----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/47921/#review135180 -----------------------------------------------------------
Fix it, then Ship it! Looks great! Just a couple of nits. Can you update the endpoint help/docs and perhaps authorization.md to reflect the latest changes? include/mesos/authorizer/acls.proto (line 233) <https://reviews.apache.org/r/47921/#comment200199> s/compatibility/consistency/ I wonder if this is really a good idea. Operators will try to fill in different values in the ACL, and the local authorizer will just ignore them. include/mesos/authorizer/acls.proto (line 284) <https://reviews.apache.org/r/47921/#comment200200> s/access_mesos_log/access_mesos_logs/? Although a given --acls flag will only apply to a particular master/agent, if the --acls are mass-distributed via a config-management system, the rule would apply to all the master/agent logs. include/mesos/authorizer/authorizer.proto (line 88) <https://reviews.apache.org/r/47921/#comment200201> Add a blank line and a comment above. "This action will not fill in any object fields, since the object is the master/agent log itself." - Adam B On May 26, 2016, 3:45 p.m., Alexander Rojas wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/47921/ > ----------------------------------------------------------- > > (Updated May 26, 2016, 3:45 p.m.) > > > Review request for mesos, Adam B, Joerg Schad, and Michael Park. > > > Bugs: MESOS-5153 > https://issues.apache.org/jira/browse/MESOS-5153 > > > Repository: mesos > > > Description > ------- > > Uses the authorization primitives in `mesos::internal::Files` to add > protection of the Mesos logs on both master and agents. > > > Diffs > ----- > > include/mesos/authorizer/acls.proto > ace9b698f46e1437911115c82324a87a0d7827fb > include/mesos/authorizer/authorizer.proto > 02d1a01d57cf34b38524f4368187878b03343537 > src/authorizer/local/authorizer.cpp > 3c7c791bde65cfcbcc4e319c9ccc487ab37d8029 > src/master/master.hpp 1a875c32eddfb6d884e3d0dda7f5716ee53966c3 > src/master/master.cpp 0005a29caabcc6a3776037cf86a2b12660e6377b > src/slave/slave.hpp 0de6a570e8b4699771048295ec3fcedf84593495 > src/slave/slave.cpp 470b5c82ea6ff01d799b06245609725853300ef1 > > Diff: https://reviews.apache.org/r/47921/diff/ > > > Testing > ------- > > `make check` > > and the script > > ```bash > #! /usr/bin/env bash > > rm -rf /tmp/mesos/* > > cat <<EOF > /tmp/credentials.txt > foo bar > baz bar > EOF > > cat <<EOF > /tmp/acls.json > { > "permissive": false, > "access_mesos_log" : [ > { > "principals" : { "values" : ["foo"] }, > "logs" : { "type" : "ANY" } > } > ] > } > EOF > > ./bin/mesos-master.sh --work_dir=/tmp/mesos/master \ > --authenticate_http \ > --credentials=file:///tmp/credentials.txt \ > --acls=file:///tmp/acls.json \ > --log_dir=/tmp/mesos/logs/master & > ./bin/mesos-slave.sh --work_dir=/tmp/mesos/agent \ > --master=127.0.0.1:5050 \ > --authenticate_http \ > --http_credentials=file:///tmp/credentials.txt \ > --acls=file:///tmp/acls.json \ > --log_dir=/tmp/mesos/logs/agent & > > # This should yield a 200 OK response > http GET http://127.0.0.1:5051/files/download?path=/slave/log -a foo:bar > > # This should yield a 200 OK response > http GET http://127.0.0.1:5050/files/download?path=/master/log/ -a foo:bar > > > # This shold yield a 403 Forbidden response > http GET http://127.0.0.1:5051/files/download?path=/slave/log -a baz:bar > > # This shold yield a 403 Forbidden response > http GET http://127.0.0.1:5050/files/download?path=/master/log/ -a baz:bar > ``` > > > Thanks, > > Alexander Rojas > >
