Uploaded image for project: 'Mesos'
  1. Mesos
  2. MESOS-5369

Coarse-grained authorization of endpoints is supported only for short url paths.

    Details

    • Type: Bug
    • Status: Accepted
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.0.0
    • Fix Version/s: None
    • Component/s: None

      Description

      For coarse-grained authorization actions, e.g., GET_ENDPOINT_WITH_PATH, we currently pass the short version of the url path, i.e., /state instead of /master/state, to the authorizer in some cases. This means that ACLs for local authorizer will not work as expected if absolute paths are used. Moreover, both local and modularized authorizers should be able to understand both short url paths for endpoints that belong to the "major" actor process (e.g., master, agent) and absolute url paths for all other actors (e.g., /files/browse, /metrics/snapshot.

      One possible solution is to pass absolute paths to authorizers and let them do the necessary processing, e.g., removing agent id from /slave(id)/state. This will also require normalizing endpoints from ACLs to absolute path form, similarly as we have done in MESOS-3143. Additionally this solution removes ambiguity which may arise for same endpoints belonging to different actors, e.g., /master/flags vs. /slave/flags.

      Here are some code snippets to illustrate the problem and the reasons:

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                alexr Alexander Rukletsov
                Shepherd:
                Alexander Rukletsov
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated: