Re: Review Request 43776: Changed object of `ReserveResources` ACL to `roles`.

2016-02-26 Thread Neil Conway 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43776/#review120916
---


Ship it!




Ship It!

- Neil Conway


On Feb. 26, 2016, 6:52 p.m., Greg Mann wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43776/
> ---
> 
> (Updated Feb. 26, 2016, 6:52 p.m.)
> 
> 
> Review request for mesos, Adam B, Jie Yu, Michael Park, and Neil Conway.
> 
> 
> Bugs: MESOS-4591
> https://issues.apache.org/jira/browse/MESOS-4591
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Changed object of the `ReserveResources` ACL to `roles`.
> 
> This solves a problem in which any principal could reserve resources for any 
> role using the '/reserve' operator endpoint. A new test, 
> `ReserveOperationValidationTest.DisallowReserveForStarRole`, was added.
> 
> 
> Diffs
> -
> 
>   include/mesos/authorizer/authorizer.proto 
> 226441f8cbd6d0828bf1636cc08c21ffcc75e6a7 
>   src/authorizer/local/authorizer.cpp 
> 9557bbdf68ff182c4538bbf70cee576d717abc05 
>   src/master/master.cpp 8d6d3c6468c6b85fe09c33cf9747cc3d1f515ab9 
>   src/master/validation.cpp b0cc7f7ec75b66246686d1b50a61902f1455e8b6 
>   src/tests/authorization_tests.cpp 9d046e8d53cbb6c065a23ca3f7832021ec7faadc 
>   src/tests/master_validation_tests.cpp 
> ab2df22f73052f6bd77653e56e7b460b17e7b0be 
>   src/tests/reservation_endpoints_tests.cpp 
> 32b2af4115211b58a5127a14dd19152c2eca120c 
>   src/tests/reservation_tests.cpp b8878d51767ac0d95e346c44c0a4d5c060e565ef 
> 
> Diff: https://reviews.apache.org/r/43776/diff/
> 
> 
> Testing
> ---
> 
> Tests were altered to accomodate the new ACL object, and the test 
> `ReserveOperationValidationTest.DisallowReserveForStarRole` was added.
> 
> Ran `configure && make check` and `configure --enable-libevent --enable-ssl 
> && make check` on OSX; all tests passed.
> 
> 
> Thanks,
> 
> Greg Mann
> 
>

Re: Review Request 43776: Changed object of `ReserveResources` ACL to `roles`.

2016-02-26 Thread Greg Mann 


> On Feb. 26, 2016, 5:26 p.m., Jie Yu wrote:
> > src/master/master.cpp, line 2863
> > 
> >
> > You can use '!roles.contains' here.

Awesome, thanks!


- Greg


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43776/#review120888
---


On Feb. 26, 2016, 6:52 p.m., Greg Mann wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43776/
> ---
> 
> (Updated Feb. 26, 2016, 6:52 p.m.)
> 
> 
> Review request for mesos, Adam B, Jie Yu, Michael Park, and Neil Conway.
> 
> 
> Bugs: MESOS-4591
> https://issues.apache.org/jira/browse/MESOS-4591
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Changed object of the `ReserveResources` ACL to `roles`.
> 
> This solves a problem in which any principal could reserve resources for any 
> role using the '/reserve' operator endpoint. A new test, 
> `ReserveOperationValidationTest.DisallowReserveForStarRole`, was added.
> 
> 
> Diffs
> -
> 
>   include/mesos/authorizer/authorizer.proto 
> 226441f8cbd6d0828bf1636cc08c21ffcc75e6a7 
>   src/authorizer/local/authorizer.cpp 
> 9557bbdf68ff182c4538bbf70cee576d717abc05 
>   src/master/master.cpp 8d6d3c6468c6b85fe09c33cf9747cc3d1f515ab9 
>   src/master/validation.cpp b0cc7f7ec75b66246686d1b50a61902f1455e8b6 
>   src/tests/authorization_tests.cpp 9d046e8d53cbb6c065a23ca3f7832021ec7faadc 
>   src/tests/master_validation_tests.cpp 
> ab2df22f73052f6bd77653e56e7b460b17e7b0be 
>   src/tests/reservation_endpoints_tests.cpp 
> 32b2af4115211b58a5127a14dd19152c2eca120c 
>   src/tests/reservation_tests.cpp b8878d51767ac0d95e346c44c0a4d5c060e565ef 
> 
> Diff: https://reviews.apache.org/r/43776/diff/
> 
> 
> Testing
> ---
> 
> Tests were altered to accomodate the new ACL object, and the test 
> `ReserveOperationValidationTest.DisallowReserveForStarRole` was added.
> 
> Ran `configure && make check` and `configure --enable-libevent --enable-ssl 
> && make check` on OSX; all tests passed.
> 
> 
> Thanks,
> 
> Greg Mann
> 
>

Re: Review Request 43776: Changed object of `ReserveResources` ACL to `roles`.

2016-02-26 Thread Greg Mann 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43776/
---

(Updated Feb. 26, 2016, 6:52 p.m.)


Review request for mesos, Adam B, Jie Yu, Michael Park, and Neil Conway.


Changes
---

Made use of hashset::contains.


Bugs: MESOS-4591
https://issues.apache.org/jira/browse/MESOS-4591


Repository: mesos


Description
---

Changed object of the `ReserveResources` ACL to `roles`.

This solves a problem in which any principal could reserve resources for any 
role using the '/reserve' operator endpoint. A new test, 
`ReserveOperationValidationTest.DisallowReserveForStarRole`, was added.


Diffs (updated)
-

  include/mesos/authorizer/authorizer.proto 
226441f8cbd6d0828bf1636cc08c21ffcc75e6a7 
  src/authorizer/local/authorizer.cpp 9557bbdf68ff182c4538bbf70cee576d717abc05 
  src/master/master.cpp 8d6d3c6468c6b85fe09c33cf9747cc3d1f515ab9 
  src/master/validation.cpp b0cc7f7ec75b66246686d1b50a61902f1455e8b6 
  src/tests/authorization_tests.cpp 9d046e8d53cbb6c065a23ca3f7832021ec7faadc 
  src/tests/master_validation_tests.cpp 
ab2df22f73052f6bd77653e56e7b460b17e7b0be 
  src/tests/reservation_endpoints_tests.cpp 
32b2af4115211b58a5127a14dd19152c2eca120c 
  src/tests/reservation_tests.cpp b8878d51767ac0d95e346c44c0a4d5c060e565ef 

Diff: https://reviews.apache.org/r/43776/diff/


Testing
---

Tests were altered to accomodate the new ACL object, and the test 
`ReserveOperationValidationTest.DisallowReserveForStarRole` was added.

Ran `configure && make check` and `configure --enable-libevent --enable-ssl && 
make check` on OSX; all tests passed.


Thanks,

Greg Mann

Re: Review Request 43776: Changed object of `ReserveResources` ACL to `roles`.

2016-02-26 Thread Jie Yu 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43776/#review120888
---


Fix it, then Ship it!





include/mesos/authorizer/authorizer.proto (line 88)


Can you callout this change in upgrads.md? I think it's binary compatible, 
but now source compatible.



src/master/master.cpp (line 2863)


You can use '!roles.contains' here.


- Jie Yu


On Feb. 26, 2016, 4:53 p.m., Greg Mann wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43776/
> ---
> 
> (Updated Feb. 26, 2016, 4:53 p.m.)
> 
> 
> Review request for mesos, Adam B, Jie Yu, Michael Park, and Neil Conway.
> 
> 
> Bugs: MESOS-4591
> https://issues.apache.org/jira/browse/MESOS-4591
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Changed object of the `ReserveResources` ACL to `roles`.
> 
> This solves a problem in which any principal could reserve resources for any 
> role using the '/reserve' operator endpoint. A new test, 
> `ReserveOperationValidationTest.DisallowReserveForStarRole`, was added.
> 
> 
> Diffs
> -
> 
>   include/mesos/authorizer/authorizer.proto 
> 226441f8cbd6d0828bf1636cc08c21ffcc75e6a7 
>   src/authorizer/local/authorizer.cpp 
> 9557bbdf68ff182c4538bbf70cee576d717abc05 
>   src/master/master.cpp 8d6d3c6468c6b85fe09c33cf9747cc3d1f515ab9 
>   src/master/validation.cpp b0cc7f7ec75b66246686d1b50a61902f1455e8b6 
>   src/tests/authorization_tests.cpp 9d046e8d53cbb6c065a23ca3f7832021ec7faadc 
>   src/tests/master_validation_tests.cpp 
> ab2df22f73052f6bd77653e56e7b460b17e7b0be 
>   src/tests/reservation_endpoints_tests.cpp 
> 32b2af4115211b58a5127a14dd19152c2eca120c 
>   src/tests/reservation_tests.cpp b8878d51767ac0d95e346c44c0a4d5c060e565ef 
> 
> Diff: https://reviews.apache.org/r/43776/diff/
> 
> 
> Testing
> ---
> 
> Tests were altered to accomodate the new ACL object, and the test 
> `ReserveOperationValidationTest.DisallowReserveForStarRole` was added.
> 
> Ran `configure && make check` and `configure --enable-libevent --enable-ssl 
> && make check` on OSX; all tests passed.
> 
> 
> Thanks,
> 
> Greg Mann
> 
>

Re: Review Request 43776: Changed object of `ReserveResources` ACL to `roles`.

2016-02-26 Thread Greg Mann 


> On Feb. 26, 2016, 5:44 a.m., Neil Conway wrote:
> > src/master/master.cpp, line 2859
> > 
> >
> > Is there a reason to prefer `std::set` over `hashset`? I would 
> > typically use `hashset` unless we care about ordered iteration.

Good call, thanks!


- Greg


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43776/#review120826
---


On Feb. 26, 2016, 4:53 p.m., Greg Mann wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43776/
> ---
> 
> (Updated Feb. 26, 2016, 4:53 p.m.)
> 
> 
> Review request for mesos, Adam B, Jie Yu, Michael Park, and Neil Conway.
> 
> 
> Bugs: MESOS-4591
> https://issues.apache.org/jira/browse/MESOS-4591
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Changed object of the `ReserveResources` ACL to `roles`.
> 
> This solves a problem in which any principal could reserve resources for any 
> role using the '/reserve' operator endpoint. A new test, 
> `ReserveOperationValidationTest.DisallowReserveForStarRole`, was added.
> 
> 
> Diffs
> -
> 
>   include/mesos/authorizer/authorizer.proto 
> 226441f8cbd6d0828bf1636cc08c21ffcc75e6a7 
>   src/authorizer/local/authorizer.cpp 
> 9557bbdf68ff182c4538bbf70cee576d717abc05 
>   src/master/master.cpp 8d6d3c6468c6b85fe09c33cf9747cc3d1f515ab9 
>   src/master/validation.cpp b0cc7f7ec75b66246686d1b50a61902f1455e8b6 
>   src/tests/authorization_tests.cpp 9d046e8d53cbb6c065a23ca3f7832021ec7faadc 
>   src/tests/master_validation_tests.cpp 
> ab2df22f73052f6bd77653e56e7b460b17e7b0be 
>   src/tests/reservation_endpoints_tests.cpp 
> 32b2af4115211b58a5127a14dd19152c2eca120c 
>   src/tests/reservation_tests.cpp b8878d51767ac0d95e346c44c0a4d5c060e565ef 
> 
> Diff: https://reviews.apache.org/r/43776/diff/
> 
> 
> Testing
> ---
> 
> Tests were altered to accomodate the new ACL object, and the test 
> `ReserveOperationValidationTest.DisallowReserveForStarRole` was added.
> 
> Ran `configure && make check` and `configure --enable-libevent --enable-ssl 
> && make check` on OSX; all tests passed.
> 
> 
> Thanks,
> 
> Greg Mann
> 
>

Re: Review Request 43776: Changed object of `ReserveResources` ACL to `roles`.

2016-02-26 Thread Greg Mann 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43776/
---

(Updated Feb. 26, 2016, 4:53 p.m.)


Review request for mesos, Adam B, Jie Yu, Michael Park, and Neil Conway.


Changes
---

Addressed comments.


Bugs: MESOS-4591
https://issues.apache.org/jira/browse/MESOS-4591


Repository: mesos


Description
---

Changed object of the `ReserveResources` ACL to `roles`.

This solves a problem in which any principal could reserve resources for any 
role using the '/reserve' operator endpoint. A new test, 
`ReserveOperationValidationTest.DisallowReserveForStarRole`, was added.


Diffs (updated)
-

  include/mesos/authorizer/authorizer.proto 
226441f8cbd6d0828bf1636cc08c21ffcc75e6a7 
  src/authorizer/local/authorizer.cpp 9557bbdf68ff182c4538bbf70cee576d717abc05 
  src/master/master.cpp 8d6d3c6468c6b85fe09c33cf9747cc3d1f515ab9 
  src/master/validation.cpp b0cc7f7ec75b66246686d1b50a61902f1455e8b6 
  src/tests/authorization_tests.cpp 9d046e8d53cbb6c065a23ca3f7832021ec7faadc 
  src/tests/master_validation_tests.cpp 
ab2df22f73052f6bd77653e56e7b460b17e7b0be 
  src/tests/reservation_endpoints_tests.cpp 
32b2af4115211b58a5127a14dd19152c2eca120c 
  src/tests/reservation_tests.cpp b8878d51767ac0d95e346c44c0a4d5c060e565ef 

Diff: https://reviews.apache.org/r/43776/diff/


Testing
---

Tests were altered to accomodate the new ACL object, and the test 
`ReserveOperationValidationTest.DisallowReserveForStarRole` was added.

Ran `configure && make check` and `configure --enable-libevent --enable-ssl && 
make check` on OSX; all tests passed.


Thanks,

Greg Mann

Re: Review Request 43776: Changed object of `ReserveResources` ACL to `roles`.

2016-02-25 Thread Neil Conway 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43776/#review120826
---




src/master/master.cpp (line 2857)


I might add a note here to remind the reader that authorization only 
succeeds if the principal is allowed to make reservations for the roles 
included in the resources.



src/master/master.cpp (line 2858)


"an element"



src/master/master.cpp (line 2859)


Is there a reason to prefer `std::set` over `hashset`? I would typically 
use `hashset` unless we care about ordered iteration.



src/tests/master_validation_tests.cpp (line 236)


I'd rephrase this comment slightly: "even if the `role`". i.e., as written, 
it seems to imply that resource-role != framework-role is sufficient for the 
request to validate successfully.


- Neil Conway


On Feb. 24, 2016, 6:39 p.m., Greg Mann wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43776/
> ---
> 
> (Updated Feb. 24, 2016, 6:39 p.m.)
> 
> 
> Review request for mesos, Adam B, Jie Yu, Michael Park, and Neil Conway.
> 
> 
> Bugs: MESOS-4591
> https://issues.apache.org/jira/browse/MESOS-4591
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Changed object of the `ReserveResources` ACL to `roles`.
> 
> This solves a problem in which any principal could reserve resources for any 
> role using the '/reserve' operator endpoint. A new test, 
> `ReserveOperationValidationTest.DisallowReserveForStarRole`, was added.
> 
> 
> Diffs
> -
> 
>   include/mesos/authorizer/authorizer.proto 
> 226441f8cbd6d0828bf1636cc08c21ffcc75e6a7 
>   src/authorizer/local/authorizer.cpp 
> 9557bbdf68ff182c4538bbf70cee576d717abc05 
>   src/master/master.cpp 8d6d3c6468c6b85fe09c33cf9747cc3d1f515ab9 
>   src/master/validation.cpp b0cc7f7ec75b66246686d1b50a61902f1455e8b6 
>   src/tests/authorization_tests.cpp 9d046e8d53cbb6c065a23ca3f7832021ec7faadc 
>   src/tests/master_validation_tests.cpp 
> ab2df22f73052f6bd77653e56e7b460b17e7b0be 
>   src/tests/reservation_endpoints_tests.cpp 
> 32b2af4115211b58a5127a14dd19152c2eca120c 
>   src/tests/reservation_tests.cpp b8878d51767ac0d95e346c44c0a4d5c060e565ef 
> 
> Diff: https://reviews.apache.org/r/43776/diff/
> 
> 
> Testing
> ---
> 
> Tests were altered to accomodate the new ACL object, and the test 
> `ReserveOperationValidationTest.DisallowReserveForStarRole` was added.
> 
> Ran `configure && make check` and `configure --enable-libevent --enable-ssl 
> && make check` on OSX; all tests passed.
> 
> 
> Thanks,
> 
> Greg Mann
> 
>

Re: Review Request 43776: Changed object of `ReserveResources` ACL to `roles`.

2016-02-24 Thread Greg Mann 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43776/
---

(Updated Feb. 24, 2016, 6:39 p.m.)


Review request for mesos, Adam B, Jie Yu, Michael Park, and Neil Conway.


Changes
---

Rebase, small changes to comments in tests.


Bugs: MESOS-4591
https://issues.apache.org/jira/browse/MESOS-4591


Repository: mesos


Description
---

Changed object of the `ReserveResources` ACL to `roles`.

This solves a problem in which any principal could reserve resources for any 
role using the '/reserve' operator endpoint. A new test, 
`ReserveOperationValidationTest.DisallowReserveForStarRole`, was added.


Diffs (updated)
-

  include/mesos/authorizer/authorizer.proto 
226441f8cbd6d0828bf1636cc08c21ffcc75e6a7 
  src/authorizer/local/authorizer.cpp 9557bbdf68ff182c4538bbf70cee576d717abc05 
  src/master/master.cpp 8d6d3c6468c6b85fe09c33cf9747cc3d1f515ab9 
  src/master/validation.cpp b0cc7f7ec75b66246686d1b50a61902f1455e8b6 
  src/tests/authorization_tests.cpp 9d046e8d53cbb6c065a23ca3f7832021ec7faadc 
  src/tests/master_validation_tests.cpp 
ab2df22f73052f6bd77653e56e7b460b17e7b0be 
  src/tests/reservation_endpoints_tests.cpp 
32b2af4115211b58a5127a14dd19152c2eca120c 
  src/tests/reservation_tests.cpp b8878d51767ac0d95e346c44c0a4d5c060e565ef 

Diff: https://reviews.apache.org/r/43776/diff/


Testing
---

Tests were altered to accomodate the new ACL object, and the test 
`ReserveOperationValidationTest.DisallowReserveForStarRole` was added.

Ran `configure && make check` and `configure --enable-libevent --enable-ssl && 
make check` on OSX; all tests passed.


Thanks,

Greg Mann

Re: Review Request 43776: Changed object of `ReserveResources` ACL to `roles`.

2016-02-22 Thread Greg Mann 


> On Feb. 20, 2016, 8:19 a.m., Guangya Liu wrote:
> > src/tests/master_validation_tests.cpp, lines 238-240
> > 
> >
> > I think that we need to clarify that the `role` checking except "*" 
> > will be checked in `authorize`, the validation will not check roles except 
> > "*" now.
> > 
> > Otherwise, someone might confused that why a framework with `roleA` can 
> > reserve resoures for `roleB`?

Actually, after looking at this test again, it is no longer necessary once the 
`role` parameter is removed from this validation function. With that parameter 
gone, this test does nothing at all :-)

I updated the subsequent patch, https://reviews.apache.org/r/43777/, to remove 
this test.


- Greg


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43776/#review120028
---


On Feb. 22, 2016, 7:47 p.m., Greg Mann wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43776/
> ---
> 
> (Updated Feb. 22, 2016, 7:47 p.m.)
> 
> 
> Review request for mesos, Adam B, Jie Yu, Michael Park, and Neil Conway.
> 
> 
> Bugs: MESOS-4591
> https://issues.apache.org/jira/browse/MESOS-4591
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Changed object of the `ReserveResources` ACL to `roles`.
> 
> This solves a problem in which any principal could reserve resources for any 
> role using the '/reserve' operator endpoint. A new test, 
> `ReserveOperationValidationTest.DisallowReserveForStarRole`, was added.
> 
> 
> Diffs
> -
> 
>   include/mesos/authorizer/authorizer.proto 
> 226441f8cbd6d0828bf1636cc08c21ffcc75e6a7 
>   src/authorizer/local/authorizer.cpp 
> 9557bbdf68ff182c4538bbf70cee576d717abc05 
>   src/master/master.cpp b453bc7fca05c192df616b7d80132985b3248547 
>   src/master/validation.cpp 66898e914c7b4ab83c4580be67530f355cfb05ca 
>   src/tests/authorization_tests.cpp 9d046e8d53cbb6c065a23ca3f7832021ec7faadc 
>   src/tests/master_validation_tests.cpp 
> 6fae01fa1833ae05ec82618a4ae28ac5bd275bd5 
>   src/tests/reservation_endpoints_tests.cpp 
> afe81b1d38a1b3a82583720f26482ddcde8f5e85 
>   src/tests/reservation_tests.cpp d2ef15934556cb879f31850d52712aec77231fc7 
> 
> Diff: https://reviews.apache.org/r/43776/diff/
> 
> 
> Testing
> ---
> 
> Tests were altered to accomodate the new ACL object, and the test 
> `ReserveOperationValidationTest.DisallowReserveForStarRole` was added.
> 
> Ran `configure && make check` and `configure --enable-libevent --enable-ssl 
> && make check` on OSX; all tests passed.
> 
> 
> Thanks,
> 
> Greg Mann
> 
>

Re: Review Request 43776: Changed object of `ReserveResources` ACL to `roles`.

2016-02-22 Thread Greg Mann 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43776/
---

(Updated Feb. 22, 2016, 7:47 p.m.)


Review request for mesos, Adam B, Jie Yu, Michael Park, and Neil Conway.


Changes
---

Addressed comments.


Bugs: MESOS-4591
https://issues.apache.org/jira/browse/MESOS-4591


Repository: mesos


Description
---

Changed object of the `ReserveResources` ACL to `roles`.

This solves a problem in which any principal could reserve resources for any 
role using the '/reserve' operator endpoint. A new test, 
`ReserveOperationValidationTest.DisallowReserveForStarRole`, was added.


Diffs (updated)
-

  include/mesos/authorizer/authorizer.proto 
226441f8cbd6d0828bf1636cc08c21ffcc75e6a7 
  src/authorizer/local/authorizer.cpp 9557bbdf68ff182c4538bbf70cee576d717abc05 
  src/master/master.cpp b453bc7fca05c192df616b7d80132985b3248547 
  src/master/validation.cpp 66898e914c7b4ab83c4580be67530f355cfb05ca 
  src/tests/authorization_tests.cpp 9d046e8d53cbb6c065a23ca3f7832021ec7faadc 
  src/tests/master_validation_tests.cpp 
6fae01fa1833ae05ec82618a4ae28ac5bd275bd5 
  src/tests/reservation_endpoints_tests.cpp 
afe81b1d38a1b3a82583720f26482ddcde8f5e85 
  src/tests/reservation_tests.cpp d2ef15934556cb879f31850d52712aec77231fc7 

Diff: https://reviews.apache.org/r/43776/diff/


Testing
---

Tests were altered to accomodate the new ACL object, and the test 
`ReserveOperationValidationTest.DisallowReserveForStarRole` was added.

Ran `configure && make check` and `configure --enable-libevent --enable-ssl && 
make check` on OSX; all tests passed.


Thanks,

Greg Mann

Re: Review Request 43776: Changed object of `ReserveResources` ACL to `roles`.

2016-02-20 Thread Guangya Liu 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43776/#review120028
---




include/mesos/authorizer/authorizer.proto (line 87)


s/may/can?

Or else 

// Objects: The principal(s) can reserve resources for these roles.

I prefer the latter one which might be more clear and also consistent with 
the comments for `CreateVolume`.



src/tests/authorization_tests.cpp (line 419)


s/can reserve/can only reserve resources



src/tests/authorization_tests.cpp (line 424)


Why adding `and principal "baz" will not be allowed to reserve for roles 
other than "ads".` here?

I think that updating the comments for `acl2` to `Principal "baz" can only 
reserve resources for the "ads" role.`



src/tests/authorization_tests.cpp (line 452)


s/reserve/reserve resources



src/tests/master_validation_tests.cpp (lines 236 - 238)


I think that we need to clarify that the `role` checking except "*" will be 
checked in `authorize`, the validation will not check roles except "*" now.

Otherwise, someone might confused that why a framework with `roleA` can 
reserve resoures for `roleB`?



src/tests/reservation_tests.cpp (line 1338)


not yours, but do you mind update this:

s/This princial/The `DEFAULT_CREDENTIAL` principal



src/tests/reservation_tests.cpp (line 1343)


ditto


- Guangya Liu


On 二月 20, 2016, 1:11 a.m., Greg Mann wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43776/
> ---
> 
> (Updated 二月 20, 2016, 1:11 a.m.)
> 
> 
> Review request for mesos, Adam B, Jie Yu, Michael Park, and Neil Conway.
> 
> 
> Bugs: MESOS-4591
> https://issues.apache.org/jira/browse/MESOS-4591
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Changed object of the `ReserveResources` ACL to `roles`.
> 
> This solves a problem in which any principal could reserve resources for any 
> role using the '/reserve' operator endpoint. A new test, 
> `ReserveOperationValidationTest.DisallowReserveForStarRole`, was added.
> 
> 
> Diffs
> -
> 
>   include/mesos/authorizer/authorizer.proto 
> 226441f8cbd6d0828bf1636cc08c21ffcc75e6a7 
>   src/authorizer/local/authorizer.cpp 
> 9557bbdf68ff182c4538bbf70cee576d717abc05 
>   src/master/master.cpp e5aaf67e63996700b2cdcdd04055ad5b04bfb085 
>   src/master/validation.cpp 66898e914c7b4ab83c4580be67530f355cfb05ca 
>   src/tests/authorization_tests.cpp 9d046e8d53cbb6c065a23ca3f7832021ec7faadc 
>   src/tests/master_validation_tests.cpp 
> 6fae01fa1833ae05ec82618a4ae28ac5bd275bd5 
>   src/tests/reservation_endpoints_tests.cpp 
> afe81b1d38a1b3a82583720f26482ddcde8f5e85 
>   src/tests/reservation_tests.cpp d2ef15934556cb879f31850d52712aec77231fc7 
> 
> Diff: https://reviews.apache.org/r/43776/diff/
> 
> 
> Testing
> ---
> 
> Tests were altered to accomodate the new ACL object, and the test 
> `ReserveOperationValidationTest.DisallowReserveForStarRole` was added.
> 
> Ran `configure && make check` and `configure --enable-libevent --enable-ssl 
> && make check` on OSX; all tests passed.
> 
> 
> Thanks,
> 
> Greg Mann
> 
>

Re: Review Request 43776: Changed object of `ReserveResources` ACL to `roles`.

2016-02-19 Thread Greg Mann 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43776/
---

(Updated Feb. 20, 2016, 1:11 a.m.)


Review request for mesos, Adam B, Jie Yu, Michael Park, and Neil Conway.


Summary (updated)
-

Changed object of `ReserveResources` ACL to `roles`.


Bugs: MESOS-4591
https://issues.apache.org/jira/browse/MESOS-4591


Repository: mesos


Description (updated)
---

Changed object of the `ReserveResources` ACL to `roles`.

This solves a problem in which any principal could reserve resources for any 
role using the '/reserve' operator endpoint. A new test, 
`ReserveOperationValidationTest.DisallowReserveForStarRole`, was added.


Diffs
-

  include/mesos/authorizer/authorizer.proto 
226441f8cbd6d0828bf1636cc08c21ffcc75e6a7 
  src/authorizer/local/authorizer.cpp 9557bbdf68ff182c4538bbf70cee576d717abc05 
  src/master/master.cpp e5aaf67e63996700b2cdcdd04055ad5b04bfb085 
  src/master/validation.cpp 66898e914c7b4ab83c4580be67530f355cfb05ca 
  src/tests/authorization_tests.cpp 9d046e8d53cbb6c065a23ca3f7832021ec7faadc 
  src/tests/master_validation_tests.cpp 
6fae01fa1833ae05ec82618a4ae28ac5bd275bd5 
  src/tests/reservation_endpoints_tests.cpp 
afe81b1d38a1b3a82583720f26482ddcde8f5e85 
  src/tests/reservation_tests.cpp d2ef15934556cb879f31850d52712aec77231fc7 

Diff: https://reviews.apache.org/r/43776/diff/


Testing
---

Tests were altered to accomodate the new ACL object, and the test 
`ReserveOperationValidationTest.DisallowReserveForStarRole` was added.

Ran `configure && make check` and `configure --enable-libevent --enable-ssl && 
make check` on OSX; all tests passed.


Thanks,

Greg Mann