This is an automatically generated e-mail. To reply, visit:

Looks great! I think we just need to pass the GET/POST verb into 
`authorizeEndpoint()` and fix the other minor nits, then we'll be ready to 
ship. Or maybe you can convince me that we don't need to add the verb until we 
actually have to authorize a non-GET verb (e.g. for maintenance primitives).

docs/configuration.md (line 900)

    How about you give some real example endpoints, like "/flags" and 
"/monitor/statistics" (the latter shows that longer URLs are allowed)?
    Same in flags.cpp

include/mesos/authorizer/acls.proto (line 150)

    s/access/GET HTTP/

include/mesos/authorizer/acls.proto (line 152)

    Not necessarily an operator.

src/slave/http.cpp (line 360)

    Should this perhaps be a `Shared<>`?

src/slave/http.cpp (line 362)

    This function still assumes GET. Please pass a something like a Verb enum 
as a parameter, or else you'll need an `authorizeGetEndpoint()`, 
`authorizePostEndpoint()`, etc.

src/slave/http.cpp (line 365)

    Why pass the entire Slave down when you only use the flags?

src/slave/http.cpp (lines 797 - 799)

    For my comfort, can you also validate that `pathComponents[0] == ""` and 
`pathComponents[1].startsWith("slave(")` so that it's clearer how this string 
is being split?
    Then we'll fail fast if the format changes, rather than passing incorrect 
substrings to the authorizer.
    Then we can drop the other issue about the magic number '3', since it's 
more clearly documented/explained.

src/slave/http.cpp (line 804)

    s/access/GET/ and shouldn't you be checking the Verb here, for when we have 
to authorize things other than GETs?

src/tests/slave_authorization_tests.cpp (line 61)

    `s/Parameter *parameter/Parameter* parameter/`

src/tests/slave_authorization_tests.cpp (lines 73 - 75)

    I'd rather you wrap the first line at `<` so LocalAuthorizer and 
tests::Module start at the same indentation as AuthorizerTypes.
    I know the other AuthorizerTypes and AllocatorTypes follow the same pattern 
you have here, but they look ugly/jagged too.
    I prefer the look of HttpAuthenticatorTypes in http_authentication_tests.cpp

src/tests/slave_authorization_tests.cpp (lines 90 - 92)


src/tests/slave_authorization_tests.cpp (lines 100 - 102)

    If you wrap after the `=`, you can fit the entire rhs on one line.

src/tests/slave_authorization_tests.cpp (line 144)

    After reading the description of the test, I expected to see ACLs that set 
permissive=false, but adds a rule for GetEndpoint(ANY, "/flags")
    What you're testing is fully permissive ACLs, which is a bit different, and 
probably tested throughout the rest of the existing tests.

- Adam B

On April 25, 2016, 5:50 a.m., Jan Schlicht wrote:
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/46203/
> -----------------------------------------------------------
> (Updated April 25, 2016, 5:50 a.m.)
> Review request for mesos, Adam B, Alexander Rojas, and Benjamin Bannier.
> Bugs: MESOS-5142
>     https://issues.apache.org/jira/browse/MESOS-5142
> Repository: mesos
> Description
> -------
> See summary.
> Diffs
> -----
>   docs/configuration.md 86ba66ac62295ca148524bcb2e57fee560ac4ac5 
>   include/mesos/authorizer/acls.proto 
> c50deeb5565dfd5b3e5e7210283d9a36a3bfd579 
>   include/mesos/authorizer/authorizer.proto 
> 40d93ea257d1df8d22eee8a21667db90d579a8fe 
>   src/Makefile.am e024c6d65608a55765e527a8668c415723dcfcca 
>   src/authorizer/local/authorizer.cpp 
> 0a3805fe4ce8eb89e096e8cd4326035513ba892b 
>   src/slave/flags.cpp 10d2974bd2b6e79255fc894979607f0d2d00c315 
>   src/slave/http.cpp 537736d1fe42e8150bad91326299ef9a17041a8e 
>   src/slave/slave.hpp 20a4bcd0bb9dad06ea81fc4ad9b2fa462c69d2c5 
>   src/tests/slave_authorization_tests.cpp PRE-CREATION 
> Diff: https://reviews.apache.org/r/46203/diff/
> Testing
> -------
> make check
> Thanks,
> Jan Schlicht

Reply via email to