Posted to commits@mesos.apache.org by bm...@apache.org on 2018/08/15 22:49:12 UTC

[mesos] 05/07: Increased and added flag for the master's authentication timeout.

This is an automated email from the ASF dual-hosted git repository.

bmahler pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit 9a1e3ba1724aea950053e6956f58a942bdfdede7
Author: Benjamin Mahler <bm...@apache.org>
AuthorDate: Fri Aug 10 17:09:52 2018 -0700

    Increased and added flag for the master's authentication timeout.
    
    There is not a lot of value in the master timing out a client's
    authentication, other than releasing a small amount of resources.
    We currently have a burned in 5 second timeout, which is largely
    sufficient since most authenticators are implemented to use an
    actor per session and avoid any head-of-line blocking.
    
    Ideally, the master would know how long the client's timeout is and
    the master can use that for its own timeout. The current max backoff
    for schedulers and agents is 1 minute, so this patch bumps the
    master's timeout to be closer to that (15 seconds). We don't bump it
    further because the vast majority of the timeout time is spent in
    the initial trip through the master's queue, which occurs before
    the master sets up its timeout.
    
    This also adds a flag, both to allow users to tune this, as well
    as to allow us to control timing in tests.
    
    Review: https://reviews.apache.org/r/68305
---
 docs/authentication.md       |  4 ++++
 docs/configuration/master.md |  9 +++++++++
 src/master/constants.hpp     |  8 ++++++++
 src/master/flags.cpp         | 10 ++++++++++
 src/master/flags.hpp         |  1 +
 src/master/master.cpp        |  2 +-
 6 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/docs/authentication.md b/docs/authentication.md
index ab3791b..f8fc6a9 100644
--- a/docs/authentication.md
+++ b/docs/authentication.md
@@ -64,6 +64,10 @@ Mesos master and agent processes. For more information, refer to the
   allowed to register. If `false` (the default), unauthenticated agents are also
   allowed to register.
 
+* `--authentication_v0_timeout` - The timeout within which an authentication is
+  expected to complete against a v0 framework or agent. This does not apply to
+  the v0 or v1 HTTP APIs.(default: `15secs`)
+
 * `--authenticators` - Specifies which authenticator module to use.  The default
   is `crammd5`, but additional modules can be added using the `--modules`
   option.
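Review bot: the added bullet is missing a space in "HTTP APIs.(default: `15secs`)", so the sentence and the default run together in the rendered page. Write "HTTP APIs. (default: `15secs`)", which also matches the wording used for the same flag in docs/configuration/master.md.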
diff --git a/docs/configuration/master.md b/docs/configuration/master.md
index 2090090..f290e37 100644
--- a/docs/configuration/master.md
+++ b/docs/configuration/master.md
@@ -265,6 +265,15 @@ load an alternate authenticator module using <code>--modules</code>. (default: c
   </td>
 </tr>
 
+<tr id="authentication_v0_timeout">
+  <td>
+    --authentication_v0_timeout=VALUE
+  </td>
+  <td>
+The timeout within which an authentication is expected to complete against a v0 framework or agent. This does not apply to the v0 or v1 HTTP APIs. (default: <code>15secs</code>)
+  </td>
+</tr>
+
 <tr id="authorizers">
   <td>
     --authorizers=VALUE
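Review bot: the description in the new `authentication_v0_timeout` row says authentication is "expected to complete" within the timeout but not what the master does when it expires. The constants.hpp comment in this same patch says the master cancels the in-progress authentication; stating that here tells operators that too small a value makes v0 frameworks and agents fail authentication and retry.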
diff --git a/src/master/constants.hpp b/src/master/constants.hpp
index f3b257a..76ad0c3 100644
--- a/src/master/constants.hpp
+++ b/src/master/constants.hpp
@@ -47,6 +47,14 @@ constexpr double MIN_CPUS = 0.01;
 // Minimum amount of memory per offer.
 constexpr Bytes MIN_MEM = Megabytes(32);
 
+// Default timeout for v0 framework and agent authentication
+// before the master cancels an in-progress authentication.
+//
+// TODO(bmahler): Ideally, we remove this v0-style authentication
+// in favor of just using HTTP authentication at the libprocess
+// layer.
+constexpr Duration DEFAULT_AUTHENTICATION_V0_TIMEOUT = Seconds(15);
+
 // Default interval the master uses to send heartbeats to an HTTP
 // scheduler.
 constexpr Duration DEFAULT_HEARTBEAT_INTERVAL = Seconds(15);
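Review bot: the comment above DEFAULT_AUTHENTICATION_V0_TIMEOUT does not say why the value is 15 seconds. The reasoning (clients back off up to 1 minute, and most of the wait is spent in the master's queue before this timer starts) exists only in the commit message; a one-line summary in the comment would keep the next change to this constant from being made without it.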
diff --git a/src/master/flags.cpp b/src/master/flags.cpp
index 8fede0d..6ad53ed 100644
--- a/src/master/flags.cpp
+++ b/src/master/flags.cpp
@@ -231,6 +231,16 @@ mesos::internal::master::Flags::Flags()
       "If `false`, unauthenticated agents are also allowed to register.",
       false);
 
+  // TODO(bmahler): Ideally, we remove this v0-style authentication
+  // in favor of just using HTTP authentication at the libprocess
+  // layer.
+  add(&Flags::authentication_v0_timeout,
+      "authentication_v0_timeout",
+      "The timeout within which an authentication is expected\n"
+      "to complete against a v0 framework or agent. This does not\n"
+      "apply to the v0 or v1 HTTP APIs.",
+      DEFAULT_AUTHENTICATION_V0_TIMEOUT);
+
   // TODO(zhitao): Remove deprecated `--authenticate_http` flag name after
   // the deprecation cycle which started with Mesos 1.0.
   add(&Flags::authenticate_http_readwrite,
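Review bot: nothing in the add(&Flags::authentication_v0_timeout, ...) registration rejects a zero or negative duration, and master.cpp passes the value straight to delay(). Such a setting would leave essentially no time before authenticationTimeout is scheduled, which per the constants.hpp comment cancels authentications that are still in progress. Consider checking that the value is positive when the flags are loaded and failing startup with a clear message otherwise.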
diff --git a/src/master/flags.hpp b/src/master/flags.hpp
index 3929c29..4a26015 100644
--- a/src/master/flags.hpp
+++ b/src/master/flags.hpp
@@ -68,6 +68,7 @@ public:
   Option<std::string> weights;
   bool authenticate_frameworks;
   bool authenticate_agents;
+  Duration authentication_v0_timeout;
   bool authenticate_http_readonly;
   bool authenticate_http_readwrite;
   bool authenticate_http_frameworks;
diff --git a/src/master/master.cpp b/src/master/master.cpp
index 400a83e..17bd283 100644
--- a/src/master/master.cpp
+++ b/src/master/master.cpp
@@ -9612,7 +9612,7 @@ void Master::authenticate(const UPID& from, const UPID& pid)
   future.onAny(defer(self(), &Self::_authenticate, pid, lambda::_1));
 
   // Don't wait for authentication to complete forever.
-  delay(Seconds(5),
+  delay(flags.authentication_v0_timeout,
         self(),
         &Self::authenticationTimeout,
         future);
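Review bot: the timer is still armed inside Master::authenticate, after the request has been dequeued, so flags.authentication_v0_timeout bounds only the authenticator exchange and not the queueing time the commit message identifies as the dominant cost. The flag's help text and docs should say so, so that operators do not size it against the client's full backoff. The diffstat also lists no test file, although the commit message gives control of timing in tests as one reason for adding the flag.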