Re: Review Request 67501: Added authorization for storage operations.

2018-06-29 Thread Benjamin Bannier 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67501/#review205566
---


Ship it!




Ship It!

- Benjamin Bannier


On June 28, 2018, 10:50 a.m., Jan Schlicht wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/67501/
> ---
> 
> (Updated June 28, 2018, 10:50 a.m.)
> 
> 
> Review request for mesos, Benjamin Bannier and Chun-Hung Hsiao.
> 
> 
> Bugs: MESOS-7329
> https://issues.apache.org/jira/browse/MESOS-7329
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Framework operations `CREATE_VOLUME`, `DESTROY_VOLUME`, `CREATE_BLOCK`,
> `DESTROY_BLOCK` are authorized. Respective ACL actions have been added
> to the local authorizer. Currently access can only be given to either
> 'ANY' or 'NONE' resource providers.
> 
> 
> Diffs
> -
> 
>   docs/authorization.md cd8622b9848b7a020c079cc1901e3933fa6eb0c0 
>   include/mesos/authorizer/acls.proto 
> e4889939481dabe6c1c2876a54d654f98d00dec8 
>   include/mesos/authorizer/authorizer.proto 
> bb1010d7eb97de17807b0a730ce16a4b28bc2aa3 
>   src/authorizer/local/authorizer.cpp 
> 61e9ab5ce9f1ce4eee4a3f8502c9b60140efcb7e 
>   src/master/master.hpp 4180341e2c7b16503a4376c501f611bb78ba901c 
>   src/master/master.cpp 4ade16f044f8a4fdafd5afaba4e6a23232f83a5a 
>   src/tests/authorization_tests.cpp f6f77692112d2299f3009fde4468f82bfd934c60 
> 
> 
> Diff: https://reviews.apache.org/r/67501/diff/7/
> 
> 
> Testing
> ---
> 
> make check
> 
> 
> Thanks,
> 
> Jan Schlicht
> 
>

Re: Review Request 67501: Added authorization for storage operations.

2018-06-28 Thread Jan Schlicht 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67501/
---

(Updated June 28, 2018, 10:50 a.m.)


Review request for mesos, Benjamin Bannier and Chun-Hung Hsiao.


Changes
---

Updated documentation to reflect latest changes.


Bugs: MESOS-7329
https://issues.apache.org/jira/browse/MESOS-7329


Repository: mesos


Description
---

Framework operations `CREATE_VOLUME`, `DESTROY_VOLUME`, `CREATE_BLOCK`,
`DESTROY_BLOCK` are authorized. Respective ACL actions have been added
to the local authorizer. Currently access can only be given to either
'ANY' or 'NONE' resource providers.


Diffs (updated)
-

  docs/authorization.md cd8622b9848b7a020c079cc1901e3933fa6eb0c0 
  include/mesos/authorizer/acls.proto e4889939481dabe6c1c2876a54d654f98d00dec8 
  include/mesos/authorizer/authorizer.proto 
bb1010d7eb97de17807b0a730ce16a4b28bc2aa3 
  src/authorizer/local/authorizer.cpp 61e9ab5ce9f1ce4eee4a3f8502c9b60140efcb7e 
  src/master/master.hpp 4180341e2c7b16503a4376c501f611bb78ba901c 
  src/master/master.cpp 4ade16f044f8a4fdafd5afaba4e6a23232f83a5a 
  src/tests/authorization_tests.cpp f6f77692112d2299f3009fde4468f82bfd934c60 


Diff: https://reviews.apache.org/r/67501/diff/7/

Changes: https://reviews.apache.org/r/67501/diff/6-7/


Testing
---

make check


Thanks,

Jan Schlicht

Re: Review Request 67501: Added authorization for storage operations.

2018-06-28 Thread Jan Schlicht 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67501/
---

(Updated June 28, 2018, 10:47 a.m.)


Review request for mesos, Benjamin Bannier and Chun-Hung Hsiao.


Changes
---

Use `role` instead of `principal` as authorization object in 
`DESTROY_BLOCK_DISK` and `DESTROY_MOUNT_DISK`.


Bugs: MESOS-7329
https://issues.apache.org/jira/browse/MESOS-7329


Repository: mesos


Description
---

Framework operations `CREATE_VOLUME`, `DESTROY_VOLUME`, `CREATE_BLOCK`,
`DESTROY_BLOCK` are authorized. Respective ACL actions have been added
to the local authorizer. Currently access can only be given to either
'ANY' or 'NONE' resource providers.


Diffs (updated)
-

  docs/authorization.md cd8622b9848b7a020c079cc1901e3933fa6eb0c0 
  include/mesos/authorizer/acls.proto e4889939481dabe6c1c2876a54d654f98d00dec8 
  include/mesos/authorizer/authorizer.proto 
bb1010d7eb97de17807b0a730ce16a4b28bc2aa3 
  src/authorizer/local/authorizer.cpp 61e9ab5ce9f1ce4eee4a3f8502c9b60140efcb7e 
  src/master/master.hpp 4180341e2c7b16503a4376c501f611bb78ba901c 
  src/master/master.cpp 4ade16f044f8a4fdafd5afaba4e6a23232f83a5a 
  src/tests/authorization_tests.cpp f6f77692112d2299f3009fde4468f82bfd934c60 


Diff: https://reviews.apache.org/r/67501/diff/6/

Changes: https://reviews.apache.org/r/67501/diff/5-6/


Testing
---

make check


Thanks,

Jan Schlicht

Re: Review Request 67501: Added authorization for storage operations.

2018-06-28 Thread Benjamin Bannier 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67501/#review205492
---




include/mesos/authorizer/acls.proto
Lines 542 (patched)


I had some discussions around using principals to control these `DESTROY_*` 
operations with Jie and Greg.

The take-away was that using principals instead of roles (like e.g., 
already suggested by Chun in this RR) is not something we should do going 
forward. It is already tech debt in the destruction of persistent volumes 
(which is pretty hard to remove in a backwards-compatible way), and we should 
not add it here.

This is related to the fact that when a resource is reserved to a certain 
role, every framework in that role already has access _to the data_ in that 
volume (they could e.g., read and modify the data from a task). By using a 
principal to control destruction we protect the metadata (_some volume `xyz` 
exists_) while we do not protect the actual data (access to the data is based 
on roles). That means using principals to authorized `UNRESERVE` operations is 
useful (it changes data visibility), but does not add real benefits for the 
`DESTROY_*` operations.

Could you use a `required Entity roles` here and below instead? We'd also 
need to update the documentation and ACL validation.


- Benjamin Bannier


On June 27, 2018, 12:40 p.m., Jan Schlicht wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/67501/
> ---
> 
> (Updated June 27, 2018, 12:40 p.m.)
> 
> 
> Review request for mesos, Benjamin Bannier and Chun-Hung Hsiao.
> 
> 
> Bugs: MESOS-7329
> https://issues.apache.org/jira/browse/MESOS-7329
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Framework operations `CREATE_VOLUME`, `DESTROY_VOLUME`, `CREATE_BLOCK`,
> `DESTROY_BLOCK` are authorized. Respective ACL actions have been added
> to the local authorizer. Currently access can only be given to either
> 'ANY' or 'NONE' resource providers.
> 
> 
> Diffs
> -
> 
>   docs/authorization.md cd8622b9848b7a020c079cc1901e3933fa6eb0c0 
>   include/mesos/authorizer/acls.proto 
> e4889939481dabe6c1c2876a54d654f98d00dec8 
>   include/mesos/authorizer/authorizer.proto 
> bb1010d7eb97de17807b0a730ce16a4b28bc2aa3 
>   src/authorizer/local/authorizer.cpp 
> 61e9ab5ce9f1ce4eee4a3f8502c9b60140efcb7e 
>   src/master/master.hpp 4180341e2c7b16503a4376c501f611bb78ba901c 
>   src/master/master.cpp 4ade16f044f8a4fdafd5afaba4e6a23232f83a5a 
>   src/tests/authorization_tests.cpp f6f77692112d2299f3009fde4468f82bfd934c60 
> 
> 
> Diff: https://reviews.apache.org/r/67501/diff/5/
> 
> 
> Testing
> ---
> 
> make check
> 
> 
> Thanks,
> 
> Jan Schlicht
> 
>

Re: Review Request 67501: Added authorization for storage operations.

2018-06-27 Thread Jan Schlicht 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67501/
---

(Updated June 27, 2018, 12:40 p.m.)


Review request for mesos, Benjamin Bannier and Chun-Hung Hsiao.


Changes
---

Addressed issues.


Bugs: MESOS-7329
https://issues.apache.org/jira/browse/MESOS-7329


Repository: mesos


Description
---

Framework operations `CREATE_VOLUME`, `DESTROY_VOLUME`, `CREATE_BLOCK`,
`DESTROY_BLOCK` are authorized. Respective ACL actions have been added
to the local authorizer. Currently access can only be given to either
'ANY' or 'NONE' resource providers.


Diffs (updated)
-

  docs/authorization.md cd8622b9848b7a020c079cc1901e3933fa6eb0c0 
  include/mesos/authorizer/acls.proto e4889939481dabe6c1c2876a54d654f98d00dec8 
  include/mesos/authorizer/authorizer.proto 
bb1010d7eb97de17807b0a730ce16a4b28bc2aa3 
  src/authorizer/local/authorizer.cpp 61e9ab5ce9f1ce4eee4a3f8502c9b60140efcb7e 
  src/master/master.hpp 4180341e2c7b16503a4376c501f611bb78ba901c 
  src/master/master.cpp 4ade16f044f8a4fdafd5afaba4e6a23232f83a5a 
  src/tests/authorization_tests.cpp f6f77692112d2299f3009fde4468f82bfd934c60 


Diff: https://reviews.apache.org/r/67501/diff/5/

Changes: https://reviews.apache.org/r/67501/diff/4-5/


Testing
---

make check


Thanks,

Jan Schlicht

Re: Review Request 67501: Added authorization for storage operations.

2018-06-27 Thread Benjamin Bannier 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67501/#review205420
---


Fix it, then Ship it!





src/authorizer/local/authorizer.cpp
Line 1657 (original), 1703 (patched)


Remove change in indention here.


- Benjamin Bannier


On June 25, 2018, 3:58 p.m., Jan Schlicht wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/67501/
> ---
> 
> (Updated June 25, 2018, 3:58 p.m.)
> 
> 
> Review request for mesos, Benjamin Bannier and Chun-Hung Hsiao.
> 
> 
> Bugs: MESOS-7329
> https://issues.apache.org/jira/browse/MESOS-7329
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Framework operations `CREATE_VOLUME`, `DESTROY_VOLUME`, `CREATE_BLOCK`,
> `DESTROY_BLOCK` are authorized. Respective ACL actions have been added
> to the local authorizer. Currently access can only be given to either
> 'ANY' or 'NONE' resource providers.
> 
> 
> Diffs
> -
> 
>   docs/authorization.md cd8622b9848b7a020c079cc1901e3933fa6eb0c0 
>   include/mesos/authorizer/acls.proto 
> e4889939481dabe6c1c2876a54d654f98d00dec8 
>   include/mesos/authorizer/authorizer.proto 
> bb1010d7eb97de17807b0a730ce16a4b28bc2aa3 
>   src/authorizer/local/authorizer.cpp 
> 61e9ab5ce9f1ce4eee4a3f8502c9b60140efcb7e 
>   src/master/master.hpp 4180341e2c7b16503a4376c501f611bb78ba901c 
>   src/master/master.cpp 4ade16f044f8a4fdafd5afaba4e6a23232f83a5a 
>   src/tests/authorization_tests.cpp f6f77692112d2299f3009fde4468f82bfd934c60 
> 
> 
> Diff: https://reviews.apache.org/r/67501/diff/4/
> 
> 
> Testing
> ---
> 
> make check
> 
> 
> Thanks,
> 
> Jan Schlicht
> 
>

Re: Review Request 67501: Added authorization for storage operations.

2018-06-25 Thread Chun-Hung Hsiao 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67501/#review205307
---




include/mesos/authorizer/acls.proto
Line 542 (original), 538 (patched)


Is it because that implementing explicit objects takes significant efforts 
and has a lower priority, so we decided to leave it as a TODO?


- Chun-Hung Hsiao


On June 25, 2018, 1:58 p.m., Jan Schlicht wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/67501/
> ---
> 
> (Updated June 25, 2018, 1:58 p.m.)
> 
> 
> Review request for mesos, Benjamin Bannier and Chun-Hung Hsiao.
> 
> 
> Bugs: MESOS-7329
> https://issues.apache.org/jira/browse/MESOS-7329
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Framework operations `CREATE_VOLUME`, `DESTROY_VOLUME`, `CREATE_BLOCK`,
> `DESTROY_BLOCK` are authorized. Respective ACL actions have been added
> to the local authorizer. Currently access can only be given to either
> 'ANY' or 'NONE' resource providers.
> 
> 
> Diffs
> -
> 
>   docs/authorization.md cd8622b9848b7a020c079cc1901e3933fa6eb0c0 
>   include/mesos/authorizer/acls.proto 
> e4889939481dabe6c1c2876a54d654f98d00dec8 
>   include/mesos/authorizer/authorizer.proto 
> bb1010d7eb97de17807b0a730ce16a4b28bc2aa3 
>   src/authorizer/local/authorizer.cpp 
> 61e9ab5ce9f1ce4eee4a3f8502c9b60140efcb7e 
>   src/master/master.hpp 4180341e2c7b16503a4376c501f611bb78ba901c 
>   src/master/master.cpp 4ade16f044f8a4fdafd5afaba4e6a23232f83a5a 
>   src/tests/authorization_tests.cpp f6f77692112d2299f3009fde4468f82bfd934c60 
> 
> 
> Diff: https://reviews.apache.org/r/67501/diff/4/
> 
> 
> Testing
> ---
> 
> make check
> 
> 
> Thanks,
> 
> Jan Schlicht
> 
>

Re: Review Request 67501: Added authorization for storage operations.

2018-06-25 Thread Mesos Reviewbot 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67501/#review205293
---



Patch looks great!

Reviews applied: [67501]

Passed command: export OS='ubuntu:14.04' BUILDTOOL='autotools' COMPILER='gcc' 
CONFIGURATION='--verbose --disable-libtool-wrappers' ENVIRONMENT='GLOG_v=1 
MESOS_VERBOSE=1'; ./support/docker-build.sh

- Mesos Reviewbot


On June 25, 2018, 1:58 p.m., Jan Schlicht wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/67501/
> ---
> 
> (Updated June 25, 2018, 1:58 p.m.)
> 
> 
> Review request for mesos, Benjamin Bannier and Chun-Hung Hsiao.
> 
> 
> Bugs: MESOS-7329
> https://issues.apache.org/jira/browse/MESOS-7329
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Framework operations `CREATE_VOLUME`, `DESTROY_VOLUME`, `CREATE_BLOCK`,
> `DESTROY_BLOCK` are authorized. Respective ACL actions have been added
> to the local authorizer. Currently access can only be given to either
> 'ANY' or 'NONE' resource providers.
> 
> 
> Diffs
> -
> 
>   docs/authorization.md cd8622b9848b7a020c079cc1901e3933fa6eb0c0 
>   include/mesos/authorizer/acls.proto 
> e4889939481dabe6c1c2876a54d654f98d00dec8 
>   include/mesos/authorizer/authorizer.proto 
> bb1010d7eb97de17807b0a730ce16a4b28bc2aa3 
>   src/authorizer/local/authorizer.cpp 
> 61e9ab5ce9f1ce4eee4a3f8502c9b60140efcb7e 
>   src/master/master.hpp 4180341e2c7b16503a4376c501f611bb78ba901c 
>   src/master/master.cpp 4ade16f044f8a4fdafd5afaba4e6a23232f83a5a 
>   src/tests/authorization_tests.cpp f6f77692112d2299f3009fde4468f82bfd934c60 
> 
> 
> Diff: https://reviews.apache.org/r/67501/diff/4/
> 
> 
> Testing
> ---
> 
> make check
> 
> 
> Thanks,
> 
> Jan Schlicht
> 
>

Re: Review Request 67501: Added authorization for storage operations.

2018-06-25 Thread Mesos Reviewbot Windows 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67501/#review205284
---



FAIL: Some of the unit tests failed. Please check the relevant logs.

Reviews applied: `['67501']`

Failed command: `Start-MesosCITesting`

All the build artifacts available at: 
http://dcos-win.westus.cloudapp.azure.com/mesos-build/review/67501

Relevant logs:

- 
[stout-tests-cmake-stdout.log](http://dcos-win.westus.cloudapp.azure.com/mesos-build/review/67501/logs/stout-tests-cmake-stdout.log):

```
   "D:\DCOS\mesos\3rdparty\bzip2-1.0.6.vcxproj" (default target) (6) ->
   (CustomBuild target) -> 
 C:\Program Files (x86)\Microsoft Visual 
Studio\2017\Community\Common7\IDE\VC\VCTargets\Microsoft.CppCommon.targets(171,5):
 error MSB6006: "cmd.exe" exited with code 3. 
[D:\DCOS\mesos\3rdparty\bzip2-1.0.6.vcxproj]


   "D:\DCOS\mesos\3rdparty\stout\tests\stout-tests.vcxproj" (default 
target) (1) ->
   "D:\DCOS\mesos\3rdparty\libarchive-3.3.2.vcxproj" (default target) (3) ->
   "D:\DCOS\mesos\3rdparty\xz-5.2.3.vcxproj" (default target) (4) ->
 C:\Program Files (x86)\Microsoft Visual 
Studio\2017\Community\Common7\IDE\VC\VCTargets\Microsoft.CppCommon.targets(171,5):
 error MSB6006: "cmd.exe" exited with code 3. 
[D:\DCOS\mesos\3rdparty\xz-5.2.3.vcxproj]


   "D:\DCOS\mesos\3rdparty\stout\tests\stout-tests.vcxproj" (default 
target) (1) ->
   "D:\DCOS\mesos\3rdparty\glog-da816ea70.vcxproj" (default target) (8) ->
 C:\Program Files (x86)\Microsoft Visual 
Studio\2017\Community\Common7\IDE\VC\VCTargets\Microsoft.CppCommon.targets(171,5):
 error MSB6006: "cmd.exe" exited with code 3. 
[D:\DCOS\mesos\3rdparty\glog-da816ea70.vcxproj]


   "D:\DCOS\mesos\3rdparty\stout\tests\stout-tests.vcxproj" (default 
target) (1) ->
   "D:\DCOS\mesos\3rdparty\boost-1.65.0.vcxproj" (default target) (10) ->
 C:\Program Files (x86)\Microsoft Visual 
Studio\2017\Community\Common7\IDE\VC\VCTargets\Microsoft.CppCommon.targets(171,5):
 error MSB6006: "cmd.exe" exited with code 3. 
[D:\DCOS\mesos\3rdparty\boost-1.65.0.vcxproj]


   "D:\DCOS\mesos\3rdparty\stout\tests\stout-tests.vcxproj" (default 
target) (1) ->
   "D:\DCOS\mesos\3rdparty\protobuf-3.5.0.vcxproj" (default target) (14) ->
 C:\Program Files (x86)\Microsoft Visual 
Studio\2017\Community\Common7\IDE\VC\VCTargets\Microsoft.CppCommon.targets(171,5):
 error MSB6006: "cmd.exe" exited with code 3. 
[D:\DCOS\mesos\3rdparty\protobuf-3.5.0.vcxproj]

1 Warning(s)
5 Error(s)

Time Elapsed 00:03:15.35
```

- 
[libprocess-tests-cmake-stdout.log](http://dcos-win.westus.cloudapp.azure.com/mesos-build/review/67501/logs/libprocess-tests-cmake-stdout.log):

```
   (CustomBuild target) -> 
 C:\Program Files (x86)\Microsoft Visual 
Studio\2017\Community\Common7\IDE\VC\VCTargets\Microsoft.CppCommon.targets(171,5):
 error MSB6006: "cmd.exe" exited with code 3. 
[D:\DCOS\mesos\3rdparty\bzip2-1.0.6.vcxproj]


   "D:\DCOS\mesos\3rdparty\libprocess\src\tests\libprocess-tests.vcxproj" 
(default target) (1) ->
   "D:\DCOS\mesos\3rdparty\glog-da816ea70.vcxproj" (default target) (14) ->
 C:\Program Files (x86)\Microsoft Visual 
Studio\2017\Community\Common7\IDE\VC\VCTargets\Microsoft.CppCommon.targets(171,5):
 error MSB6006: "cmd.exe" exited with code 3. 
[D:\DCOS\mesos\3rdparty\glog-da816ea70.vcxproj]


   "D:\DCOS\mesos\3rdparty\libprocess\src\tests\libprocess-tests.vcxproj" 
(default target) (1) ->
   "D:\DCOS\mesos\3rdparty\libprocess\examples\example.vcxproj" (default 
target) (8) ->
   "D:\DCOS\mesos\3rdparty\xz-5.2.3.vcxproj" (default target) (19) ->
 C:\Program Files (x86)\Microsoft Visual 
Studio\2017\Community\Common7\IDE\VC\VCTargets\Microsoft.CppCommon.targets(171,5):
 error MSB6006: "cmd.exe" exited with code 3. 
[D:\DCOS\mesos\3rdparty\xz-5.2.3.vcxproj]


   "D:\DCOS\mesos\3rdparty\libprocess\src\tests\libprocess-tests.vcxproj" 
(default target) (1) ->
   "D:\DCOS\mesos\3rdparty\boost-1.65.0.vcxproj" (default target) (3) ->
 C:\Program Files (x86)\Microsoft Visual 
Studio\2017\Community\Common7\IDE\VC\VCTargets\Microsoft.CppCommon.targets(171,5):
 error MSB6006: "cmd.exe" exited with code 3. 
[D:\DCOS\mesos\3rdparty\boost-1.65.0.vcxproj]


   "D:\DCOS\mesos\3rdparty\libprocess\src\tests\libprocess-tests.vcxproj" 
(default target) (1) ->
   "D:\DCOS\mesos\3rdparty\libprocess\examples\example.vcxproj" (default 
target) (8) ->
   "D:\DCOS\mesos\3rdparty\protobuf-3.5.0.vcxproj" (default target) (20) ->
 C:\Program Files (x86)\Microsoft Visual 
Studio\2017\Community\Common7\IDE\VC\VCTargets\Microsoft.CppCommon.targets(171,5):
 error MSB6006: "cmd.exe" exited with code 3. 
[D:\DCOS\mesos\3rdparty\protobuf-3.5.0.vcxproj]

113 Warning(s)
5 Error(s)

Time Elapsed 00:03:29.23
```

-

Re: Review Request 67501: Added authorization for storage operations.

2018-06-25 Thread Jan Schlicht 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67501/
---

(Updated June 25, 2018, 3:58 p.m.)


Review request for mesos, Benjamin Bannier and Chun-Hung Hsiao.


Changes
---

Changed authorization objects. Roles for create operations, principals for 
destroy operations.


Bugs: MESOS-7329
https://issues.apache.org/jira/browse/MESOS-7329


Repository: mesos


Description
---

Framework operations `CREATE_VOLUME`, `DESTROY_VOLUME`, `CREATE_BLOCK`,
`DESTROY_BLOCK` are authorized. Respective ACL actions have been added
to the local authorizer. Currently access can only be given to either
'ANY' or 'NONE' resource providers.


Diffs (updated)
-

  docs/authorization.md cd8622b9848b7a020c079cc1901e3933fa6eb0c0 
  include/mesos/authorizer/acls.proto e4889939481dabe6c1c2876a54d654f98d00dec8 
  include/mesos/authorizer/authorizer.proto 
bb1010d7eb97de17807b0a730ce16a4b28bc2aa3 
  src/authorizer/local/authorizer.cpp 61e9ab5ce9f1ce4eee4a3f8502c9b60140efcb7e 
  src/master/master.hpp 4180341e2c7b16503a4376c501f611bb78ba901c 
  src/master/master.cpp 4ade16f044f8a4fdafd5afaba4e6a23232f83a5a 
  src/tests/authorization_tests.cpp f6f77692112d2299f3009fde4468f82bfd934c60 


Diff: https://reviews.apache.org/r/67501/diff/4/

Changes: https://reviews.apache.org/r/67501/diff/3-4/


Testing
---

make check


Thanks,

Jan Schlicht

Re: Review Request 67501: Added authorization for storage operations.

2018-06-25 Thread Jan Schlicht 


> On June 21, 2018, 5:39 p.m., Chun-Hung Hsiao wrote:
> > include/mesos/authorizer/acls.proto
> > Lines 534 (patched)
> > 
> >
> > The patch looks good overall. But I'd like to raise a discussion about 
> > the object entity. Why are we planning to use resource providers but not 
> > roles, like the other offer operations?
> 
> Chun-Hung Hsiao wrote:
> It seems to me that `roles` fit better here since the resource only has a 
> provider ID, which is a dynamically generated value, and would be hard for 
> the operator to set it up. Thoughts?

I agree, thanks for catching this! Similar to resource reservation, create 
operations should be authorized per role, destroy operations authorized per 
creator principal.


- Jan


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67501/#review205178
---


On June 21, 2018, 2:34 p.m., Jan Schlicht wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/67501/
> ---
> 
> (Updated June 21, 2018, 2:34 p.m.)
> 
> 
> Review request for mesos, Benjamin Bannier and Chun-Hung Hsiao.
> 
> 
> Bugs: MESOS-7329
> https://issues.apache.org/jira/browse/MESOS-7329
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Framework operations `CREATE_VOLUME`, `DESTROY_VOLUME`, `CREATE_BLOCK`,
> `DESTROY_BLOCK` are authorized. Respective ACL actions have been added
> to the local authorizer. Currently access can only be given to either
> 'ANY' or 'NONE' resource providers.
> 
> 
> Diffs
> -
> 
>   docs/authorization.md cd8622b9848b7a020c079cc1901e3933fa6eb0c0 
>   include/mesos/authorizer/acls.proto 
> e4889939481dabe6c1c2876a54d654f98d00dec8 
>   include/mesos/authorizer/authorizer.proto 
> bb1010d7eb97de17807b0a730ce16a4b28bc2aa3 
>   src/authorizer/local/authorizer.cpp 
> 61e9ab5ce9f1ce4eee4a3f8502c9b60140efcb7e 
>   src/master/master.hpp 4180341e2c7b16503a4376c501f611bb78ba901c 
>   src/master/master.cpp 4ade16f044f8a4fdafd5afaba4e6a23232f83a5a 
>   src/tests/authorization_tests.cpp f6f77692112d2299f3009fde4468f82bfd934c60 
> 
> 
> Diff: https://reviews.apache.org/r/67501/diff/3/
> 
> 
> Testing
> ---
> 
> make check
> 
> 
> Thanks,
> 
> Jan Schlicht
> 
>

Re: Review Request 67501: Added authorization for storage operations.

2018-06-21 Thread Chun-Hung Hsiao 


> On June 21, 2018, 3:39 p.m., Chun-Hung Hsiao wrote:
> > include/mesos/authorizer/acls.proto
> > Lines 534 (patched)
> > 
> >
> > The patch looks good overall. But I'd like to raise a discussion about 
> > the object entity. Why are we planning to use resource providers but not 
> > roles, like the other offer operations?

It seems to me that `roles` fit better here since the resource only has a 
provider ID, which is a dynamically generated value, and would be hard for the 
operator to set it up. Thoughts?


- Chun-Hung


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67501/#review205178
---


On June 21, 2018, 12:34 p.m., Jan Schlicht wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/67501/
> ---
> 
> (Updated June 21, 2018, 12:34 p.m.)
> 
> 
> Review request for mesos, Benjamin Bannier and Chun-Hung Hsiao.
> 
> 
> Bugs: MESOS-7329
> https://issues.apache.org/jira/browse/MESOS-7329
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Framework operations `CREATE_VOLUME`, `DESTROY_VOLUME`, `CREATE_BLOCK`,
> `DESTROY_BLOCK` are authorized. Respective ACL actions have been added
> to the local authorizer. Currently access can only be given to either
> 'ANY' or 'NONE' resource providers.
> 
> 
> Diffs
> -
> 
>   docs/authorization.md cd8622b9848b7a020c079cc1901e3933fa6eb0c0 
>   include/mesos/authorizer/acls.proto 
> e4889939481dabe6c1c2876a54d654f98d00dec8 
>   include/mesos/authorizer/authorizer.proto 
> bb1010d7eb97de17807b0a730ce16a4b28bc2aa3 
>   src/authorizer/local/authorizer.cpp 
> 61e9ab5ce9f1ce4eee4a3f8502c9b60140efcb7e 
>   src/master/master.hpp 4180341e2c7b16503a4376c501f611bb78ba901c 
>   src/master/master.cpp 4ade16f044f8a4fdafd5afaba4e6a23232f83a5a 
>   src/tests/authorization_tests.cpp f6f77692112d2299f3009fde4468f82bfd934c60 
> 
> 
> Diff: https://reviews.apache.org/r/67501/diff/3/
> 
> 
> Testing
> ---
> 
> make check
> 
> 
> Thanks,
> 
> Jan Schlicht
> 
>

Re: Review Request 67501: Added authorization for storage operations.

2018-06-21 Thread Mesos Reviewbot 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67501/#review205219
---



Patch looks great!

Reviews applied: [67501]

Passed command: export OS='ubuntu:14.04' BUILDTOOL='autotools' COMPILER='gcc' 
CONFIGURATION='--verbose --disable-libtool-wrappers' ENVIRONMENT='GLOG_v=1 
MESOS_VERBOSE=1'; ./support/docker-build.sh

- Mesos Reviewbot


On June 21, 2018, 12:34 p.m., Jan Schlicht wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/67501/
> ---
> 
> (Updated June 21, 2018, 12:34 p.m.)
> 
> 
> Review request for mesos, Benjamin Bannier and Chun-Hung Hsiao.
> 
> 
> Bugs: MESOS-7329
> https://issues.apache.org/jira/browse/MESOS-7329
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Framework operations `CREATE_VOLUME`, `DESTROY_VOLUME`, `CREATE_BLOCK`,
> `DESTROY_BLOCK` are authorized. Respective ACL actions have been added
> to the local authorizer. Currently access can only be given to either
> 'ANY' or 'NONE' resource providers.
> 
> 
> Diffs
> -
> 
>   docs/authorization.md cd8622b9848b7a020c079cc1901e3933fa6eb0c0 
>   include/mesos/authorizer/acls.proto 
> e4889939481dabe6c1c2876a54d654f98d00dec8 
>   include/mesos/authorizer/authorizer.proto 
> bb1010d7eb97de17807b0a730ce16a4b28bc2aa3 
>   src/authorizer/local/authorizer.cpp 
> 61e9ab5ce9f1ce4eee4a3f8502c9b60140efcb7e 
>   src/master/master.hpp 4180341e2c7b16503a4376c501f611bb78ba901c 
>   src/master/master.cpp 4ade16f044f8a4fdafd5afaba4e6a23232f83a5a 
>   src/tests/authorization_tests.cpp f6f77692112d2299f3009fde4468f82bfd934c60 
> 
> 
> Diff: https://reviews.apache.org/r/67501/diff/3/
> 
> 
> Testing
> ---
> 
> make check
> 
> 
> Thanks,
> 
> Jan Schlicht
> 
>

Re: Review Request 67501: Added authorization for storage operations.

2018-06-21 Thread Chun-Hung Hsiao 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67501/#review205178
---


Fix it, then Ship it!





include/mesos/authorizer/acls.proto
Lines 534 (patched)


The patch looks good overall. But I'd like to raise a discussion about the 
object entity. Why are we planning to use resource providers but not roles, 
like the other offer operations?


- Chun-Hung Hsiao


On June 21, 2018, 12:34 p.m., Jan Schlicht wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/67501/
> ---
> 
> (Updated June 21, 2018, 12:34 p.m.)
> 
> 
> Review request for mesos, Benjamin Bannier and Chun-Hung Hsiao.
> 
> 
> Bugs: MESOS-7329
> https://issues.apache.org/jira/browse/MESOS-7329
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Framework operations `CREATE_VOLUME`, `DESTROY_VOLUME`, `CREATE_BLOCK`,
> `DESTROY_BLOCK` are authorized. Respective ACL actions have been added
> to the local authorizer. Currently access can only be given to either
> 'ANY' or 'NONE' resource providers.
> 
> 
> Diffs
> -
> 
>   docs/authorization.md cd8622b9848b7a020c079cc1901e3933fa6eb0c0 
>   include/mesos/authorizer/acls.proto 
> e4889939481dabe6c1c2876a54d654f98d00dec8 
>   include/mesos/authorizer/authorizer.proto 
> bb1010d7eb97de17807b0a730ce16a4b28bc2aa3 
>   src/authorizer/local/authorizer.cpp 
> 61e9ab5ce9f1ce4eee4a3f8502c9b60140efcb7e 
>   src/master/master.hpp 4180341e2c7b16503a4376c501f611bb78ba901c 
>   src/master/master.cpp 4ade16f044f8a4fdafd5afaba4e6a23232f83a5a 
>   src/tests/authorization_tests.cpp f6f77692112d2299f3009fde4468f82bfd934c60 
> 
> 
> Diff: https://reviews.apache.org/r/67501/diff/3/
> 
> 
> Testing
> ---
> 
> make check
> 
> 
> Thanks,
> 
> Jan Schlicht
> 
>

Re: Review Request 67501: Added authorization for storage operations.

2018-06-21 Thread Mesos Reviewbot Windows 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67501/#review205176
---



PASS: Mesos patch 67501 was successfully built and tested.

Reviews applied: `['67501']`

All the build artifacts available at: 
http://dcos-win.westus.cloudapp.azure.com/mesos-build/review/67501

- Mesos Reviewbot Windows


On June 21, 2018, 5:34 a.m., Jan Schlicht wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/67501/
> ---
> 
> (Updated June 21, 2018, 5:34 a.m.)
> 
> 
> Review request for mesos, Benjamin Bannier and Chun-Hung Hsiao.
> 
> 
> Bugs: MESOS-7329
> https://issues.apache.org/jira/browse/MESOS-7329
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Framework operations `CREATE_VOLUME`, `DESTROY_VOLUME`, `CREATE_BLOCK`,
> `DESTROY_BLOCK` are authorized. Respective ACL actions have been added
> to the local authorizer. Currently access can only be given to either
> 'ANY' or 'NONE' resource providers.
> 
> 
> Diffs
> -
> 
>   docs/authorization.md cd8622b9848b7a020c079cc1901e3933fa6eb0c0 
>   include/mesos/authorizer/acls.proto 
> e4889939481dabe6c1c2876a54d654f98d00dec8 
>   include/mesos/authorizer/authorizer.proto 
> bb1010d7eb97de17807b0a730ce16a4b28bc2aa3 
>   src/authorizer/local/authorizer.cpp 
> 61e9ab5ce9f1ce4eee4a3f8502c9b60140efcb7e 
>   src/master/master.hpp 4180341e2c7b16503a4376c501f611bb78ba901c 
>   src/master/master.cpp 4ade16f044f8a4fdafd5afaba4e6a23232f83a5a 
>   src/tests/authorization_tests.cpp f6f77692112d2299f3009fde4468f82bfd934c60 
> 
> 
> Diff: https://reviews.apache.org/r/67501/diff/3/
> 
> 
> Testing
> ---
> 
> make check
> 
> 
> Thanks,
> 
> Jan Schlicht
> 
>

Re: Review Request 67501: Added authorization for storage operations.

2018-06-21 Thread Benjamin Bannier 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67501/#review205166
---


Ship it!




Ship It!

- Benjamin Bannier


On June 21, 2018, 2:34 p.m., Jan Schlicht wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/67501/
> ---
> 
> (Updated June 21, 2018, 2:34 p.m.)
> 
> 
> Review request for mesos, Benjamin Bannier and Chun-Hung Hsiao.
> 
> 
> Bugs: MESOS-7329
> https://issues.apache.org/jira/browse/MESOS-7329
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Framework operations `CREATE_VOLUME`, `DESTROY_VOLUME`, `CREATE_BLOCK`,
> `DESTROY_BLOCK` are authorized. Respective ACL actions have been added
> to the local authorizer. Currently access can only be given to either
> 'ANY' or 'NONE' resource providers.
> 
> 
> Diffs
> -
> 
>   docs/authorization.md cd8622b9848b7a020c079cc1901e3933fa6eb0c0 
>   include/mesos/authorizer/acls.proto 
> e4889939481dabe6c1c2876a54d654f98d00dec8 
>   include/mesos/authorizer/authorizer.proto 
> bb1010d7eb97de17807b0a730ce16a4b28bc2aa3 
>   src/authorizer/local/authorizer.cpp 
> 61e9ab5ce9f1ce4eee4a3f8502c9b60140efcb7e 
>   src/master/master.hpp 4180341e2c7b16503a4376c501f611bb78ba901c 
>   src/master/master.cpp 4ade16f044f8a4fdafd5afaba4e6a23232f83a5a 
>   src/tests/authorization_tests.cpp f6f77692112d2299f3009fde4468f82bfd934c60 
> 
> 
> Diff: https://reviews.apache.org/r/67501/diff/3/
> 
> 
> Testing
> ---
> 
> make check
> 
> 
> Thanks,
> 
> Jan Schlicht
> 
>

Re: Review Request 67501: Added authorization for storage operations.

2018-06-21 Thread Jan Schlicht 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67501/
---

(Updated June 21, 2018, 2:34 p.m.)


Review request for mesos, Benjamin Bannier and Chun-Hung Hsiao.


Changes
---

Addressed issues.


Bugs: MESOS-7329
https://issues.apache.org/jira/browse/MESOS-7329


Repository: mesos


Description
---

Framework operations `CREATE_VOLUME`, `DESTROY_VOLUME`, `CREATE_BLOCK`,
`DESTROY_BLOCK` are authorized. Respective ACL actions have been added
to the local authorizer. Currently access can only be given to either
'ANY' or 'NONE' resource providers.


Diffs (updated)
-

  docs/authorization.md cd8622b9848b7a020c079cc1901e3933fa6eb0c0 
  include/mesos/authorizer/acls.proto e4889939481dabe6c1c2876a54d654f98d00dec8 
  include/mesos/authorizer/authorizer.proto 
bb1010d7eb97de17807b0a730ce16a4b28bc2aa3 
  src/authorizer/local/authorizer.cpp 61e9ab5ce9f1ce4eee4a3f8502c9b60140efcb7e 
  src/master/master.hpp 4180341e2c7b16503a4376c501f611bb78ba901c 
  src/master/master.cpp 4ade16f044f8a4fdafd5afaba4e6a23232f83a5a 
  src/tests/authorization_tests.cpp f6f77692112d2299f3009fde4468f82bfd934c60 


Diff: https://reviews.apache.org/r/67501/diff/3/

Changes: https://reviews.apache.org/r/67501/diff/2-3/


Testing
---

make check


Thanks,

Jan Schlicht

Re: Review Request 67501: Added authorization for storage operations.

2018-06-20 Thread Benjamin Bannier 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67501/#review205083
---


Fix it, then Ship it!





docs/authorization.md
Lines 334-365 (patched)


Let's move these up to the other actions related to offer operations, e.g., 
right below `resize_volume`.



docs/authorization.md
Lines 340 (patched)


Can you use basic forms here and below (create, destroy)?



docs/csi.md
Lines 788-793 (original), 788-800 (patched)


Not sure we should mention these operation ACLs is this document concerned 
with low-level CSI setup aspects.

Suggest to just drop the changes here.



include/mesos/authorizer/authorizer.proto
Lines 261-262 (patched)


These comments are incorrect as we will set a `Resource` object. Change to 

   // `FOO_BAR` will have an object with `Resource` set.
   
Here and below.



src/authorizer/local/authorizer.cpp
Lines 730 (patched)


We might want to add the comment you also added to `acls.proto`,

// TODO(nfnt): Consider allowing granular permission to act upon
// SOME resource provider types and names.



src/master/master.hpp
Lines 901 (patched)


Let's make the first sentence here more specific, e.g.,

Returns whether the `CREATE_VOLUME` operation ...

Here and below.


- Benjamin Bannier


On June 20, 2018, 12:44 p.m., Jan Schlicht wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/67501/
> ---
> 
> (Updated June 20, 2018, 12:44 p.m.)
> 
> 
> Review request for mesos, Benjamin Bannier and Chun-Hung Hsiao.
> 
> 
> Bugs: MESOS-7329
> https://issues.apache.org/jira/browse/MESOS-7329
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Framework operations `CREATE_VOLUME`, `DESTROY_VOLUME`, `CREATE_BLOCK`,
> `DESTROY_BLOCK` are authorized. Respective ACL actions have been added
> to the local authorizer. Currently access can only be given to either
> 'ANY' or 'NONE' resource providers.
> 
> 
> Diffs
> -
> 
>   docs/authorization.md cd8622b9848b7a020c079cc1901e3933fa6eb0c0 
>   docs/csi.md 7c38fc10633aa28d012606150099ab5cc4b60cb6 
>   include/mesos/authorizer/acls.proto 
> e4889939481dabe6c1c2876a54d654f98d00dec8 
>   include/mesos/authorizer/authorizer.proto 
> bb1010d7eb97de17807b0a730ce16a4b28bc2aa3 
>   src/authorizer/local/authorizer.cpp 
> 61e9ab5ce9f1ce4eee4a3f8502c9b60140efcb7e 
>   src/master/master.hpp 4180341e2c7b16503a4376c501f611bb78ba901c 
>   src/master/master.cpp 5db5a8da85f02323a5654c93ac47ec4aa7e711d2 
>   src/tests/authorization_tests.cpp f6f77692112d2299f3009fde4468f82bfd934c60 
> 
> 
> Diff: https://reviews.apache.org/r/67501/diff/2/
> 
> 
> Testing
> ---
> 
> make check
> 
> 
> Thanks,
> 
> Jan Schlicht
> 
>

Re: Review Request 67501: Added authorization for storage operations.

2018-06-20 Thread Mesos Reviewbot 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67501/#review205066
---



Patch looks great!

Reviews applied: [67501]

Passed command: export OS='ubuntu:14.04' BUILDTOOL='autotools' COMPILER='gcc' 
CONFIGURATION='--verbose --disable-libtool-wrappers' ENVIRONMENT='GLOG_v=1 
MESOS_VERBOSE=1'; ./support/docker-build.sh

- Mesos Reviewbot


On June 20, 2018, 10:44 a.m., Jan Schlicht wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/67501/
> ---
> 
> (Updated June 20, 2018, 10:44 a.m.)
> 
> 
> Review request for mesos, Benjamin Bannier and Chun-Hung Hsiao.
> 
> 
> Bugs: MESOS-7329
> https://issues.apache.org/jira/browse/MESOS-7329
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Framework operations `CREATE_VOLUME`, `DESTROY_VOLUME`, `CREATE_BLOCK`,
> `DESTROY_BLOCK` are authorized. Respective ACL actions have been added
> to the local authorizer. Currently access can only be given to either
> 'ANY' or 'NONE' resource providers.
> 
> 
> Diffs
> -
> 
>   docs/authorization.md cd8622b9848b7a020c079cc1901e3933fa6eb0c0 
>   docs/csi.md 7c38fc10633aa28d012606150099ab5cc4b60cb6 
>   include/mesos/authorizer/acls.proto 
> e4889939481dabe6c1c2876a54d654f98d00dec8 
>   include/mesos/authorizer/authorizer.proto 
> bb1010d7eb97de17807b0a730ce16a4b28bc2aa3 
>   src/authorizer/local/authorizer.cpp 
> 61e9ab5ce9f1ce4eee4a3f8502c9b60140efcb7e 
>   src/master/master.hpp 4180341e2c7b16503a4376c501f611bb78ba901c 
>   src/master/master.cpp 5db5a8da85f02323a5654c93ac47ec4aa7e711d2 
>   src/tests/authorization_tests.cpp f6f77692112d2299f3009fde4468f82bfd934c60 
> 
> 
> Diff: https://reviews.apache.org/r/67501/diff/2/
> 
> 
> Testing
> ---
> 
> make check
> 
> 
> Thanks,
> 
> Jan Schlicht
> 
>

Re: Review Request 67501: Added authorization for storage operations.

2018-06-20 Thread Mesos Reviewbot Windows 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67501/#review205060
---



PASS: Mesos patch 67501 was successfully built and tested.

Reviews applied: `['67501']`

All the build artifacts available at: 
http://dcos-win.westus.cloudapp.azure.com/mesos-build/review/67501

- Mesos Reviewbot Windows


On June 20, 2018, 10:44 a.m., Jan Schlicht wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/67501/
> ---
> 
> (Updated June 20, 2018, 10:44 a.m.)
> 
> 
> Review request for mesos, Benjamin Bannier and Chun-Hung Hsiao.
> 
> 
> Bugs: MESOS-7329
> https://issues.apache.org/jira/browse/MESOS-7329
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Framework operations `CREATE_VOLUME`, `DESTROY_VOLUME`, `CREATE_BLOCK`,
> `DESTROY_BLOCK` are authorized. Respective ACL actions have been added
> to the local authorizer. Currently access can only be given to either
> 'ANY' or 'NONE' resource providers.
> 
> 
> Diffs
> -
> 
>   docs/authorization.md cd8622b9848b7a020c079cc1901e3933fa6eb0c0 
>   docs/csi.md 7c38fc10633aa28d012606150099ab5cc4b60cb6 
>   include/mesos/authorizer/acls.proto 
> e4889939481dabe6c1c2876a54d654f98d00dec8 
>   include/mesos/authorizer/authorizer.proto 
> bb1010d7eb97de17807b0a730ce16a4b28bc2aa3 
>   src/authorizer/local/authorizer.cpp 
> 61e9ab5ce9f1ce4eee4a3f8502c9b60140efcb7e 
>   src/master/master.hpp 4180341e2c7b16503a4376c501f611bb78ba901c 
>   src/master/master.cpp 5db5a8da85f02323a5654c93ac47ec4aa7e711d2 
>   src/tests/authorization_tests.cpp f6f77692112d2299f3009fde4468f82bfd934c60 
> 
> 
> Diff: https://reviews.apache.org/r/67501/diff/2/
> 
> 
> Testing
> ---
> 
> make check
> 
> 
> Thanks,
> 
> Jan Schlicht
> 
>

Re: Review Request 67501: Added authorization for storage operations.

2018-06-20 Thread Jan Schlicht 

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67501/
---

(Updated June 20, 2018, 12:44 p.m.)


Review request for mesos, Benjamin Bannier and Chun-Hung Hsiao.


Changes
---

Renamed authorization actions.


Summary (updated)
-

Added authorization for storage operations.


Bugs: MESOS-7329
https://issues.apache.org/jira/browse/MESOS-7329


Repository: mesos


Description
---

Framework operations `CREATE_VOLUME`, `DESTROY_VOLUME`, `CREATE_BLOCK`,
`DESTROY_BLOCK` are authorized. Respective ACL actions have been added
to the local authorizer. Currently access can only be given to either
'ANY' or 'NONE' resource providers.


Diffs (updated)
-

  docs/authorization.md cd8622b9848b7a020c079cc1901e3933fa6eb0c0 
  docs/csi.md 7c38fc10633aa28d012606150099ab5cc4b60cb6 
  include/mesos/authorizer/acls.proto e4889939481dabe6c1c2876a54d654f98d00dec8 
  include/mesos/authorizer/authorizer.proto 
bb1010d7eb97de17807b0a730ce16a4b28bc2aa3 
  src/authorizer/local/authorizer.cpp 61e9ab5ce9f1ce4eee4a3f8502c9b60140efcb7e 
  src/master/master.hpp 4180341e2c7b16503a4376c501f611bb78ba901c 
  src/master/master.cpp 5db5a8da85f02323a5654c93ac47ec4aa7e711d2 
  src/tests/authorization_tests.cpp f6f77692112d2299f3009fde4468f82bfd934c60 


Diff: https://reviews.apache.org/r/67501/diff/2/

Changes: https://reviews.apache.org/r/67501/diff/1-2/


Testing
---

make check


Thanks,

Jan Schlicht