > > Description > ------- > > See summary. > > > Diffs > ----- > > docs/configuration.md 86ba66ac62295ca148524bcb2e57fee560ac4ac5 > include/mesos/authorizer/acls.proto > c50deeb5565dfd5b3e5e7210283d9a36a3bfd579 > include/mesos/authorizer/authorizer.proto > 40d93ea257d1df8d22eee8a21667db90d579a8fe > src/Makefile.am e024c6d65608a55765e527a8668c415723dcfcca > src/authorizer/local/authorizer.cpp > 0a3805fe4ce8eb89e096e8cd4326035513ba892b > src/slave/flags.cpp 10d2974bd2b6e79255fc894979607f0d2d00c315 > src/slave/http.cpp 537736d1fe42e8150bad91326299ef9a17041a8e > src/slave/slave.hpp 20a4bcd0bb9dad06ea81fc4ad9b2fa462c69d2c5 > src/tests/slave_authorization_tests.cpp PRE-CREATION > > Diff: https://reviews.apache.org/r/46203/diff/ > > > Testing > ------- > > make check > > > Thanks, > > Jan Schlicht > >