> On April 20, 2016, 10:35 a.m., Adam B wrote:
> > src/slave/http.cpp, lines 658-660
> > <https://reviews.apache.org/r/46203/diff/9/?file=1350392#file1350392line658>
> >
> > Where did you come up with the magic number 3? What if we reorganize
> > the operator endpoints in the (1.0) future? How will we know what the new
> > value should be here?
> > What if the user set up a reverse proxy (like in dcos) and these
> > requests are actually coming from a different base url than expected?
>
> Benjamin Bannier wrote:
> @adam: The three here is needed so that this just strips the agent part
> of the path, not everything up to the last `/`. An example endpoint would be
> `/slave(1)/monitor/statistics`.
>
> Jan Schlicht wrote:
> Seems like a hard problem to fully support both requirements. Maybe
> reverting back to using `std::string` instead of `http::URL` as the function
> parameter for `endpoint` could resolve this.
>
> Benjamin Bannier wrote:
> Please use some typed entity that the usual endpoint handlers are aware
> of. They currently have a `Request`, but e.g., have no idea how they are
> being routed.
>
> Jan Schlicht wrote:
> I'll go back to using the "magic number 3". At this point `URL::path`
> will look like this: "/slave(n)/name/of/endpoint". By splitting into 3
> components we get rid of the "/slave(n)/". The path is not the full URL that
> has been requested, hence reverse proxies shouldn't be an issue here. I'll
> add a comment, explaining this.
>
> Adam B wrote:
> I see. And will this value be the same for the master's endpoints?
> Good to hear that reverse proxies won't be affected since it's not a full
> URL.
>
> Jan Schlicht wrote:
> This value won't work for the master's endpoint. In that case
> `URL::path` will be "/name/of/endpoint" and we wouldn't need to split.
> Because we're in `Slave::Http` we can expect that this code is only called
> for agents.
So here is my issue with this: you break it into three, and pass only the second
one to the authorizer, but that just sets a bad precedent. There are endpoints
that are added with more components, e.g. `/api/v1/scheduler`. The right way to
solve this is to do something like:
```c++
// … code to handle when `url.path` is empty.
std::string path = url.path;
std::size_t position = path.find('/', 1);
if (position != std::string::npos) {
  path = path.substr(position);
}
// Call the authorizer.
```
And we can add code to the authorizer module instead on how to handle objects
which encode paths (just like we dispatch to the endpoint handlers).
- Alexander
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/46203/#review129696
-----------------------------------------------------------
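An added example, not part of the original e-mail or of the Mesos code base: the prefix-stripping suggested in the reply, run against the paths mentioned in the thread, next to one reading of the "split into three, pass the second" approach. Both helper names are hypothetical, the empty-path handling (return the input unchanged) is an assumption, and `secondOfThree` is an assumed model of the criticised approach, not the patch's actual code.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helper: the reply's suggestion. The empty-path case the reply
// elides is handled here by returning the input unchanged (an assumption).
std::string stripFirstComponent(const std::string& urlPath)
{
  if (urlPath.empty()) {
    return urlPath;
  }
  // Search from index 1 so the leading '/' is skipped.
  const std::size_t position = urlPath.find('/', 1);
  if (position == std::string::npos) {
    return urlPath;  // Only one component, e.g. "/slave(1)".
  }
  return urlPath.substr(position);
}

// Assumed model of "split into three, pass the second": tokenize on '/',
// skipping empty tokens, and return the second token.
std::string secondOfThree(const std::string& urlPath)
{
  std::vector<std::string> tokens;
  std::size_t start = 0;
  while (tokens.size() < 2) {
    start = urlPath.find_first_not_of('/', start);
    if (start == std::string::npos) break;
    const std::size_t end = urlPath.find('/', start);
    tokens.push_back(end == std::string::npos
        ? urlPath.substr(start) : urlPath.substr(start, end - start));
    if (end == std::string::npos) break;
    start = end;
  }
  return tokens.size() >= 2 ? tokens[1] : "";
}

int main()
{
  // Paths taken from the thread; the last one is the master-style form.
  for (const std::string path : {"/slave(1)/monitor/statistics",
                                 "/slave(1)/api/v1/scheduler",
                                 "/name/of/endpoint"}) {
    std::cout << path << " -> strip: " << stripFirstComponent(path)
              << " | second-of-three: " << secondOfThree(path) << "\n";
  }
  return 0;
}
```

Under the assumed model the authorizer would see only `api` for `/slave(1)/api/v1/scheduler`, so every endpoint below `/api` would map to the same object. Stripping the first component keeps the full endpoint path, but applied to a master-style path such as `/name/of/endpoint` it drops `/name`, which matches the thread's point that this code is only valid in the agent.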
On April 25, 2016, 2:50 p.m., Jan Schlicht wrote:
>
> (Updated April 25, 2016, 2:50 p.m.)
>
>
> Review request for mesos, Adam B, Alexander Rojas, and Benjamin Bannier.
>
>
> Bugs: MESOS-5142
> https://issues.apache.org/jira/browse/MESOS-5142
>
>
> Repository: mesos
>
>
> Description
> -------
>
> See summary.
>
>
> Diffs
> -----
>
> docs/configuration.md 86ba66ac62295ca148524bcb2e57fee560ac4ac5
> include/mesos/authorizer/acls.proto c50deeb5565dfd5b3e5e7210283d9a36a3bfd579
> include/mesos/authorizer/authorizer.proto 40d93ea257d1df8d22eee8a21667db90d579a8fe
> src/Makefile.am e024c6d65608a55765e527a8668c415723dcfcca
> src/authorizer/local/authorizer.cpp 0a3805fe4ce8eb89e096e8cd4326035513ba892b
> src/slave/flags.cpp 10d2974bd2b6e79255fc894979607f0d2d00c315
> src/slave/http.cpp 537736d1fe42e8150bad91326299ef9a17041a8e
> src/slave/slave.hpp 20a4bcd0bb9dad06ea81fc4ad9b2fa462c69d2c5
> src/tests/slave_authorization_tests.cpp PRE-CREATION
>
> Diff: https://reviews.apache.org/r/46203/diff/
>
>
> Testing
> -------
>
> make check
>
>
> Thanks,
>
> Jan Schlicht
>
>