-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47921/
-----------------------------------------------------------
Review request for mesos, Adam B, Joerg Schad, and Michael Park.
Bugs: MESOS-5153
https://issues.apache.org/jira/browse/MESOS-5153
Repository: mesos
Description
-------
Uses the authorization primitives in `mesos::internal::Files` to add
protection of the Mesos logs on both master and agents.
Diffs
-----
include/mesos/authorizer/acls.proto ace9b698f46e1437911115c82324a87a0d7827fb
include/mesos/authorizer/authorizer.proto 02d1a01d57cf34b38524f4368187878b03343537
src/authorizer/local/authorizer.cpp 3c7c791bde65cfcbcc4e319c9ccc487ab37d8029
src/master/master.hpp 1a875c32eddfb6d884e3d0dda7f5716ee53966c3
src/master/master.cpp 0005a29caabcc6a3776037cf86a2b12660e6377b
src/slave/slave.hpp 0de6a570e8b4699771048295ec3fcedf84593495
src/slave/slave.cpp 470b5c82ea6ff01d799b06245609725853300ef1
Diff: https://reviews.apache.org/r/47921/diff/
Testing
-------
`make check`
and the script
```bash
#!/usr/bin/env bash

# Start from a clean work directory.
rm -rf /tmp/mesos/*

# Two principals, both with the password "bar".
cat <<EOF > /tmp/credentials.txt
foo bar
baz bar
EOF

# Only "foo" may access the Mesos logs; everything else is denied.
cat <<EOF > /tmp/acls.json
{
  "permissive": false,
  "access_mesos_log" : [
    {
      "principals" : { "values" : ["foo"] },
      "logs" : { "type" : "ANY" }
    }
  ]
}
EOF

./bin/mesos-master.sh --work_dir=/tmp/mesos/master \
                      --authenticate_http \
                      --credentials=file:///tmp/credentials.txt \
                      --acls=file:///tmp/acls.json \
                      --log_dir=/tmp/mesos/logs/master &

./bin/mesos-slave.sh --work_dir=/tmp/mesos/agent \
                     --master=127.0.0.1:5050 \
                     --authenticate_http \
                     --http_credentials=file:///tmp/credentials.txt \
                     --acls=file:///tmp/acls.json \
                     --log_dir=/tmp/mesos/logs/agent &

# Give the master and agent a moment to start listening.
sleep 5

# This should yield a 200 OK response
http GET 'http://127.0.0.1:5051/files/download?path=/slave/log' -a foo:bar

# This should yield a 200 OK response
http GET 'http://127.0.0.1:5050/files/download?path=/master/log/' -a foo:bar

# This should yield a 403 Forbidden response
http GET 'http://127.0.0.1:5051/files/download?path=/slave/log' -a baz:bar

# This should yield a 403 Forbidden response
http GET 'http://127.0.0.1:5050/files/download?path=/master/log/' -a baz:bar
```
Thanks,
Alexander Rojas
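
Added example, not part of the original review request and not Mesos code: a simplified Python model of first-match ACL evaluation with the "permissive" fallback, showing why the test script expects 200 for foo and 403 for baz. The function names are hypothetical, and passing the requested path as the object is an assumption of this sketch.

```python
# Simplified model of first-match ACL evaluation (an assumption of this
# example, not Mesos source code).

# Constructed from the acls.json in the test script above.
ACLS = {
    "permissive": False,
    "access_mesos_log": [
        {"principals": {"values": ["foo"]}, "logs": {"type": "ANY"}},
    ],
}


def _matches(entity, value):
    """Does this ACL entry apply to the value at all?"""
    if "type" in entity:          # ANY and NONE both apply to every value
        return entity["type"] in ("ANY", "NONE")
    return value in entity.get("values", [])


def _allows(entity, value):
    """Given that the entry applies, does it grant access?"""
    if "type" in entity:
        return entity["type"] == "ANY"
    return value in entity.get("values", [])


def authorize(acls, action, principal, obj, object_key="logs"):
    for acl in acls.get(action, []):
        subjects, objects = acl["principals"], acl[object_key]
        if _matches(subjects, principal) and _matches(objects, obj):
            # First matching entry decides; later entries are not consulted.
            return _allows(subjects, principal) and _allows(objects, obj)
    # No entry matched: the "permissive" flag is the default decision.
    return acls.get("permissive", True)


def http_status(acls, principal, path):
    """Status an authenticated caller should see from /files/download."""
    return 200 if authorize(acls, "access_mesos_log", principal, path) else 403


if __name__ == "__main__":
    for who in ("foo", "baz"):
        for path in ("/slave/log", "/master/log/"):
            print(who, path, http_status(ACLS, who, path))
```

With "permissive" left at true, the same ACL would let baz through, because no entry matches baz and the fallback decides.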