Re: Review Request 47530: Added authorization to agent's '/containers' endpoint.

Wed, 18 May 2016 13:00:29 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47530/
-----------------------------------------------------------

(Updated May 18, 2016, 8 p.m.)


Review request for mesos, Adam B, Alexander Rukletsov, Greg Mann, Jan Schlicht, 
and Till Toenshoff.


Bugs: MESOS-5317
    https://issues.apache.org/jira/browse/MESOS-5317


Repository: mesos


Description (updated)
-------

Used GET_ENDPOINT_WITH_PATH coarse-grained authz on agent's 
'/containers' endpoint to enable authorization on this endpoint.
Updated docs and testcases as well.


Diffs
-----

  docs/endpoints/slave/containers.md 959f40b9db4de4b6cea456ecf7bcb402f7a94f05 
  src/slave/http.cpp fb48ec61e2fe0c83f80d3b8aa4c2ef5a96b748ae 
  src/slave/slave.hpp 209f071448e3c52d16d3366d564003ee36b1d2e0 
  src/tests/slave_authorization_tests.cpp 
843cf1c631e0a25125ca1c0c0028ad1a920c2c2f 

Diff: https://reviews.apache.org/r/47530/diff/


Testing
-------

## Unit tests.

On ubuntu 16.04:
`sudo GTEST_FILTER="*SlaveEndpointTest*.*" make -j2 check`

## Manual testing.

1. Ran master with:
```
sudo  ./bin/mesos-master.sh --ip=127.0.0.1 --work_dir=/var/lib/mesos
```

2. ACL File: 
```
  {
    "get_endpoints": [
      {
        "principals": { "type": "NONE" },
        "paths": { "values": ["/flags", "/monitor/statistics", "/containers"] }
      }
    ]
  } 
```

3. Ran slave with: 
```
sudo ./bin/mesos-slave.sh --master=127.0.0.1:5050 --ip=0.0.0.0 
--acls=file:///home/abhishek/testAcl
```

4. Ran toy-framework with: 
```
sudo ./no-executor-framework [email protected]:5050 --command="echo 
hello"
```

5. Output while hitting "http://127.0.0.1:5051/slave(1)/containers" - HTTP 
error 403: Forbidden

6. Changed ACL to: 
```
  {
    "get_endpoints": [
      {
        "principals": { "type": "ANY" },
        "paths": { "values": ["/flags", "/monitor/statistics", "/containers"] }
      }
    ]
  }
```

7. Ran slave and framework again.

8. Output:
```
    
[{"container_id":"9b8a6a51-68be-4763-9c7d-b67e85fccb4a","executor_id":"42","executor_name":"Command
 Executor (Task: 42) (Command: sh -c 'echo hello')","framework_id":"52.......
```


Thanks,

Abhishek Dasgupta

Reply via email to