> On April 11, 2017, 12:27 a.m., Vinod Kone wrote:
> > src/authorizer/local/authorizer.cpp
> > Lines 725 (patched)
> > <https://reviews.apache.org/r/58254/diff/2/?file=1686563#file1686563line725>
> >
> >     Is this based on the assumption that claims subjects only come from 
> > executors and not operators? What guarantees that?

There's one use case this patch would not accommodate: if a custom 
authenticator is used which sets both `Principal.value` and `Principal.claims`, 
and the local authorizer is also used. In that case, an operator could 
authenticate such that this code would not authorize their request correctly. 
To address this, I could add a check here for `!subject->has_value()`, since 
only implicit executor authZ can handle subjects without a value, and the 
default JWT authenticator does not set `Principal.value`.


- Greg


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58254/#review171506
-----------------------------------------------------------
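The concern Greg raises above (a subject carrying both `Principal.value` and `Principal.claims`) and the proposed `!subject->has_value()` fix, written out as an added example. This is not Mesos code and not the diff under review: the `Principal` and `Object` stand-ins, the `cid` claim key, dot-separated nested container IDs and the `ops` ACL are all assumptions constructed for illustration.

```cpp
// Added example: simplified model of the local authorizer's decision for
// LAUNCH_/WAIT_/KILL_NESTED_CONTAINER; not Mesos source code.
#include <iostream>
#include <map>
#include <string>

// Stand-in for Mesos' `Principal`: `value` is set by e.g. HTTP basic auth,
// `claims` by e.g. the default JWT authenticator. Both set at once is the
// custom-authenticator case raised in the review.
struct Principal {
  bool valueSet = false;
  std::string value;
  std::map<std::string, std::string> claims;
  bool has_value() const { return valueSet; }
};

// Stand-in for the authorization `Object`; the handlers in this patch set
// `container_id` for the nested-container calls.
struct Object {
  bool containerIdSet = false;
  std::string container_id;
};

Principal executorPrincipal(const std::string& cid) {
  Principal p;
  p.claims["cid"] = cid;  // claim key "cid" is assumed for this example
  return p;
}

Principal operatorPrincipal(const std::string& name, bool withClaims) {
  Principal p;
  p.valueSet = true;
  p.value = name;
  if (withClaims) p.claims["role"] = "admin";  // constructed extra claim
  return p;
}

Object nestedTarget(const std::string& id) {
  Object o;
  o.containerIdSet = true;
  o.container_id = id;
  return o;
}

// Constructed operator ACL: only principal "ops" may act on nested containers.
bool operatorAcl(const std::string& principal, const Object&) {
  return principal == "ops";
}

// Assumes nested container IDs are dot-separated, parent first
// ("a.b" is a child of "a").
bool isSelfOrDescendant(const std::string& parent, const std::string& child) {
  if (child == parent) return true;
  return child.size() > parent.size() &&
         child.compare(0, parent.size(), parent) == 0 &&
         child[parent.size()] == '.';
}

// Implicit executor authorization: the caller's `cid` claim must name the
// target container or one of its ancestors.
bool implicitExecutorAuthorized(const Principal& subject, const Object& object) {
  auto cid = subject.claims.find("cid");
  if (cid == subject.claims.end() || !object.containerIdSet) return false;
  return isSelfOrDescendant(cid->second, object.container_id);
}

// Without the proposed check: the presence of claims alone selects the
// implicit path, so an operator whose authenticator also attached claims
// never reaches the operator ACL and is denied.
bool authorizeBefore(const Principal& subject, const Object& object) {
  if (!subject.claims.empty()) return implicitExecutorAuthorized(subject, object);
  return subject.has_value() && operatorAcl(subject.value, object);
}

// With the check: only subjects without a `value` take the implicit executor
// path; anyone with a value is evaluated against the operator ACL.
bool authorizeAfter(const Principal& subject, const Object& object) {
  if (!subject.has_value()) return implicitExecutorAuthorized(subject, object);
  return operatorAcl(subject.value, object);
}

int main() {
  Object target = nestedTarget("exec1.nested1");
  std::cout << "executor, before/after: "
            << authorizeBefore(executorPrincipal("exec1"), target) << "/"
            << authorizeAfter(executorPrincipal("exec1"), target) << "\n";
  std::cout << "operator with claims, before/after: "
            << authorizeBefore(operatorPrincipal("ops", true), target) << "/"
            << authorizeAfter(operatorPrincipal("ops", true), target) << "\n";
  return 0;
}
```

The executor case behaves the same either way; the difference shows up only for a principal that has a `value`, which is exactly the case Greg says the default JWT authenticator never produces.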


On April 7, 2017, 11:25 p.m., Greg Mann wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58254/
> -----------------------------------------------------------
> 
> (Updated April 7, 2017, 11:25 p.m.)
> 
> 
> Review request for mesos, Adam B, Alexander Rojas, Till Toenshoff, and Vinod 
> Kone.
> 
> 
> Bugs: MESOS-7014
>     https://issues.apache.org/jira/browse/MESOS-7014
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> This patch updates the agent handlers for the LAUNCH_, WAIT_,
> and KILL_NESTED_CONTAINER calls of the operator API to set the
> `container_id` field within the authorization object,
> facilitating implicit executor authorization.
> 
> 
> Diffs
> -----
> 
>   include/mesos/authorizer/authorizer.proto 
> 736f76d552956f2351ffd40fc51d088dff83f8c8 
>   src/authorizer/local/authorizer.cpp 
> e241edf4afa48d35dbbbb94d72e8e8690f5bedfc 
>   src/slave/http.cpp b07ce7c73a90ef297d980806ebba9530d86f25ae 
> 
> 
> Diff: https://reviews.apache.org/r/58254/diff/2/
> 
> 
> Testing
> -------
> 
> Testing details can be found at the end of this chain.
> 
> 
> Thanks,
> 
> Greg Mann
> 
>