You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mesos.apache.org by ti...@apache.org on 2015/12/18 21:02:00 UTC
[2/7] mesos git commit: Quota: Implemented authorization of set quota
requests in the authorizer.
Quota: Implemented authorization of set quota requests in the authorizer.
Review: https://reviews.apache.org/r/40346/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/df99dbb8
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/df99dbb8
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/df99dbb8
Branch: refs/heads/master
Commit: df99dbb87cd93e392efb59d8d49c1376652e3bbb
Parents: 0f2bd3b
Author: Jan Schlicht <ja...@mesosphere.io>
Authored: Fri Dec 18 17:43:43 2015 +0100
Committer: Till Toenshoff <to...@me.com>
Committed: Fri Dec 18 17:49:19 2015 +0100
----------------------------------------------------------------------
include/mesos/authorizer/authorizer.hpp | 19 ++++++++++++++++++
src/authorizer/local/authorizer.cpp | 30 ++++++++++++++++++++++++++++
src/authorizer/local/authorizer.hpp | 2 ++
src/tests/mesos.cpp | 3 +++
src/tests/mesos.hpp | 2 ++
5 files changed, 56 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/df99dbb8/include/mesos/authorizer/authorizer.hpp
----------------------------------------------------------------------
diff --git a/include/mesos/authorizer/authorizer.hpp b/include/mesos/authorizer/authorizer.hpp
index aa9bb8b..19f6e1a 100644
--- a/include/mesos/authorizer/authorizer.hpp
+++ b/include/mesos/authorizer/authorizer.hpp
@@ -211,6 +211,25 @@ public:
virtual process::Future<bool> authorize(
const ACL::DestroyVolume& request) = 0;
+ /**
+ * Used to verify if a principal is allowed to set a quota for a specific
+ * role. The principal and role parameters are packed in `request`. If the
+ * principal is allowed to perform the action, this method returns true,
+ * otherwise it returns false. A third possible outcome is that the future
+ * fails. This indicates that the request could not be checked at the
+ * moment. This may be a temporary condition.
+ *
+ * @param request An instance of an `ACL::SetQuota` protobuf message. It
+ * packs all the parameters needed to verify if the given principal is
+ * allowed to request a quota with the specified role.
+ *
+ * @return true if the principal is allowed to set a quota for the specified
+ * role or false otherwise. A failed future however indicates a problem
+ * processing the request and the request can be retried.
+ */
+ virtual process::Future<bool> authorize(
+ const ACL::SetQuota& request) = 0;
+
protected:
Authorizer() {}
};
http://git-wip-us.apache.org/repos/asf/mesos/blob/df99dbb8/src/authorizer/local/authorizer.cpp
----------------------------------------------------------------------
diff --git a/src/authorizer/local/authorizer.cpp b/src/authorizer/local/authorizer.cpp
index 46e181a..1d135fb 100644
--- a/src/authorizer/local/authorizer.cpp
+++ b/src/authorizer/local/authorizer.cpp
@@ -149,6 +149,21 @@ public:
return acls.permissive(); // None of the ACLs match.
}
+ Future<bool> authorize(const ACL::SetQuota& request)
+ {
+ foreach (const ACL::SetQuota& acl, acls.set_quotas()) {
+ // ACL matches if both subjects and objects match.
+ if (matches(request.principals(), acl.principals()) &&
+ matches(request.roles(), acl.roles())) {
+ // ACL is allowed if both subjects and objects are allowed.
+ return allows(request.principals(), acl.principals()) &&
+ allows(request.roles(), acl.roles());
+ }
+ }
+
+ return acls.permissive(); // None of the ACLs match.
+ }
+
private:
// Match matrix:
//
@@ -283,6 +298,7 @@ LocalAuthorizer::~LocalAuthorizer()
}
}
+
Try<Nothing> LocalAuthorizer::initialize(const Option<ACLs>& acls)
{
if (!acls.isSome()) {
@@ -408,5 +424,19 @@ Future<bool> LocalAuthorizer::authorize(const ACL::DestroyVolume& request)
process, static_cast<F>(&LocalAuthorizerProcess::authorize), request);
}
+
+Future<bool> LocalAuthorizer::authorize(const ACL::SetQuota& request)
+{
+ if (process == NULL) {
+ return Failure("Authorizer not initialized");
+ }
+
+ // Necessary to disambiguate.
+ typedef Future<bool>(LocalAuthorizerProcess::*F)(const ACL::SetQuota&);
+
+ return dispatch(
+ process, static_cast<F>(&LocalAuthorizerProcess::authorize), request);
+}
+
} // namespace internal {
} // namespace mesos {
http://git-wip-us.apache.org/repos/asf/mesos/blob/df99dbb8/src/authorizer/local/authorizer.hpp
----------------------------------------------------------------------
diff --git a/src/authorizer/local/authorizer.hpp b/src/authorizer/local/authorizer.hpp
index eb95c9f..1563c11 100644
--- a/src/authorizer/local/authorizer.hpp
+++ b/src/authorizer/local/authorizer.hpp
@@ -65,6 +65,8 @@ public:
const ACL::CreateVolume& request);
virtual process::Future<bool> authorize(
const ACL::DestroyVolume& request);
+ virtual process::Future<bool> authorize(
+ const ACL::SetQuota& request);
private:
LocalAuthorizer();
http://git-wip-us.apache.org/repos/asf/mesos/blob/df99dbb8/src/tests/mesos.cpp
----------------------------------------------------------------------
diff --git a/src/tests/mesos.cpp b/src/tests/mesos.cpp
index 50ba8c4..11ca051 100644
--- a/src/tests/mesos.cpp
+++ b/src/tests/mesos.cpp
@@ -696,6 +696,9 @@ MockAuthorizer::MockAuthorizer()
EXPECT_CALL(*this, authorize(An<const mesos::ACL::DestroyVolume&>()))
.WillRepeatedly(Return(true));
+ EXPECT_CALL(*this, authorize(An<const mesos::ACL::SetQuota&>()))
+ .WillRepeatedly(Return(true));
+
EXPECT_CALL(*this, initialize(An<const Option<ACLs>&>()))
.WillRepeatedly(Return(Nothing()));
}
http://git-wip-us.apache.org/repos/asf/mesos/blob/df99dbb8/src/tests/mesos.hpp
----------------------------------------------------------------------
diff --git a/src/tests/mesos.hpp b/src/tests/mesos.hpp
index 1c6acab..582b018 100644
--- a/src/tests/mesos.hpp
+++ b/src/tests/mesos.hpp
@@ -1209,6 +1209,8 @@ public:
authorize, process::Future<bool>(const ACL::CreateVolume& request));
MOCK_METHOD1(
authorize, process::Future<bool>(const ACL::DestroyVolume& request));
+ MOCK_METHOD1(
+ authorize, process::Future<bool>(const ACL::SetQuota& request));
};