[jira] [Commented] (MESOS-5336) Add authorization to GET /quota

2016-05-13 Thread Alexander Rukletsov (JIRA) 

[ 
https://issues.apache.org/jira/browse/MESOS-5336?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15282727#comment-15282727
 ] 

Alexander Rukletsov commented on MESOS-5336:


Let's punt on the coarse-grained authz for now.

> Add authorization to GET /quota
> ---
>
> Key: MESOS-5336
> URL: https://issues.apache.org/jira/browse/MESOS-5336
> Project: Mesos
>  Issue Type: Improvement
>  Components: master, security
>Reporter: Adam B
>  Labels: mesosphere, security
> Fix For: 0.29.0
>
>
> We already authorize which http users can set/remove quota for particular 
> roles, but even knowing of the existence of these roles (let alone their 
> quotas) may be sensitive information. We should add authz around GET 
> operations on /quota.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (MESOS-5336) Add authorization to GET /quota

2016-05-11 Thread Zhitao Li (JIRA) 

[ 
https://issues.apache.org/jira/browse/MESOS-5336?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15281073#comment-15281073
 ] 

Zhitao Li commented on MESOS-5336:
--

[~adam-mesos], I'll leave this decision reconcile with you and [~alexr]. I'm 
fine with both way, just let me know whether you decide to keep 
GET_ENDPOINT_WITH_PATH or not.

The patch below is built on top of GET_ENDPOINT_WITH_PATH but I can rebase to 
drop that one if we decide to go otherwise.

> Add authorization to GET /quota
> ---
>
> Key: MESOS-5336
> URL: https://issues.apache.org/jira/browse/MESOS-5336
> Project: Mesos
>  Issue Type: Improvement
>  Components: master, security
>Reporter: Adam B
>  Labels: mesosphere, security
> Fix For: 0.29.0
>
>
> We already authorize which http users can set/remove quota for particular 
> roles, but even knowing of the existence of these roles (let alone their 
> quotas) may be sensitive information. We should add authz around GET 
> operations on /quota.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (MESOS-5336) Add authorization to GET /quota

2016-05-11 Thread Zhitao Li (JIRA) 

[ 
https://issues.apache.org/jira/browse/MESOS-5336?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15281071#comment-15281071
 ] 

Zhitao Li commented on MESOS-5336:
--

https://reviews.apache.org/r/47274/

> Add authorization to GET /quota
> ---
>
> Key: MESOS-5336
> URL: https://issues.apache.org/jira/browse/MESOS-5336
> Project: Mesos
>  Issue Type: Improvement
>  Components: master, security
>Reporter: Adam B
>  Labels: mesosphere, security
> Fix For: 0.29.0
>
>
> We already authorize which http users can set/remove quota for particular 
> roles, but even knowing of the existence of these roles (let alone their 
> quotas) may be sensitive information. We should add authz around GET 
> operations on /quota.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (MESOS-5336) Add authorization to GET /quota

2016-05-11 Thread Adam B (JIRA) 

[ 
https://issues.apache.org/jira/browse/MESOS-5336?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15281009#comment-15281009
 ] 

Adam B commented on MESOS-5336:
---

I think GET_QUOTA_WITH_ROLE should be sufficient, and
GET_ENDPOINT_WITH_PATH can be emulated with GET_QUOTA_WITH_ROLE, ANY




> Add authorization to GET /quota
> ---
>
> Key: MESOS-5336
> URL: https://issues.apache.org/jira/browse/MESOS-5336
> Project: Mesos
>  Issue Type: Improvement
>  Components: master, security
>Reporter: Adam B
>  Labels: mesosphere, security
> Fix For: 0.29.0
>
>
> We already authorize which http users can set/remove quota for particular 
> roles, but even knowing of the existence of these roles (let alone their 
> quotas) may be sensitive information. We should add authz around GET 
> operations on /quota.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (MESOS-5336) Add authorization to GET /quota

2016-05-11 Thread Zhitao Li (JIRA) 

[ 
https://issues.apache.org/jira/browse/MESOS-5336?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15280485#comment-15280485
 ] 

Zhitao Li commented on MESOS-5336:
--

I think I can come up with an implementation for {{GET_QUOTA_WITH_ROLE}} using 
{{stout::collect}} on a list of futures.

Question: if we have {{GET_QUOTA_WITH_ROLE}}, do you think we still want to 
guard {{/quota}} endpoint with {{GET_ENDPOINT_WITH_PATH}}? The closest 
alternative would be an ACL of {{ANY}} or {{NONE}} role, but it probably would 
return empty map rather than {{Forbidden}}.

I have no strong opinion here. I'll try a diff on top my previous review while 
wait for your answer.

> Add authorization to GET /quota
> ---
>
> Key: MESOS-5336
> URL: https://issues.apache.org/jira/browse/MESOS-5336
> Project: Mesos
>  Issue Type: Improvement
>  Components: master, security
>Reporter: Adam B
>  Labels: mesosphere, security
> Fix For: 0.29.0
>
>
> We already authorize which http users can set/remove quota for particular 
> roles, but even knowing of the existence of these roles (let alone their 
> quotas) may be sensitive information. We should add authz around GET 
> operations on /quota.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (MESOS-5336) Add authorization to GET /quota

2016-05-11 Thread Alexander Rukletsov (JIRA) 

[ 
https://issues.apache.org/jira/browse/MESOS-5336?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15279881#comment-15279881
 ] 

Alexander Rukletsov commented on MESOS-5336:


Currently we have {{SET_QUOTA_WITH_ROLE}} and {{DESTROY_QUOTA_WITH_PRINCIPAL}} 
authz actions, which will be eventually subsumed by a single 
{{UPDATE_QUOTA_WITH_ROLE}} for all {{POST}}, {{PUT}}, and {{DELETE}}. These are 
fine-grained authz actions.

We can additionally implement coarse-grained authz actions: 
{{GET_ENDPOINT_WITH_PATH}}, {{POST_ENDPOINT_WITH_PATH}} and so on for 
{{/quota}}. I can see benefits of having both coarse- and fine- grained authz 
actions, but maybe we don't need to implement them now.

For now, let's either do {{GET_ENDPOINT_WITH_PATH}} or {{GET_QUOTA_WITH_ROLE}}. 
The former does not allow fine-grained filtering, while the latter is harder to 
implement since we have to filter quotas based on authorizer's response.

I see you have opted for {{GET_ENDPOINT_WITH_PATH}}. Do you think we can 
implement the latter fast enough? For now, we'll have to query authorizer for 
each role, but in the future we should be able to send a BatchRequest.

> Add authorization to GET /quota
> ---
>
> Key: MESOS-5336
> URL: https://issues.apache.org/jira/browse/MESOS-5336
> Project: Mesos
>  Issue Type: Improvement
>  Components: master, security
>Reporter: Adam B
>  Labels: mesosphere, security
> Fix For: 0.29.0
>
>
> We already authorize which http users can set/remove quota for particular 
> roles, but even knowing of the existence of these roles (let alone their 
> quotas) may be sensitive information. We should add authz around GET 
> operations on /quota.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)