-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/49313/
-----------------------------------------------------------

(Updated June 30, 2016, 7:41 p.m.)


Review request for mesos, Adam B, Joerg Schad, Till Toenshoff, and Vinod Kone.


Bugs: MESOS-5705
    https://issues.apache.org/jira/browse/MESOS-5705


Repository: mesos


Description (updated)
-------

Adds again authorization for flags. Instead of being part of `get_endpoints` it uses its own action `VIEW_TASKS` which is used to restrict access to the `/flags` endpoint, as well as to filter the results of the `/state` endpoint on both master and agents.


Diffs (updated)
-----

  include/mesos/authorizer/acls.proto a6d93cd2cb9161a98565b22e50b06aac4931a671
  include/mesos/authorizer/authorizer.proto fc76796022a6fa3d36a1447c476980868d42c2d0
  src/authorizer/local/authorizer.cpp 3fade4168face1cb80b30c9b69b31d9eb4126222
  src/common/http.hpp 55bd0ac81af80c656a4a80766a3e4b21db9cf0cf
  src/common/http.cpp daf5672287bb6633f468c88632a561f5a01590df
  src/master/http.cpp e5acdb8e0bbcd7a2b7e8a8bc7f4bbeaae2c4fea1
  src/slave/http.cpp 44d8cc98c0c1ada9d5313a3fe5c66029c9c373c6
  src/tests/authorization_tests.cpp 9b99da138fa27a725738d70bd99e889b108b44ae
  src/tests/master_authorization_tests.cpp 207dfb293ea9b70f439b3b391c3feeba7da10c6a
  src/tests/slave_authorization_tests.cpp 78221e200d9b7880cc474f1acef92c5dec1c8e25

Diff: https://reviews.apache.org/r/49313/diff/


Testing
-------

- `make check`
- manual tests with browsers.
- Used the script:

```sh
#! /usr/bin/env bash

rm -rf /tmp/mesos/*

cat <<EOF > /tmp/credentials.txt
foo bar
baz bar
EOF

cat <<EOF > /tmp/acls.json
{
  "permissive": false,
  "view_flags" : [
    {
      "principals" : { "values" : ["foo"] },
      "flags" : { "type" : "ANY" }
    },
    {
      "principals" : { "values" : ["foo"] },
      "flags" : { "type" : "NONE" }
    }
  ]
}
EOF

./bin/mesos-master.sh --work_dir=/tmp/mesos/master \
                      --authenticate_http \
                      --log_dir=/tmp/mesos/logs/master \
                      --http_credentials=file:///tmp/credentials.txt \
                      --acls=file:///tmp/acls.json &

./bin/mesos-slave.sh --work_dir=/tmp/mesos/slave \
                     --master=127.0.0.1:5050 \
                     --authenticate_http \
                     --http_credentials=file:///tmp/credentials.txt \
                     --acls=file:///tmp/acls.json &

# Returns a 200 OK Response with the contents of the flags
# in JSON object
http GET http://127.0.0.1:5050/flags -a foo:bar
http GET http://127.0.0.1:5051/flags -a foo:bar

# Returned JSON contains a `flags` entry with all the flags.
http GET http://127.0.0.1:5050/state -a foo:bar
http GET http://127.0.0.1:5051/state -a foo:bar

# 403 Forbidden response
http GET http://127.0.0.1:5050/flags -a baz:bar
http GET http://127.0.0.1:5051/flags -a baz:bar

# Returned JSON doesn't include flags information.
http GET http://127.0.0.1:5050/state -a baz:bar
http GET http://127.0.0.1:5051/state -a baz:bar
```


Thanks,

Alexander Rojas
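
The outcomes the test script above expects, reproduced offline as an added example that is not part of the original message or of the Mesos code base. It assumes a simplified model in which the first `view_flags` rule whose principals match decides and `permissive` decides otherwise; all function names are hypothetical.

```python
import json

# Constructed input: the ACL document written to /tmp/acls.json by the script above.
ACLS = json.loads("""{
  "permissive": false,
  "view_flags": [
    {"principals": {"values": ["foo"]}, "flags": {"type": "ANY"}},
    {"principals": {"values": ["foo"]}, "flags": {"type": "NONE"}}
  ]
}""")


def subject_matches(entity, principal):
    """True if an ACL `principals` entity covers this principal."""
    return entity.get("type") == "ANY" or principal in entity.get("values", [])


def can_view_flags(acls, principal):
    """Assumed model: first rule matching the principal decides, else `permissive`."""
    for rule in acls.get("view_flags", []):
        if subject_matches(rule["principals"], principal):
            return rule["flags"].get("type") == "ANY"
    return bool(acls.get("permissive", True))


def flags_endpoint_status(acls, principal):
    """HTTP status the script expects from GET /flags once authenticated."""
    return 200 if can_view_flags(acls, principal) else 403


def filter_state(acls, principal, state):
    """Drop the `flags` entry of a /state document for unauthorized principals."""
    if can_view_flags(acls, principal):
        return dict(state)
    return {k: v for k, v in state.items() if k != "flags"}


def shadowed_rules(acls):
    """Indexes of rules that can never decide a request under first-match."""
    covered, any_seen, shadowed = set(), False, []
    for i, rule in enumerate(acls.get("view_flags", [])):
        subj = rule["principals"]
        values = set(subj.get("values", []))
        if any_seen or (values and values <= covered):
            shadowed.append(i)
        covered |= values
        any_seen = any_seen or subj.get("type") == "ANY"
    return shadowed
```

Under this model `baz` is refused only because no rule names it and `permissive` is false, and the second `foo` rule is never reached.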