[MESOS-5730] Sandbox access authorization should fail for non existing sandboxes. - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 1.0.0
Fix Version/s: None
Component/s: security
Labels:

Epic Link:
Authorization Improvements
Sprint:
Mesosphere Sprint 38

Description

The local authorizer currently tries to authorize ACCESS_SANDBOX even if no further object specification - e.g. framework_info or executor_info) where specified / available at that time.

Given that there is likely no sandbox available if there was no executor_info provided, I think we should actually fail instead of allow or deny (403).

A failure would result into an IMHO more appropriate ServiceUnavailable (503).

See https://github.com/apache/mesos/commit/c8d67590064e35566274116cede9c6a733187b48#diff-dd692b1640b2628014feca01a94ba1e1R241

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Till Toenshoff

Shepherd:: Till Toenshoff

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 28/Jun/16 02:15

Updated:: 29/Apr/19 09:26