Posted to commits@mesos.apache.org by an...@apache.org on 2017/03/24 17:01:48 UTC
[1/6] mesos git commit: Allowed the agent to require executor
authentication.
Repository: mesos
Updated Branches:
refs/heads/master 4e2eddb6f -> 1bb7ed289
Allowed the agent to require executor authentication.
This patch updates the agent initialization code to make use
of the new `--authenticate_http_executors` flag. When the
flag is set, authentication is required on the executor realm
and the JWT authenticator is loaded.
Review: https://reviews.apache.org/r/57671/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/1bb7ed28
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/1bb7ed28
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/1bb7ed28
Branch: refs/heads/master
Commit: 1bb7ed28977d9b03c6a9162e8d8d10c7420a47f9
Parents: 3e62a13
Author: Greg Mann <gr...@mesosphere.io>
Authored: Fri Mar 24 10:01:06 2017 -0700
Committer: Anand Mazumdar <an...@apache.org>
Committed: Fri Mar 24 10:01:33 2017 -0700
----------------------------------------------------------------------
src/common/http.cpp | 39 ++++++++++++++++++++++++++++++-
src/common/http.hpp | 7 +++++-
src/slave/flags.cpp | 3 +--
src/slave/flags.hpp | 2 +-
src/slave/slave.cpp | 60 ++++++++++++++++++++++++++++++++++++++++++++----
src/slave/slave.hpp | 6 +++++
6 files changed, 108 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/1bb7ed28/src/common/http.cpp
----------------------------------------------------------------------
diff --git a/src/common/http.cpp b/src/common/http.cpp
index 942761e..7afbc61 100644
--- a/src/common/http.cpp
+++ b/src/common/http.cpp
@@ -30,6 +30,7 @@
#include <mesos/authorizer/authorizer.hpp>
#include <mesos/module/http_authenticator.hpp>
+#include <process/authenticator.hpp>
#include <process/dispatch.hpp>
#include <process/future.hpp>
#include <process/http.hpp>
@@ -59,6 +60,9 @@ using process::Failure;
using process::Owned;
using process::http::authentication::Authenticator;
+#ifdef USE_SSL_SOCKET
+using process::http::authentication::JWTAuthenticator;
+#endif // USE_SSL_SOCKET
using process::http::authentication::Principal;
using process::http::authorization::AuthorizationCallbacks;
@@ -962,6 +966,28 @@ Result<Authenticator*> createBasicAuthenticator(
}
+#ifdef USE_SSL_SOCKET
+Result<Authenticator*> createJWTAuthenticator(
+ const string& realm,
+ const string& authenticatorName,
+ const Option<string>& secretKey)
+{
+ if (secretKey.isNone()) {
+ return Error(
+ "No secret key provided for the default '" +
+ string(internal::DEFAULT_JWT_HTTP_AUTHENTICATOR) +
+ "' HTTP authenticator for realm '" + realm + "'");
+ }
+
+ LOG(INFO) << "Creating default '"
+ << internal::DEFAULT_JWT_HTTP_AUTHENTICATOR
+ << "' HTTP authenticator for realm '" << realm << "'";
+
+ return new JWTAuthenticator(realm, secretKey.get());
+}
+#endif // USE_SSL_SOCKET
+
+
Result<Authenticator*> createCustomAuthenticator(
const string& realm,
const string& authenticatorName)
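Review bot: `createJWTAuthenticator` only rejects a missing key; an empty string still satisfies `isSome()` and is handed to `JWTAuthenticator` as the signing secret at L74, so a misconfiguration such as `--executor_secret_key=` silently produces tokens signed with an empty key instead of failing startup. Suggest `if (secretKey.isNone() || secretKey.get().empty()) {` with the error text adjusted to "No (or empty) secret key provided". `authenticatorName` is unused in this function, mirroring `createBasicAuthenticator`, so it can stay for symmetry or be dropped from both.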
@@ -986,7 +1012,8 @@ Result<Authenticator*> createCustomAuthenticator(
Try<Nothing> initializeHttpAuthenticators(
const string& realm,
const vector<string>& authenticatorNames,
- const Option<Credentials>& credentials)
+ const Option<Credentials>& credentials,
+ const Option<string>& secretKey)
{
if (authenticatorNames.empty()) {
return Error(
@@ -1000,6 +1027,12 @@ Try<Nothing> initializeHttpAuthenticators(
if (authenticatorNames[0] == internal::DEFAULT_BASIC_HTTP_AUTHENTICATOR) {
authenticator_ =
createBasicAuthenticator(realm, authenticatorNames[0], credentials);
+#ifdef USE_SSL_SOCKET
+ } else if (
+ authenticatorNames[0] == internal::DEFAULT_JWT_HTTP_AUTHENTICATOR) {
+ authenticator_ =
+ createJWTAuthenticator(realm, authenticatorNames[0], secretKey);
+#endif // USE_SSL_SOCKET
} else {
authenticator_ = createCustomAuthenticator(realm, authenticatorNames[0]);
}
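Review bot: The basic/jwt/custom dispatch is now written out twice, here at L93-L104 and again in the next hunk at L107-L115, each with its own `#ifdef USE_SSL_SOCKET` block, so a third default authenticator would have to be threaded through both. A small `createAuthenticator(realm, name, credentials, secretKey)` helper beside the existing `create*Authenticator` functions lets both call sites collapse to one assignment, as sketched below. In non-SSL builds `"jwt"` falls through to `createCustomAuthenticator`, whose error hint (L528-L534) only names `basic`; that is acceptable but deserves a comment on the helper. `initializeHttpAuthenticators` continues outside the hunk.
```cpp
// Maps one authenticator name to its factory. The JWT branch exists only
// in SSL builds; elsewhere "jwt" is treated as a module name and reported
// as not found by createCustomAuthenticator.
Result<Authenticator*> createAuthenticator(
    const string& realm,
    const string& name,
    const Option<Credentials>& credentials,
    const Option<string>& secretKey)
{
  if (name == internal::DEFAULT_BASIC_HTTP_AUTHENTICATOR) {
    return createBasicAuthenticator(realm, name, credentials);
  }
#ifdef USE_SSL_SOCKET
  if (name == internal::DEFAULT_JWT_HTTP_AUTHENTICATOR) {
    return createJWTAuthenticator(realm, name, secretKey);
  }
#endif // USE_SSL_SOCKET
  return createCustomAuthenticator(realm, name);
}

// … unchanged: initializeHttpAuthenticators up to the single-name case …
    Result<Authenticator*> authenticator_ =
      createAuthenticator(realm, authenticatorNames[0], credentials, secretKey);
// … unchanged: the per-name loop uses the same call with `name` …
```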
@@ -1020,6 +1053,10 @@ Try<Nothing> initializeHttpAuthenticators(
Result<Authenticator*> authenticator_ = None();
if (name == internal::DEFAULT_BASIC_HTTP_AUTHENTICATOR) {
authenticator_ = createBasicAuthenticator(realm, name, credentials);
+#ifdef USE_SSL_SOCKET
+ } else if (name == internal::DEFAULT_JWT_HTTP_AUTHENTICATOR) {
+ authenticator_ = createJWTAuthenticator(realm, name, secretKey);
+#endif // USE_SSL_SOCKET
} else {
authenticator_ = createCustomAuthenticator(realm, name);
}
http://git-wip-us.apache.org/repos/asf/mesos/blob/1bb7ed28/src/common/http.hpp
----------------------------------------------------------------------
diff --git a/src/common/http.hpp b/src/common/http.hpp
index 23984b3..9a10312 100644
--- a/src/common/http.hpp
+++ b/src/common/http.hpp
@@ -46,6 +46,9 @@ namespace internal {
// Name of the default, basic authenticator.
constexpr char DEFAULT_BASIC_HTTP_AUTHENTICATOR[] = "basic";
+// Name of the default, JWT authenticator.
+constexpr char DEFAULT_JWT_HTTP_AUTHENTICATOR[] = "jwt";
+
extern hashset<std::string> AUTHORIZABLE_ENDPOINTS;
@@ -206,6 +209,7 @@ bool approveViewRole(
* @param realm name of the realm.
* @param authenticatorNames a vector of authenticator names.
* @param credentials optional credentials for BasicAuthenticator only.
+ * @param secretKey optional secret key for the JWTAuthenticator only.
* @return nothing if authenticators are initialized and registered to
* libprocess successfully, or error if authenticators cannot
* be initialized.
@@ -213,7 +217,8 @@ bool approveViewRole(
Try<Nothing> initializeHttpAuthenticators(
const std::string& realm,
const std::vector<std::string>& httpAuthenticatorNames,
- const Option<Credentials>& credentials);
+ const Option<Credentials>& credentials = None(),
+ const Option<std::string>& secretKey = None());
} // namespace mesos {
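Review bot: Defaulting `credentials` to `None()` makes `initializeHttpAuthenticators(realm, names)` compile for the `basic` authenticator and only report the missing input at runtime (the "No credentials provided" error at L515-L520); only `secretKey` needs a default to keep existing callers building. Suggest `const Option<Credentials>& credentials,` without the `= None()`, keeping `const Option<std::string>& secretKey = None()`. Pre-existing but adjacent: the header names the second parameter `httpAuthenticatorNames` while the definition at L85 calls it `authenticatorNames`.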
http://git-wip-us.apache.org/repos/asf/mesos/blob/1bb7ed28/src/slave/flags.cpp
----------------------------------------------------------------------
diff --git a/src/slave/flags.cpp b/src/slave/flags.cpp
index 8d2e2e3..7688153 100644
--- a/src/slave/flags.cpp
+++ b/src/slave/flags.cpp
@@ -877,8 +877,7 @@ mesos::internal::slave::Flags::Flags()
"HTTP authenticator implementation to use when handling requests to\n"
"authenticated endpoints. Use the default\n"
"`" + string(DEFAULT_BASIC_HTTP_AUTHENTICATOR) + "`, or load an\n"
- "alternate HTTP authenticator module using `--modules`.",
- DEFAULT_BASIC_HTTP_AUTHENTICATOR);
+ "alternate HTTP authenticator module using `--modules`.");
add(&Flags::authenticate_http_readwrite,
"authenticate_http_readwrite",
http://git-wip-us.apache.org/repos/asf/mesos/blob/1bb7ed28/src/slave/flags.hpp
----------------------------------------------------------------------
diff --git a/src/slave/flags.hpp b/src/slave/flags.hpp
index 2d982f9..224fac1 100644
--- a/src/slave/flags.hpp
+++ b/src/slave/flags.hpp
@@ -144,7 +144,7 @@ public:
Option<std::string> modulesDir;
std::string authenticatee;
std::string authorizer;
- std::string http_authenticators;
+ Option<std::string> http_authenticators;
bool authenticate_http_readonly;
bool authenticate_http_readwrite;
#ifdef USE_SSL_SOCKET
http://git-wip-us.apache.org/repos/asf/mesos/blob/1bb7ed28/src/slave/slave.cpp
----------------------------------------------------------------------
diff --git a/src/slave/slave.cpp b/src/slave/slave.cpp
index 3acb29d..d68d6b9 100644
--- a/src/slave/slave.cpp
+++ b/src/slave/slave.cpp
@@ -31,6 +31,8 @@
#include <mesos/type_utils.hpp>
+#include <mesos/authentication/secret_generator.hpp>
+
#include <mesos/module/authenticatee.hpp>
#include <process/async.hpp>
@@ -63,6 +65,10 @@
#include "authentication/cram_md5/authenticatee.hpp"
+#ifdef USE_SSL_SOCKET
+#include "authentication/executor/jwt_secret_generator.hpp"
+#endif // USE_SSL_SOCKET
+
#include "common/build.hpp"
#include "common/protobuf_utils.hpp"
#include "common/resources_utils.hpp"
@@ -98,6 +104,12 @@
using google::protobuf::RepeatedPtrField;
+using mesos::SecretGenerator;
+
+#ifdef USE_SSL_SOCKET
+using mesos::authentication::executor::JWTSecretGenerator;
+#endif // USE_SSL_SOCKET
+
using mesos::authorization::createSubject;
using mesos::executor::Call;
@@ -260,11 +272,50 @@ void Slave::initialize()
httpCredentials = credentials.get();
}
+ string httpAuthenticators;
+ if (flags.http_authenticators.isSome()) {
+ httpAuthenticators = flags.http_authenticators.get();
+#ifdef USE_SSL_SOCKET
+ } else if (flags.authenticate_http_executors) {
+ httpAuthenticators =
+ string(DEFAULT_BASIC_HTTP_AUTHENTICATOR) + "," +
+ string(DEFAULT_JWT_HTTP_AUTHENTICATOR);
+#endif // USE_SSL_SOCKET
+ } else {
+ httpAuthenticators = DEFAULT_BASIC_HTTP_AUTHENTICATOR;
+ }
+
+ Option<string> secretKey;
+#ifdef USE_SSL_SOCKET
+ if (flags.executor_secret_key.isSome()) {
+ secretKey = flags.executor_secret_key.get();
+ secretGenerator.reset(new JWTSecretGenerator(secretKey.get()));
+ }
+
+ if (flags.authenticate_http_executors) {
+ if (flags.executor_secret_key.isNone()) {
+ EXIT(EXIT_FAILURE) << "--executor_secret_key must be specified when "
+ << "--authenticate_http_executors is set to true";
+ }
+
+ Try<Nothing> result = initializeHttpAuthenticators(
+ EXECUTOR_HTTP_AUTHENTICATION_REALM,
+ strings::split(httpAuthenticators, ","),
+ httpCredentials,
+ secretKey);
+
+ if (result.isError()) {
+ EXIT(EXIT_FAILURE) << result.error();
+ }
+ }
+#endif // USE_SSL_SOCKET
+
if (flags.authenticate_http_readonly) {
Try<Nothing> result = initializeHttpAuthenticators(
READONLY_HTTP_AUTHENTICATION_REALM,
- strings::split(flags.http_authenticators, ","),
- httpCredentials);
+ strings::split(httpAuthenticators, ","),
+ httpCredentials,
+ secretKey);
if (result.isError()) {
EXIT(EXIT_FAILURE) << result.error();
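Review bot: `secretKey` and the `basic,jwt` list built at L214-L216 are also passed to the readonly and readwrite realms (L252-L254, and again in the next hunk at L263-L265), so as far as this hunk shows, enabling executor authentication also installs a JWT authenticator keyed with the executor secret on the operator endpoints, and any holder of an executor-issued token presumably authenticates there too. If JWT is meant for the executor realm only, pass `secretKey` (and the `jwt` entry) solely to the `EXECUTOR_HTTP_AUTHENTICATION_REALM` call; otherwise a comment stating that authorization is relied on for those realms would help the next reader. The reverse gap also exists: an explicit `--http_authenticators` that omits `jwt` is accepted while `--authenticate_http_executors` is set, leaving the executor realm without the authenticator the `JWTSecretGenerator` at L226 issues tokens for, so an `EXIT(EXIT_FAILURE)` as at L231 (or at least a warning) for that combination seems warranted. `secretGenerator` is also created whenever `--executor_secret_key` is given even with the flag off, which looks intentional but deserves a comment. `Slave::initialize` continues past the end of this hunk.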
@@ -274,8 +325,9 @@ void Slave::initialize()
if (flags.authenticate_http_readwrite) {
Try<Nothing> result = initializeHttpAuthenticators(
READWRITE_HTTP_AUTHENTICATION_REALM,
- strings::split(flags.http_authenticators, ","),
- httpCredentials);
+ strings::split(httpAuthenticators, ","),
+ httpCredentials,
+ secretKey);
if (result.isError()) {
EXIT(EXIT_FAILURE) << result.error();
http://git-wip-us.apache.org/repos/asf/mesos/blob/1bb7ed28/src/slave/slave.hpp
----------------------------------------------------------------------
diff --git a/src/slave/slave.hpp b/src/slave/slave.hpp
index 7ab646e..e06525b 100644
--- a/src/slave/slave.hpp
+++ b/src/slave/slave.hpp
@@ -32,6 +32,8 @@
#include <mesos/agent/agent.hpp>
+#include <mesos/authentication/secret_generator.hpp>
+
#include <mesos/executor/executor.hpp>
#include <mesos/master/detector.hpp>
@@ -884,6 +886,10 @@ private:
// The most recent estimate of the total amount of oversubscribed
// (allocated and oversubscribable) resources.
Option<Resources> oversubscribedResources;
+
+protected:
+ // Made protected for testing purposes.
+ process::Owned<mesos::SecretGenerator> secretGenerator;
};
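Review bot: The new `secretGenerator` member carries no note about when it is populated: in this commit it is only reset in `Slave::initialize` when `--executor_secret_key` is set (slave.cpp L224-L227) and is otherwise a null `Owned`, so readers must check it before dereferencing. Suggest `// Null unless `--executor_secret_key` is set; made protected for testing purposes.` in place of the current comment. A `protected:` section appended after the class's trailing `private:` members is unusual; if the class already has a protected section elsewhere (not visible here), placing it there would be tidier.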
[5/6] mesos git commit: Enabled authentication on the V1 executor API.
Posted by an...@apache.org.
Enabled authentication on the V1 executor API.
This patch updates the `v1/executor` endpoint on the agent to
route through the correct authentication realm, so that the
agent may require authentication on the executor API.
Review: https://reviews.apache.org/r/57670/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/3e62a134
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/3e62a134
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/3e62a134
Branch: refs/heads/master
Commit: 3e62a134210f1ea3f5de8b02f761d2e50898b70d
Parents: ede7944
Author: Greg Mann <gr...@mesosphere.io>
Authored: Fri Mar 24 10:00:59 2017 -0700
Committer: Anand Mazumdar <an...@apache.org>
Committed: Fri Mar 24 10:01:33 2017 -0700
----------------------------------------------------------------------
src/slave/constants.hpp | 3 +++
src/slave/http.cpp | 4 +++-
src/slave/slave.cpp | 6 ++++--
src/slave/slave.hpp | 4 +++-
4 files changed, 13 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/3e62a134/src/slave/constants.hpp
----------------------------------------------------------------------
diff --git a/src/slave/constants.hpp b/src/slave/constants.hpp
index 1f3c543..ef978d6 100644
--- a/src/slave/constants.hpp
+++ b/src/slave/constants.hpp
@@ -142,6 +142,9 @@ constexpr char READONLY_HTTP_AUTHENTICATION_REALM[] = "mesos-agent-readonly";
// Name of the agent HTTP authentication realm for read-write endpoints.
constexpr char READWRITE_HTTP_AUTHENTICATION_REALM[] = "mesos-agent-readwrite";
+// Name of the agent HTTP authentication realm for HTTP executors.
+constexpr char EXECUTOR_HTTP_AUTHENTICATION_REALM[] = "mesos-agent-executor";
+
// Default maximum storage space to be used by the fetcher cache.
constexpr Bytes DEFAULT_FETCHER_CACHE_SIZE = Gigabytes(2);
http://git-wip-us.apache.org/repos/asf/mesos/blob/3e62a134/src/slave/http.cpp
----------------------------------------------------------------------
diff --git a/src/slave/http.cpp b/src/slave/http.cpp
index 1ab6f94..e253ce9 100644
--- a/src/slave/http.cpp
+++ b/src/slave/http.cpp
@@ -635,7 +635,9 @@ string Slave::Http::EXECUTOR_HELP() {
}
-Future<Response> Slave::Http::executor(const Request& request) const
+Future<Response> Slave::Http::executor(
+ const Request& request,
+ const Option<Principal>& principal) const
{
if (!slave->recoveryInfo.reconnect) {
CHECK(slave->state == RECOVERING);
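Review bot: The new `principal` parameter is not used on any line visible in this hunk, and the body of `Slave::Http::executor` continues outside it; if the principal is not consulted there, authentication on this realm establishes that the caller holds a valid credential but not that it may act for the executor or framework named in the request. A short comment on the signature describing when `principal` is expected to be None (in this series the realm is only initialized under `USE_SSL_SOCKET` and when `--authenticate_http_executors` is set), or a TODO marking where the principal is meant to be checked against the call, would make that contract explicit.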
http://git-wip-us.apache.org/repos/asf/mesos/blob/3e62a134/src/slave/slave.cpp
----------------------------------------------------------------------
diff --git a/src/slave/slave.cpp b/src/slave/slave.cpp
index c6ee4fa..3acb29d 100644
--- a/src/slave/slave.cpp
+++ b/src/slave/slave.cpp
@@ -565,10 +565,12 @@ void Slave::initialize()
options);
route("/api/v1/executor",
+ EXECUTOR_HTTP_AUTHENTICATION_REALM,
Http::EXECUTOR_HELP(),
- [this](const process::http::Request& request) {
+ [this](const process::http::Request& request,
+ const Option<Principal>& principal) {
Http::log(request);
- return http.executor(request);
+ return http.executor(request, principal);
});
// TODO(ijimenez): Remove this endpoint at the end of the
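Review bot: The route is now bound to `EXECUTOR_HTTP_AUTHENTICATION_REALM`, but in this series that realm only receives an authenticator under `USE_SSL_SOCKET` and when `--authenticate_http_executors` is set (1bb7ed28, L229-L244); what `route` does for a realm with no installed authenticator is not visible here, presumably the handler runs with `principal` None. A one-line comment above the route, `// Authenticated only when an authenticator is installed for this realm; otherwise principal is None.`, would keep that open-by-default behaviour from surprising a reader. `Slave::initialize` extends on both sides of the hunk.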
http://git-wip-us.apache.org/repos/asf/mesos/blob/3e62a134/src/slave/slave.hpp
----------------------------------------------------------------------
diff --git a/src/slave/slave.hpp b/src/slave/slave.hpp
index f365a53..7ab646e 100644
--- a/src/slave/slave.hpp
+++ b/src/slave/slave.hpp
@@ -503,7 +503,9 @@ private:
// /api/v1/executor
process::Future<process::http::Response> executor(
- const process::http::Request& request) const;
+ const process::http::Request& request,
+ const Option<process::http::authentication::Principal>&
+ principal) const;
// /slave/flags
process::Future<process::http::Response> flags(
[2/6] mesos git commit: Added the '--authenticate_http_executors'
agent flag.
Posted by an...@apache.org.
Added the '--authenticate_http_executors' agent flag.
This patch adds a new agent flag, `--authenticate_http_executors`,
which requires authentication on the V1 executor API and loads the
default JWT authenticator.
Review: https://reviews.apache.org/r/57666/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/ede79444
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/ede79444
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/ede79444
Branch: refs/heads/master
Commit: ede794446284c5a68dd0ca205e0fee12edfa501c
Parents: faf0c08
Author: Greg Mann <gr...@mesosphere.io>
Authored: Fri Mar 24 10:00:50 2017 -0700
Committer: Anand Mazumdar <an...@apache.org>
Committed: Fri Mar 24 10:01:33 2017 -0700
----------------------------------------------------------------------
docs/configuration.md | 14 ++++++++++++--
src/slave/flags.cpp | 13 ++++++++++---
src/slave/flags.hpp | 3 +++
3 files changed, 25 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/ede79444/docs/configuration.md
----------------------------------------------------------------------
diff --git a/docs/configuration.md b/docs/configuration.md
index 2e9b829..6f1675f 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -127,8 +127,7 @@ HTTP authenticator implementation to use when handling requests to
authenticated endpoints. Use the default
<code>basic</code>, or load an alternate
HTTP authenticator module using <code>--modules</code>.
-<p/>
-Currently there is no support for multiple HTTP authenticators. (default: basic)
+(default: basic, or basic and JWT if executor authentication is enabled)
</td>
</tr>
<tr>
@@ -1050,6 +1049,17 @@ Attributes of the agent machine, in the form:
</tr>
<tr>
<td>
+ --[no-]authenticate_http_executors
+ </td>
+ <td>
+If <code>true</code>, only authenticated requests for the HTTP executor API are
+allowed. If <code>false</code>, unauthenticated requests are also allowed. This
+flag is only available when Mesos is built with SSL support.
+(default: false)
+ </td>
+</tr>
+<tr>
+ <td>
--authenticatee=VALUE
</td>
<td>
http://git-wip-us.apache.org/repos/asf/mesos/blob/ede79444/src/slave/flags.cpp
----------------------------------------------------------------------
diff --git a/src/slave/flags.cpp b/src/slave/flags.cpp
index 3c3cbe0..8d2e2e3 100644
--- a/src/slave/flags.cpp
+++ b/src/slave/flags.cpp
@@ -877,9 +877,7 @@ mesos::internal::slave::Flags::Flags()
"HTTP authenticator implementation to use when handling requests to\n"
"authenticated endpoints. Use the default\n"
"`" + string(DEFAULT_BASIC_HTTP_AUTHENTICATOR) + "`, or load an\n"
- "alternate HTTP authenticator module using `--modules`.\n"
- "\n"
- "Currently there is no support for multiple HTTP authenticators.",
+ "alternate HTTP authenticator module using `--modules`.",
DEFAULT_BASIC_HTTP_AUTHENTICATOR);
add(&Flags::authenticate_http_readwrite,
@@ -896,6 +894,15 @@ mesos::internal::slave::Flags::Flags()
"requests to such HTTP endpoints are also allowed.",
false);
+#ifdef USE_SSL_SOCKET
+ add(&Flags::authenticate_http_executors,
+ "authenticate_http_executors",
+ "If `true`, only authenticated requests for the HTTP executor API are\n"
+ "allowed. If `false`, unauthenticated requests are also allowed. This\n"
+ "flag is only available when Mesos is built with SSL support.",
+ false);
+#endif // USE_SSL_SOCKET
+
add(&Flags::http_credentials,
"http_credentials",
"Path to a JSON-formatted file containing credentials used to\n"
http://git-wip-us.apache.org/repos/asf/mesos/blob/ede79444/src/slave/flags.hpp
----------------------------------------------------------------------
diff --git a/src/slave/flags.hpp b/src/slave/flags.hpp
index fec0354..2d982f9 100644
--- a/src/slave/flags.hpp
+++ b/src/slave/flags.hpp
@@ -147,6 +147,9 @@ public:
std::string http_authenticators;
bool authenticate_http_readonly;
bool authenticate_http_readwrite;
+#ifdef USE_SSL_SOCKET
+ bool authenticate_http_executors;
+#endif // USE_SSL_SOCKET
Option<Path> http_credentials;
Option<std::string> hooks;
Option<std::string> resource_estimator;
[3/6] mesos git commit: Renamed a constant.
Posted by an...@apache.org.
Renamed a constant.
Renamed the constant containing the default basic HTTP
authenticator's name to accommodate the addition of the
default JWT authenticator.
Review: https://reviews.apache.org/r/57665/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/7a267c9e
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/7a267c9e
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/7a267c9e
Branch: refs/heads/master
Commit: 7a267c9eb0c979780d8d735e1c861a7f3aa28748
Parents: 4e2eddb
Author: Greg Mann <gr...@mesosphere.io>
Authored: Fri Mar 24 10:00:30 2017 -0700
Committer: Anand Mazumdar <an...@apache.org>
Committed: Fri Mar 24 10:01:33 2017 -0700
----------------------------------------------------------------------
src/common/http.cpp | 11 ++++++-----
src/common/http.hpp | 2 +-
src/master/flags.cpp | 10 +++++-----
src/slave/flags.cpp | 6 +++---
4 files changed, 15 insertions(+), 14 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/7a267c9e/src/common/http.cpp
----------------------------------------------------------------------
diff --git a/src/common/http.cpp b/src/common/http.cpp
index ce32ff3..942761e 100644
--- a/src/common/http.cpp
+++ b/src/common/http.cpp
@@ -950,11 +950,12 @@ Result<Authenticator*> createBasicAuthenticator(
if (credentials.isNone()) {
return Error(
"No credentials provided for the default '" +
- string(internal::DEFAULT_HTTP_AUTHENTICATOR) +
+ string(internal::DEFAULT_BASIC_HTTP_AUTHENTICATOR) +
"' HTTP authenticator for realm '" + realm + "'");
}
- LOG(INFO) << "Creating default '" << internal::DEFAULT_HTTP_AUTHENTICATOR
+ LOG(INFO) << "Creating default '"
+ << internal::DEFAULT_BASIC_HTTP_AUTHENTICATOR
<< "' HTTP authenticator for realm '" << realm << "'";
return BasicAuthenticatorFactory::create(realm, credentials.get());
@@ -969,7 +970,7 @@ Result<Authenticator*> createCustomAuthenticator(
return Error(
"HTTP authenticator '" + authenticatorName + "' not found. "
"Check the spelling (compare to '" +
- string(internal::DEFAULT_HTTP_AUTHENTICATOR) +
+ string(internal::DEFAULT_BASIC_HTTP_AUTHENTICATOR) +
"') or verify that the authenticator was loaded "
"successfully (see --modules)");
}
@@ -996,7 +997,7 @@ Try<Nothing> initializeHttpAuthenticators(
if (authenticatorNames.size() == 1) {
Result<Authenticator*> authenticator_ = None();
- if (authenticatorNames[0] == internal::DEFAULT_HTTP_AUTHENTICATOR) {
+ if (authenticatorNames[0] == internal::DEFAULT_BASIC_HTTP_AUTHENTICATOR) {
authenticator_ =
createBasicAuthenticator(realm, authenticatorNames[0], credentials);
} else {
@@ -1017,7 +1018,7 @@ Try<Nothing> initializeHttpAuthenticators(
vector<Owned<Authenticator>> authenticators;
foreach (const string& name, authenticatorNames) {
Result<Authenticator*> authenticator_ = None();
- if (name == internal::DEFAULT_HTTP_AUTHENTICATOR) {
+ if (name == internal::DEFAULT_BASIC_HTTP_AUTHENTICATOR) {
authenticator_ = createBasicAuthenticator(realm, name, credentials);
} else {
authenticator_ = createCustomAuthenticator(realm, name);
http://git-wip-us.apache.org/repos/asf/mesos/blob/7a267c9e/src/common/http.hpp
----------------------------------------------------------------------
diff --git a/src/common/http.hpp b/src/common/http.hpp
index a3cfc5d..23984b3 100644
--- a/src/common/http.hpp
+++ b/src/common/http.hpp
@@ -44,7 +44,7 @@ class Task;
namespace internal {
// Name of the default, basic authenticator.
-constexpr char DEFAULT_HTTP_AUTHENTICATOR[] = "basic";
+constexpr char DEFAULT_BASIC_HTTP_AUTHENTICATOR[] = "basic";
extern hashset<std::string> AUTHORIZABLE_ENDPOINTS;
http://git-wip-us.apache.org/repos/asf/mesos/blob/7a267c9e/src/master/flags.cpp
----------------------------------------------------------------------
diff --git a/src/master/flags.cpp b/src/master/flags.cpp
index d25cfdd..b7a129b 100644
--- a/src/master/flags.cpp
+++ b/src/master/flags.cpp
@@ -516,18 +516,18 @@ mesos::internal::master::Flags::Flags()
"http_authenticators",
"HTTP authenticator implementation to use when handling requests to\n"
"authenticated endpoints. Use the default\n"
- "`" + string(DEFAULT_HTTP_AUTHENTICATOR) + "`, or load an alternate\n"
- "HTTP authenticator module using `--modules`.\n"
+ "`" + string(DEFAULT_BASIC_HTTP_AUTHENTICATOR) + "`, or load an\n"
+ "alternate HTTP authenticator module using `--modules`.\n"
"\n"
"Currently there is no support for multiple HTTP authenticators.",
- DEFAULT_HTTP_AUTHENTICATOR);
+ DEFAULT_BASIC_HTTP_AUTHENTICATOR);
add(&Flags::http_framework_authenticators,
"http_framework_authenticators",
"HTTP authenticator implementation to use when authenticating HTTP\n"
"frameworks. Use the \n"
- "`" + string(DEFAULT_HTTP_AUTHENTICATOR) + "` authenticator or load an\n"
- "alternate authenticator module using `--modules`.\n"
+ "`" + string(DEFAULT_BASIC_HTTP_AUTHENTICATOR) + "` authenticator or\n"
+ "load an alternate authenticator module using `--modules`.\n"
"Must be used in conjunction with `--http_authenticate_frameworks`.\n"
"\n"
"Currently there is no support for multiple HTTP framework\n"
http://git-wip-us.apache.org/repos/asf/mesos/blob/7a267c9e/src/slave/flags.cpp
----------------------------------------------------------------------
diff --git a/src/slave/flags.cpp b/src/slave/flags.cpp
index 4637ca6..7198793 100644
--- a/src/slave/flags.cpp
+++ b/src/slave/flags.cpp
@@ -869,11 +869,11 @@ mesos::internal::slave::Flags::Flags()
"http_authenticators",
"HTTP authenticator implementation to use when handling requests to\n"
"authenticated endpoints. Use the default\n"
- "`" + string(DEFAULT_HTTP_AUTHENTICATOR) + "`, or load an alternate\n"
- "HTTP authenticator module using `--modules`.\n"
+ "`" + string(DEFAULT_BASIC_HTTP_AUTHENTICATOR) + "`, or load an\n"
+ "alternate HTTP authenticator module using `--modules`.\n"
"\n"
"Currently there is no support for multiple HTTP authenticators.",
- DEFAULT_HTTP_AUTHENTICATOR);
+ DEFAULT_BASIC_HTTP_AUTHENTICATOR);
add(&Flags::authenticate_http_readwrite,
"authenticate_http_readwrite",
[6/6] mesos git commit: Added the '--executor_secret_key' agent flag.
Posted by an...@apache.org.
Added the '--executor_secret_key' agent flag.
Added a new agent flag, `--executor_secret_key` to allow the
specification of a secret key to be used when generating and
authenticating default executor tokens.
Review: https://reviews.apache.org/r/57664/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/faf0c087
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/faf0c087
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/faf0c087
Branch: refs/heads/master
Commit: faf0c08721b5461de14304ec763dd80377b4fe95
Parents: be2c67c
Author: Greg Mann <gr...@mesosphere.io>
Authored: Fri Mar 24 10:00:40 2017 -0700
Committer: Anand Mazumdar <an...@apache.org>
Committed: Fri Mar 24 10:01:33 2017 -0700
----------------------------------------------------------------------
docs/configuration.md | 9 +++++++++
src/slave/flags.cpp | 7 +++++++
src/slave/flags.hpp | 3 +++
3 files changed, 19 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/faf0c087/docs/configuration.md
----------------------------------------------------------------------
diff --git a/docs/configuration.md b/docs/configuration.md
index 9f74740..2e9b829 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -1405,6 +1405,15 @@ in memory. (default: 150)
</tr>
<tr>
<td>
+ --executor_secret_key=VALUE
+ </td>
+ <td>
+The key used when generating executor secrets. This flag is only
+available when Mesos is built with SSL support.
+ </td>
+</tr>
+<tr>
+ <td>
--executor_shutdown_grace_period=VALUE
</td>
<td>
http://git-wip-us.apache.org/repos/asf/mesos/blob/faf0c087/src/slave/flags.cpp
----------------------------------------------------------------------
diff --git a/src/slave/flags.cpp b/src/slave/flags.cpp
index 7198793..3c3cbe0 100644
--- a/src/slave/flags.cpp
+++ b/src/slave/flags.cpp
@@ -342,6 +342,13 @@ mesos::internal::slave::Flags::Flags()
"terminations may occur.",
DEFAULT_EXECUTOR_SHUTDOWN_GRACE_PERIOD);
+#ifdef USE_SSL_SOCKET
+ add(&Flags::executor_secret_key,
+ "executor_secret_key",
+ "The key used when generating executor secrets. This flag is only\n"
+ "available when Mesos is built with SSL support.");
+#endif // USE_SSL_SOCKET
+
add(&Flags::gc_delay,
"gc_delay",
"Maximum amount of time to wait before cleaning up\n"
http://git-wip-us.apache.org/repos/asf/mesos/blob/faf0c087/src/slave/flags.hpp
----------------------------------------------------------------------
diff --git a/src/slave/flags.hpp b/src/slave/flags.hpp
index 2c4bd6a..fec0354 100644
--- a/src/slave/flags.hpp
+++ b/src/slave/flags.hpp
@@ -77,6 +77,9 @@ public:
Option<JSON::Object> executor_environment_variables;
Duration executor_registration_timeout;
Duration executor_shutdown_grace_period;
+#ifdef USE_SSL_SOCKET
+ Option<std::string> executor_secret_key;
+#endif // USE_SSL_SOCKET
Duration gc_delay;
double gc_disk_headroom;
Duration disk_watch_interval;
[4/6] mesos git commit: Changed the namespaces of the secret
generators.
Posted by an...@apache.org.
Changed the namespaces of the secret generators.
This patch updates the namespaces of the secret generators.
The `SecretGenerator` is placed into `mesos::`, consistent
with other classes declared in files in the same directory.
The implementations in `src/authentication/` do not exhibit
a consistent pattern, so the `JWTSecretGenerator` was placed
in a namespace indicative of its directory structure:
`mesos::authentication::executor`.
Review: https://reviews.apache.org/r/57840/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/be2c67c1
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/be2c67c1
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/be2c67c1
Branch: refs/heads/master
Commit: be2c67c1525236dda774c7c4a6c1894b7f8eaa81
Parents: 7a267c9
Author: Greg Mann <gr...@mesosphere.io>
Authored: Fri Mar 24 10:00:35 2017 -0700
Committer: Anand Mazumdar <an...@apache.org>
Committed: Fri Mar 24 10:01:33 2017 -0700
----------------------------------------------------------------------
include/mesos/authentication/secret_generator.hpp | 4 ----
include/mesos/module/secret_generator.hpp | 8 ++++----
src/authentication/executor/jwt_secret_generator.cpp | 4 ++--
src/authentication/executor/jwt_secret_generator.hpp | 4 ++--
src/tests/secret_generator_tests.cpp | 2 +-
5 files changed, 9 insertions(+), 13 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/be2c67c1/include/mesos/authentication/secret_generator.hpp
----------------------------------------------------------------------
diff --git a/include/mesos/authentication/secret_generator.hpp b/include/mesos/authentication/secret_generator.hpp
index f2fb0e7..680b0d6 100644
--- a/include/mesos/authentication/secret_generator.hpp
+++ b/include/mesos/authentication/secret_generator.hpp
@@ -23,8 +23,6 @@
#include <process/http.hpp>
namespace mesos {
-namespace http {
-namespace authentication {
/**
* The SecretGenerator interface represents a mechanism to create a secret
@@ -42,8 +40,6 @@ public:
const process::http::authentication::Principal& principal) = 0;
};
-} // namespace authentication {
-} // namespace http {
} // namespace mesos {
#endif // __MESOS_AUTHENTICATION_SECRET_GENERATOR_HPP__
http://git-wip-us.apache.org/repos/asf/mesos/blob/be2c67c1/include/mesos/module/secret_generator.hpp
----------------------------------------------------------------------
diff --git a/include/mesos/module/secret_generator.hpp b/include/mesos/module/secret_generator.hpp
index c8b7d8c..2add6b8 100644
--- a/include/mesos/module/secret_generator.hpp
+++ b/include/mesos/module/secret_generator.hpp
@@ -26,14 +26,14 @@ namespace mesos {
namespace modules {
template <>
-inline const char* kind<mesos::http::authentication::SecretGenerator>()
+inline const char* kind<mesos::SecretGenerator>()
{
return "SecretGenerator";
}
template <>
-struct Module<mesos::http::authentication::SecretGenerator> : ModuleBase
+struct Module<mesos::SecretGenerator> : ModuleBase
{
Module(
const char* _moduleApiVersion,
@@ -47,14 +47,14 @@ struct Module<mesos::http::authentication::SecretGenerator> : ModuleBase
: ModuleBase(
_moduleApiVersion,
_mesosVersion,
- mesos::modules::kind<mesos::http::authentication::SecretGenerator>(),
+ mesos::modules::kind<mesos::SecretGenerator>(),
_authorName,
_authorEmail,
_description,
_compatible),
create(_create) {}
- mesos::http::authentication::SecretGenerator* (*create)(
+ mesos::SecretGenerator* (*create)(
const Parameters& parameters);
};
http://git-wip-us.apache.org/repos/asf/mesos/blob/be2c67c1/src/authentication/executor/jwt_secret_generator.cpp
----------------------------------------------------------------------
diff --git a/src/authentication/executor/jwt_secret_generator.cpp b/src/authentication/executor/jwt_secret_generator.cpp
index 6aed6bd..5530a84 100644
--- a/src/authentication/executor/jwt_secret_generator.cpp
+++ b/src/authentication/executor/jwt_secret_generator.cpp
@@ -22,8 +22,8 @@
#include <stout/stringify.hpp>
namespace mesos {
-namespace http {
namespace authentication {
+namespace executor {
using process::Failure;
using process::Future;
@@ -70,6 +70,6 @@ Future<Secret> JWTSecretGenerator::generate(const Principal& principal)
return result;
}
+} // namespace executor {
} // namespace authentication {
-} // namespace http {
} // namespace mesos {
http://git-wip-us.apache.org/repos/asf/mesos/blob/be2c67c1/src/authentication/executor/jwt_secret_generator.hpp
----------------------------------------------------------------------
diff --git a/src/authentication/executor/jwt_secret_generator.hpp b/src/authentication/executor/jwt_secret_generator.hpp
index a945358..91c0d86 100644
--- a/src/authentication/executor/jwt_secret_generator.hpp
+++ b/src/authentication/executor/jwt_secret_generator.hpp
@@ -25,8 +25,8 @@
#include <process/future.hpp>
namespace mesos {
-namespace http {
namespace authentication {
+namespace executor {
/**
* Creates a VALUE-type secret containing a JWT. When the secret is
@@ -48,8 +48,8 @@ private:
std::string secret_;
};
+} // namespace executor {
} // namespace authentication {
-} // namespace http {
} // namespace mesos {
#endif // __MESOS_AUTHENTICATION_EXECUTOR_JWT_SECRET_GENERATOR_HPP__
http://git-wip-us.apache.org/repos/asf/mesos/blob/be2c67c1/src/tests/secret_generator_tests.cpp
----------------------------------------------------------------------
diff --git a/src/tests/secret_generator_tests.cpp b/src/tests/secret_generator_tests.cpp
index 81fd54d..7fd649b 100644
--- a/src/tests/secret_generator_tests.cpp
+++ b/src/tests/secret_generator_tests.cpp
@@ -35,7 +35,7 @@ namespace mesos {
namespace internal {
namespace tests {
-using mesos::http::authentication::JWTSecretGenerator;
+using mesos::authentication::executor::JWTSecretGenerator;
using process::Future;