[jira] [Updated] (MESOS-5746) Sandbox links are broken in authorized cluster

2016-06-29 Thread Greg Mann (JIRA)

 [ 
https://issues.apache.org/jira/browse/MESOS-5746?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Greg Mann updated MESOS-5746:
-
Attachment: Screen Shot 2016-06-29 at 12.28.49 PM.png

> Sandbox links are broken in authorized cluster
> --
>
> Key: MESOS-5746
> URL: https://issues.apache.org/jira/browse/MESOS-5746
> Project: Mesos
> Issue Type: Bug
> Affects Versions: 1.0.0
> Reporter: Greg Mann
> Labels: authorization, mesosphere, security
> Attachments: Screen Shot 2016-06-29 at 12.28.49 PM.png
>
>
> I ran Mesos master with this script:
> {code}
> #! /usr/bin/env bash
> # Clear state left over from earlier runs.
> rm -rf /tmp/mesos/*
> # Credentials file: one "principal secret" pair per line.
> cat <<EOF > /tmp/credentials.txt
> foo bar
> baz bar
> EOF
> # ACLs for the master.
> cat <<EOF > /tmp/acls.json
> {
>   "permissive": false,
>   "access_mesos_logs" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "logs" : { "type" : "ANY" }
>     }
>   ],
>   "register_frameworks" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "roles" : { "type" : "ANY" }
>     }
>   ],
>   "run_tasks" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "users" : { "type" : "ANY" }
>     }
>   ],
>   "get_endpoints" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "paths" : { "type" : "ANY" }
>     }
>   ],
>   "view_frameworks" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "users" : { "type" : "ANY" }
>     }
>   ],
>   "view_tasks" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "users" : { "type" : "ANY" }
>     }
>   ],
>   "view_executors" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "users" : { "type" : "ANY" }
>     }
>   ],
>   "access_sandboxes" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "users" : { "type" : "ANY" }
>     }
>   ],
>   "access_mesos_logs" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "logs" : { "type" : "ANY" }
>     }
>   ],
>   "get_quotas" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "roles" : { "type" : "ANY" }
>     }
>   ]
> }
> EOF
> export GLOG_v=2
> export MESOS_VERBOSE=1
> ./bin/mesos-master.sh --work_dir=/tmp/mesos/master \
>   --authenticate_http \
>   --credentials=file:///tmp/credentials.txt \
>   --acls=file:///tmp/acls.json \
>   --log_dir=/tmp/mesos/logs/master
> {code}
> and ran the agent with this script:
> {code}
> #! /usr/bin/env bash
> # Credentials file: one "principal secret" pair per line.
> cat <<EOF > /tmp/credentials.txt
> foo bar
> baz bar
> EOF
> # ACLs for the agent.
> cat <<EOF > /tmp/acls.json
> {
>   "permissive": false,
>   "access_mesos_log" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "logs" : { "type" : "ANY" }
>     }
>   ]
> }
> EOF
> export GLOG_v=2
> export MESOS_VERBOSE=1
> ./bin/mesos-slave.sh --work_dir=/tmp/mesos/agent \
>   --master=127.0.0.1:5050 \
>   --authenticate_http \
>   --http_credentials=file:///tmp/credentials.txt \
>   --acls=file:///tmp/acls.json \
>   --log_dir=/tmp/mesos/logs/agent
> {code}
> And then ran the long-lived framework with {{src/long-lived-framework 
> --master=127.0.0.1:5050 --principal=foo --secret=bar}}. When attempting to 
> click on "Sandbox" links in the Mesos web UI, I see the error {{Framework 
> with ID 'd2735ff3-52ac-467a-b8eb-6bd7a119ee32-' does not exist on agent 
> with ID 'd2735ff3-52ac-467a-b8eb-6bd7a119ee32-S0'.}} (screenshot attached). 
> Looking at Chrome devtools, I don't see any non-200 return codes in HTTP 
> responses. Each click on "Sandbox" produces a single request to the agent's 
> {{/state}} endpoint, which returns 200 OK.
> I verified that the sandbox links work as expected when authorization is not 
> enabled.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
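
An added example (not part of the original report or of Mesos) that compares the master and agent acls.json files from the scripts above, listing action keys that occur more than once and actions that appear in only one of the two files. The sample documents are constructed from the posted action names with a shortened rule body, and build, load_acls and compare are hypothetical helper names.

```python
import json

# Constructed sample: the action names from the two acls.json files in the
# report, in posted order, each given one shortened rule body.
RULE = '[{"principals": {"values": ["foo"]}, "users": {"type": "ANY"}}]'
MASTER_ACTIONS = ["access_mesos_logs", "register_frameworks", "run_tasks",
                  "get_endpoints", "view_frameworks", "view_tasks",
                  "view_executors", "access_sandboxes", "access_mesos_logs",
                  "get_quotas"]
AGENT_ACTIONS = ["access_mesos_log"]


def build(action_names):
    """Render a constructed acls.json document with "permissive": false."""
    rules = ", ".join('"%s": %s' % (name, RULE) for name in action_names)
    return '{"permissive": false, %s}' % rules


def load_acls(text):
    """Parse acls.json text; return (acls, keys that occur more than once)."""
    duplicates = []

    def hook(pairs):
        seen = {}
        for key, value in pairs:
            if key in seen:
                duplicates.append(key)  # a plain json.loads keeps only the last
            seen[key] = value
        return seen

    return json.loads(text, object_pairs_hook=hook), sorted(set(duplicates))


def compare(master_text, agent_text):
    """Report duplicated keys and actions present in only one of the files."""
    master, master_dups = load_acls(master_text)
    agent, agent_dups = load_acls(agent_text)
    m_actions = set(master) - {"permissive"}
    a_actions = set(agent) - {"permissive"}
    return {
        "master_duplicates": master_dups,
        "agent_duplicates": agent_dups,
        "only_on_master": sorted(m_actions - a_actions),
        "only_on_agent": sorted(a_actions - m_actions),
        # Mesos treats a missing "permissive" field as true.
        "agent_permissive": agent.get("permissive", True),
    }


if __name__ == "__main__":
    report = compare(build(MASTER_ACTIONS), build(AGENT_ACTIONS))
    for field, value in report.items():
        print(field, value)
```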


[jira] [Updated] (MESOS-5746) Sandbox links are broken in authorized cluster

2016-06-29 Thread Greg Mann (JIRA)

 [ 
https://issues.apache.org/jira/browse/MESOS-5746?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Greg Mann updated MESOS-5746:
-
Description: 
I ran Mesos master with this script:
{code}
#! /usr/bin/env bash

# Clear state left over from earlier runs.
rm -rf /tmp/mesos/*

# Credentials file: one "principal secret" pair per line.
cat <<EOF > /tmp/credentials.txt
foo bar
baz bar
EOF

# ACLs for the master.
cat <<EOF > /tmp/acls.json
{
  "permissive": false,
  "access_mesos_logs" : [
    {
      "principals" : { "values" : ["foo"] },
      "logs" : { "type" : "ANY" }
    }
  ],
  "register_frameworks" : [
    {
      "principals" : { "values" : ["foo"] },
      "roles" : { "type" : "ANY" }
    }
  ],
  "run_tasks" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "type" : "ANY" }
    }
  ],
  "get_endpoints" : [
    {
      "principals" : { "values" : ["foo"] },
      "paths" : { "type" : "ANY" }
    }
  ],
  "view_frameworks" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "type" : "ANY" }
    }
  ],
  "view_tasks" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "type" : "ANY" }
    }
  ],
  "view_executors" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "type" : "ANY" }
    }
  ],
  "access_sandboxes" : [
    {
      "principals" : { "values" : ["foo"] },
      "users" : { "type" : "ANY" }
    }
  ],
  "access_mesos_logs" : [
    {
      "principals" : { "values" : ["foo"] },
      "logs" : { "type" : "ANY" }
    }
  ],
  "get_quotas" : [
    {
      "principals" : { "values" : ["foo"] },
      "roles" : { "type" : "ANY" }
    }
  ]
}
EOF

export GLOG_v=2
export MESOS_VERBOSE=1
./bin/mesos-master.sh --work_dir=/tmp/mesos/master \
  --authenticate_http \
  --credentials=file:///tmp/credentials.txt \
  --acls=file:///tmp/acls.json \
  --log_dir=/tmp/mesos/logs/master
{code}
and ran the agent with this script:
{code}
#! /usr/bin/env bash

# Credentials file: one "principal secret" pair per line.
cat <<EOF > /tmp/credentials.txt
foo bar
baz bar
EOF

# ACLs for the agent.
cat <<EOF > /tmp/acls.json
{
  "permissive": false,
  "access_mesos_log" : [
    {
      "principals" : { "values" : ["foo"] },
      "logs" : { "type" : "ANY" }
    }
  ]
}
EOF

export GLOG_v=2
export MESOS_VERBOSE=1
./bin/mesos-slave.sh --work_dir=/tmp/mesos/agent \
  --master=127.0.0.1:5050 \
  --authenticate_http \
  --http_credentials=file:///tmp/credentials.txt \
  --acls=file:///tmp/acls.json \
  --log_dir=/tmp/mesos/logs/agent
{code}

And then ran the long-lived framework with {{src/long-lived-framework 
--master=127.0.0.1:5050 --principal=foo --secret=bar}}. When attempting to 
click on "Sandbox" links in the Mesos web UI, I see the error {{Framework with 
ID 'd2735ff3-52ac-467a-b8eb-6bd7a119ee32-' does not exist on agent with ID 
'd2735ff3-52ac-467a-b8eb-6bd7a119ee32-S0'.}} (screenshot attached). Looking at 
Chrome devtools, I don't see any non-200 return codes in HTTP responses. Each 
click on "Sandbox" produces a single request to the agent's {{/state}} 
endpoint, which returns 200 OK.

I verified that the sandbox links work as expected when authorization is not 
enabled.
