For coarse-grained authorization actions, e.g., GET_ENDPOINT_WITH_PATH, we currently pass the short version of the url path, i.e., /state instead of /master/state, to the authorizer in some cases. This means that ACLs for local authorizer will not work as expected if absolute paths are used. Moreover, both local and modularized authorizers should be able to understand both short url paths for endpoints that belong to the "major" actor process (e.g., master, agent) and absolute url paths for all other actors (e.g., /files/browse, /metrics/snapshot.
One possible solution is to pass absolute paths to authorizers and let them do the necessary processing, e.g., removing agent id from /slave(id)/state. This will also require normalizing endpoints from ACLs to absolute path form, similarly as we have done in
MESOS-3143. Additionally this solution removes ambiguity which may arise for same endpoints belonging to different actors, e.g., /master/flags vs. /slave/flags.
Here are some code snippets to illustrate the problem and the reasons: