> On May 27, 2016, 11:43 p.m., Adam B wrote:
> > src/master/master.cpp, line 3048
> > <https://reviews.apache.org/r/47891/diff/2/?file=1399810#file1399810line3048>
> >
> >     FrameworkInfo.user is the wrong user to pass in. It should be the user
> >     calculated by the code you removed above.
>
> Benjamin Bannier wrote:
>     I am confused. Before this change we had
>
>     ```
>     string user = framework->info.user(); // Default user.
>     if (task.has_command() && task.command().has_user()) {
>       user = task.command().user();
>     } else if (task.has_executor() && task.executor().command().has_user()) {
>       user = task.executor().command().user();
>     }
>     ```
>
>     so we did use `framework->info.user()` if neither `task.command` nor
>     `task.executor.command` had a user. Now we defer the decision where the user
>     is taken from completely to the authorizer (that's why we have that logic
>     e.g., in the local authorizer).
>
>     Why should I want to calculate anything here now?
>     Why is `framework->info.user()` not a good user anymore?

The reason we keep RUN_TASK_WITH_USER around is so that an old authorizer
module can continue to read the same value it expects from the `Object.value`
field, which means we need to keep this logic in the master to set the `value`
as long as we support RUN_TASK_WITH_USER.


- Adam


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/47891/#review135380
-----------------------------------------------------------


On May 30, 2016, 6:42 a.m., Benjamin Bannier wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/47891/
> -----------------------------------------------------------
>
> (Updated May 30, 2016, 6:42 a.m.)
>
>
> Review request for mesos, Adam B, Alexander Rojas, Joerg Schad, and Michael
> Park.
>
>
> Bugs: MESOS-5459
>     https://issues.apache.org/jira/browse/MESOS-5459
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Authorization requests for RUN_TASK actions can pass `SOME`
> authorization object either in a `FrameworkInfo` holding a user, or a
> `TaskInfo` with optionally a `CommandInfo` which can optionally hold a
> user. If either of these fields is set it will be used as the object;
> otherwise an `ANY` type authorization object will be created.
>
> `RUN_TASK` aliases `RUN_TASK_WITH_USER` which becomes deprecated with
> 0.29.
>
>
> Diffs
> -----
>
>   include/mesos/authorizer/authorizer.proto 4478bbd3c8f5c1fb862c2c6bd450689d870f7059
>   src/authorizer/local/authorizer.cpp 547bbdd6c3605eadd23d2d2717a3fd362a616de5
>   src/master/master.cpp a6f740f7f71c4b54208e923025d32e0473a65f5e
>   src/tests/authorization_tests.cpp 54bfb46a807677f4a4a2bb88dcb78a358cf5121a
>
> Diff: https://reviews.apache.org/r/47891/diff/
>
>
> Testing
> -------
>
> Tested on a range of Linux configurations on internal CI.
>
>
> Thanks,
>
> Benjamin Bannier
>
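
Added example (not part of the review thread and not Mesos code): a small model of the compatibility point discussed above, showing that a module reading only the legacy `value` reaches the same decision as one reading the structured fields only when the master fills `value` with the computed user. All types and function names here are hypothetical stand-ins.

```cpp
#include <set>
#include <string>

// Simplified stand-ins for the Mesos messages (assumption: only the
// user-carrying fields are modelled; these are not the generated types).
struct Command { bool hasUser = false; std::string user; };
struct Task { Command command; Command executorCommand; };
struct Framework { std::string user; };

// Authorization object with the legacy string next to the structured data.
struct Object {
  std::string value;                    // read by old RUN_TASK_WITH_USER modules
  const Framework* framework = nullptr; // read by newer authorizers
  const Task* task = nullptr;
};

// Precedence from the snippet quoted in the thread: task command user,
// then executor command user, then the framework's default user.
std::string effectiveUser(const Framework& f, const Task& t) {
  if (t.command.hasUser) return t.command.user;
  if (t.executorCommand.hasUser) return t.executorCommand.user;
  return f.user;
}

// Master side; `valueFromFramework` selects the variant objected to in review.
Object makeObject(const Framework& f, const Task& t, bool valueFromFramework) {
  Object o;
  o.value = valueFromFramework ? f.user : effectiveUser(f, t);
  o.framework = &f;
  o.task = &t;
  return o;
}

// Old module: trusts `value` and nothing else.
bool legacyAuthorize(const Object& o, const std::set<std::string>& allowed) {
  return allowed.count(o.value) > 0;
}
// New module: derives the user itself from the structured fields.
bool structuredAuthorize(const Object& o, const std::set<std::string>& allowed) {
  return allowed.count(effectiveUser(*o.framework, *o.task)) > 0;
}

int main() {  // constructed case: framework user "alice", task asks for "root"
  Framework f; f.user = "alice";
  Task t; t.command.hasUser = true; t.command.user = "root";
  std::set<std::string> allowed; allowed.insert("alice");
  return legacyAuthorize(makeObject(f, t, false), allowed) ? 1 : 0;
}
```

With `valueFromFramework` set, the legacy check is made against the framework user while the structured check is made against the task's user, so the two modules can disagree on the same request.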
