> On May 9, 2016, 11:12 a.m., Alexander Rukletsov wrote:
> > src/master/http.cpp, line 2872
> > <https://reviews.apache.org/r/46784/diff/3/?file=1369724#file1369724line2872>
> >
> >     Why don't we return `MethodNotAllowed` here? Same applies to the agent, 
> > actually : )
> 
> Jan Schlicht wrote:
>     Because `authorizeEndpoint` isn't supposed to create a `http::Response`. 
> Its purpose is to answer the question whether a principal is authorized to do 
> things and it's the caller's responsibility to create a HTTP response from 
> that answer. But to create the answer, the function needs informations that 
> it extracts from the HTTP request. Because these informations may be missing, 
> we need to handle that case here, hence we fail the `Future`.
> 
> Alexander Rukletsov wrote:
>     So now we return "HTTP/1.1 503 Service Unavailable" in this case. Do you 
> think it's right?
>     
>     In retrospect, there was a mistake to move request parsing into this 
> function. You know check that the request is correctly formed in 
> `authorizeEndpoint()`, from where you can't return `Response`. I suggest to 
> split this function in two: one for parsing and another for mapping principal 
> to subject.
> 
> Jan Schlicht wrote:
>     That's a good point! I'd would also aid in factoring out the 
> `authorizeEndpoint` function like you're suggesting above. Will work on that!

Hmm, but there's a reason why we pass an `http::Request` here: The first 
version of `authorizeEndpoint` took an `endpoint` parameter. Because there's no 
type for that or rather endpoints are a part of the string "path", this 
parameter was passed as a `std::string`. That wasn't explicit enough, hence we 
decided to extract the endpoint for the `Request.path` explicitly in this 
function. The best solution would be to have an `Endpoint` type and 
`authorizeEndpoint` uses that one. An `Endpoint` could be constructed from a 
path using the same logic that we currenly apply in the function.


- Jan


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/46784/#review132228
-----------------------------------------------------------


On May 3, 2016, 2:42 p.m., Jan Schlicht wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/46784/
> -----------------------------------------------------------
> 
> (Updated May 3, 2016, 2:42 p.m.)
> 
> 
> Review request for mesos, Alexander Rukletsov and Benjamin Bannier.
> 
> 
> Bugs: MESOS-5297
>     https://issues.apache.org/jira/browse/MESOS-5297
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Access to the '/flags' endpoint is authorized using
> the 'GET_ENDPOINT_WITH_PATH' action.
> 
> 
> Diffs
> -----
> 
>   src/master/http.cpp 4985f24b70a00116caa4bd0335ea51e55d878d19 
>   src/master/master.hpp 3e55114ee7866e06513071e86e15608099dae052 
>   src/tests/master_authorization_tests.cpp 
> 804b39a269c09df9f6c0bbdf6f8b53921ac09ce8 
> 
> Diff: https://reviews.apache.org/r/46784/diff/
> 
> 
> Testing
> -------
> 
> make check
> 
> 
> Thanks,
> 
> Jan Schlicht
> 
>

Reply via email to