> On April 8, 2017, 1:30 a.m., Greg Mann wrote:
> > For some reason I'm having trouble replying to your previous comment, so
> > I'll post a new one :)
> >
> > I think that it makes sense to have claims in the `authorization::Subject`,
> > since this maps directly onto the `Principal` provided by the client.
> > However, in the case of the `authorization::Object`, I don't think that the
> > agent should dictate the use of particular claims there. For example, a
> > custom authorizer might have a different way to determine which
> > `ContainerID`s a principal should be able to launch containers within. I
> > don't think that we should leak the specific claim keys used by the
> > `SecretGenerator` into the `authorization::Object`, since in the future we
> > will make the `SecretGenerator` modular and the claims within the executor
> > token could be different for a custom generator. Does that make sense?

Your answer does make sense to me.

- Alexander

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58253/#review171388
-----------------------------------------------------------

On April 7, 2017, 5:33 a.m., Greg Mann wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58253/
> -----------------------------------------------------------
>
> (Updated April 7, 2017, 5:33 a.m.)
>
>
> Review request for mesos, Adam B, Alexander Rojas, Till Toenshoff, and Vinod
> Kone.
>
>
> Bugs: MESOS-7014
>     https://issues.apache.org/jira/browse/MESOS-7014
>
>
> Repository: mesos
>
>
> Description
> -------
>
> This patch adds a new member, `container_id` to the
> `ObjectApprover::Object` to facilitate implicit executor
> authorization.
>
>
> Diffs
> -----
>
>   include/mesos/authorizer/authorizer.hpp 75801ccc753a60ce5e5979b6723fd2294ce7ffe5
>   include/mesos/authorizer/authorizer.proto 736f76d552956f2351ffd40fc51d088dff83f8c8
>   src/authorizer/local/authorizer.cpp e241edf4afa48d35dbbbb94d72e8e8690f5bedfc
>
>
> Diff: https://reviews.apache.org/r/58253/diff/1/
>
>
> Testing
> -------
>
> Testing details can be found at the end of this chain.
>
>
> Thanks,
>
> Greg Mann
>
>
