-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47921/
-----------------------------------------------------------
(Updated May 27, 2016, 8:07 p.m.)
Review request for mesos, Adam B, Joerg Schad, and Michael Park.
Bugs: MESOS-5153
https://issues.apache.org/jira/browse/MESOS-5153
Repository: mesos
Description (updated)
-------
Uses the authorization primitives in `mesos::internal::Files` to add
protection of the Mesos logs on both master and agents.
Diffs (updated)
-----
include/mesos/authorizer/acls.proto b05586ae587edbf9330f1d916340447d157ba80e
include/mesos/authorizer/authorizer.proto 3ff67858a99915e0215f3ffb9966f9ac4a3fba8c
src/authorizer/local/authorizer.cpp 7ddb323df09a9b0ea46c6f9543c4af059d184308
src/master/master.hpp 1a875c32eddfb6d884e3d0dda7f5716ee53966c3
src/master/master.cpp 6442762c9fdfa368d5d9d7cd43b97f5addaf7f17
src/slave/slave.hpp f48e4b6bbb87d1b8b03176f68fe8d5ea6c109652
src/slave/slave.cpp 9fcf334a69ae96ff8180df50aab571fac99b6fad
Diff: https://reviews.apache.org/r/47921/diff/
Testing
-------
`make check`
and the script
```bash
#! /usr/bin/env bash
rm -rf /tmp/mesos/*
cat <<EOF > /tmp/credentials.txt
foo bar
baz bar
EOF
cat <<EOF > /tmp/acls.json
{
  "permissive": false,
  "access_mesos_log": [
    {
      "principals": { "values": ["foo"] },
      "logs": { "type": "ANY" }
    }
  ]
}
EOF
./bin/mesos-master.sh --work_dir=/tmp/mesos/master \
    --authenticate_http \
    --credentials=file:///tmp/credentials.txt \
    --acls=file:///tmp/acls.json \
    --log_dir=/tmp/mesos/logs/master &
./bin/mesos-slave.sh --work_dir=/tmp/mesos/agent \
    --master=127.0.0.1:5050 \
    --authenticate_http \
    --http_credentials=file:///tmp/credentials.txt \
    --acls=file:///tmp/acls.json \
    --log_dir=/tmp/mesos/logs/agent &
# URLs are quoted so the shell does not treat '?' as a glob character.
# This should yield a 200 OK response
http GET 'http://127.0.0.1:5051/files/download?path=/slave/log' -a foo:bar
# This should yield a 200 OK response
http GET 'http://127.0.0.1:5050/files/download?path=/master/log/' -a foo:bar
# This should yield a 403 Forbidden response
http GET 'http://127.0.0.1:5051/files/download?path=/slave/log' -a baz:bar
# This should yield a 403 Forbidden response
http GET 'http://127.0.0.1:5050/files/download?path=/master/log/' -a baz:bar
```
Thanks,
Alexander Rojas