Posted to commits@mesos.apache.org by jo...@apache.org on 2017/11/15 08:13:26 UTC
[02/15] mesos git commit: Added ACLs and AuthZ for standalone
containers.
Added ACLs and AuthZ for standalone containers.
This defines some coarse-grained AuthZ for launching and managing
standalone containers. Each HTTP principal can be given the right
to Launch, Wait upon, Kill, or Remove standalone containers under
a given (posix) user.
Review: https://reviews.apache.org/r/60891
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/e05dc9e7
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/e05dc9e7
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/e05dc9e7
Branch: refs/heads/master
Commit: e05dc9e719bb1e71fda6a42771135425765a6b2d
Parents: 3f25be1
Author: Joseph Wu <jo...@apache.org>
Authored: Fri Jul 14 17:09:41 2017 -0700
Committer: Joseph Wu <jo...@apache.org>
Committed: Tue Nov 14 16:58:40 2017 -0800
----------------------------------------------------------------------
include/mesos/authorizer/acls.proto | 57 ++++++++++++++++
include/mesos/authorizer/authorizer.proto | 24 +++++++
src/authorizer/local/authorizer.cpp | 92 ++++++++++++++++++++++++++
3 files changed, 173 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/e05dc9e7/include/mesos/authorizer/acls.proto
----------------------------------------------------------------------
diff --git a/include/mesos/authorizer/acls.proto b/include/mesos/authorizer/acls.proto
index 587b714..6f36470 100644
--- a/include/mesos/authorizer/acls.proto
+++ b/include/mesos/authorizer/acls.proto
@@ -414,6 +414,59 @@ message ACL {
// access.
required Entity agents = 2;
}
+
+ // Which principals are authorized to launch standalone containers.
+ message LaunchStandaloneContainer {
+ // Subjects: HTTP Username.
+ required Entity principals = 1;
+
+ // Objects: Given implicitly.
+ // Use Entity type ANY or NONE to allow or deny access.
+ //
+ // TODO(josephw): Consider allowing granular permission to launch as
+ // SOME particular operating system users (e.g., linux users).
+ required Entity users = 2;
+ }
+
+ // Which principals are authorized to kill a standalone container.
+ message KillStandaloneContainer {
+ // Subjects: HTTP Username.
+ required Entity principals = 1;
+
+ // Objects: Given implicitly.
+ // Use Entity type ANY or NONE to allow or deny access.
+ //
+ // TODO(josephw): Consider allowing granular permission to act upon
+ // SOME particular operating system users (e.g., linux users).
+ required Entity users = 2;
+ }
+
+ // Which principals are authorized to wait on a standalone container.
+ message WaitStandaloneContainer {
+ // Subjects: HTTP Username.
+ required Entity principals = 1;
+
+ // Objects: Given implicitly.
+ // Use Entity type ANY or NONE to allow or deny access.
+ //
+ // TODO(josephw): Consider allowing granular permission to act upon
+ // SOME particular operating system users (e.g., linux users).
+ required Entity users = 2;
+ }
+
+ // Which principals are authorized to remove the artifacts (sandbox
+ // and runtime directories) of a standalone container.
+ message RemoveStandaloneContainer {
+ // Subjects: HTTP Username.
+ required Entity principals = 1;
+
+ // Objects: Given implicitly.
+ // Use Entity type ANY or NONE to allow or deny access.
+ //
+ // TODO(josephw): Consider allowing granular permission to act upon
+ // SOME particular operating system users (e.g., linux users).
+ required Entity users = 2;
+ }
}
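Review bot: The `users` field comment in LaunchStandaloneContainer tells the config author to use ANY or NONE but does not say what happens with SOME, which this commit's LocalAuthorizer::validate change rejects at ACL load time with an error; the same comment is repeated in KillStandaloneContainer, WaitStandaloneContainer and RemoveStandaloneContainer. Consider adding `// Entity type SOME is rejected by the local authorizer's ACL validation.` after the existing "Use Entity type ANY or NONE" line in all four messages, so the load-time failure is documented where the ACL is defined. The enclosing `message ACL` starts outside the hunk.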
@@ -485,4 +538,8 @@ message ACLs {
repeated ACL.StopMaintenance stop_maintenances = 38;
repeated ACL.GetMaintenanceStatus get_maintenance_statuses = 39;
repeated ACL.MarkAgentGone mark_agents_gone = 40;
+ repeated ACL.LaunchStandaloneContainer launch_standalone_container = 41;
+ repeated ACL.KillStandaloneContainer kill_standalone_container = 42;
+ repeated ACL.WaitStandaloneContainer wait_standalone_container = 43;
+ repeated ACL.RemoveStandaloneContainer remove_standalone_container = 44;
}
http://git-wip-us.apache.org/repos/asf/mesos/blob/e05dc9e7/include/mesos/authorizer/authorizer.proto
----------------------------------------------------------------------
diff --git a/include/mesos/authorizer/authorizer.proto b/include/mesos/authorizer/authorizer.proto
index 87a8057..d84295f 100644
--- a/include/mesos/authorizer/authorizer.proto
+++ b/include/mesos/authorizer/authorizer.proto
@@ -217,6 +217,30 @@ enum Action {
// This action will not fill in any object fields, since a principal is
// either allowed to mark an agent as gone or is unauthorized.
MARK_AGENT_GONE = 34;
+
+ // This action will not fill in any object fields. A principal is either
+ // allowed to launch standalone containers or is unauthorized.
+ //
+ // TODO(josephw): This should set the operating system user in the object.
+ LAUNCH_STANDALONE_CONTAINER = 35;
+
+ // This action will not fill in any object fields. A principal is either
+ // allowed to kill standalone containers or is unauthorized.
+ //
+ // TODO(josephw): This should set the operating system user in the object.
+ KILL_STANDALONE_CONTAINER = 36;
+
+ // This action will not fill in any object fields. A principal is either
+ // allowed to wait upon standalone containers or is unauthorized.
+ //
+ // TODO(josephw): This should set the operating system user in the object.
+ WAIT_STANDALONE_CONTAINER = 37;
+
+ // This action will not fill in any object fields. A principal is either
+ // allowed to remove standalone containers or is unauthorized.
+ //
+ // TODO(josephw): This should set the operating system user in the object.
+ REMOVE_STANDALONE_CONTAINER = 38;
}
http://git-wip-us.apache.org/repos/asf/mesos/blob/e05dc9e7/src/authorizer/local/authorizer.cpp
----------------------------------------------------------------------
diff --git a/src/authorizer/local/authorizer.cpp b/src/authorizer/local/authorizer.cpp
index 2fe7b87..35bf03c 100644
--- a/src/authorizer/local/authorizer.cpp
+++ b/src/authorizer/local/authorizer.cpp
@@ -396,6 +396,10 @@ public:
}
break;
+ case authorization::LAUNCH_STANDALONE_CONTAINER:
+ case authorization::KILL_STANDALONE_CONTAINER:
+ case authorization::WAIT_STANDALONE_CONTAINER:
+ case authorization::REMOVE_STANDALONE_CONTAINER:
case authorization::GET_MAINTENANCE_SCHEDULE:
case authorization::GET_MAINTENANCE_STATUS:
case authorization::MARK_AGENT_GONE:
@@ -665,11 +669,14 @@ public:
case authorization::GET_MAINTENANCE_SCHEDULE:
case authorization::GET_MAINTENANCE_STATUS:
case authorization::KILL_NESTED_CONTAINER:
+ case authorization::KILL_STANDALONE_CONTAINER:
case authorization::LAUNCH_NESTED_CONTAINER:
case authorization::LAUNCH_NESTED_CONTAINER_SESSION:
+ case authorization::LAUNCH_STANDALONE_CONTAINER:
case authorization::MARK_AGENT_GONE:
case authorization::REGISTER_AGENT:
case authorization::REMOVE_NESTED_CONTAINER:
+ case authorization::REMOVE_STANDALONE_CONTAINER:
case authorization::RUN_TASK:
case authorization::SET_LOG_LEVEL:
case authorization::START_MAINTENANCE:
@@ -683,6 +690,7 @@ public:
case authorization::VIEW_FRAMEWORK:
case authorization::VIEW_TASK:
case authorization::WAIT_NESTED_CONTAINER:
+ case authorization::WAIT_STANDALONE_CONTAINER:
case authorization::UNKNOWN:
UNREACHABLE();
}
@@ -876,11 +884,14 @@ public:
case authorization::GET_MAINTENANCE_SCHEDULE:
case authorization::GET_MAINTENANCE_STATUS:
case authorization::KILL_NESTED_CONTAINER:
+ case authorization::KILL_STANDALONE_CONTAINER:
case authorization::LAUNCH_NESTED_CONTAINER:
case authorization::LAUNCH_NESTED_CONTAINER_SESSION:
+ case authorization::LAUNCH_STANDALONE_CONTAINER:
case authorization::MARK_AGENT_GONE:
case authorization::REGISTER_AGENT:
case authorization::REMOVE_NESTED_CONTAINER:
+ case authorization::REMOVE_STANDALONE_CONTAINER:
case authorization::RUN_TASK:
case authorization::SET_LOG_LEVEL:
case authorization::START_MAINTENANCE:
@@ -895,6 +906,7 @@ public:
case authorization::VIEW_FRAMEWORK:
case authorization::VIEW_TASK:
case authorization::WAIT_NESTED_CONTAINER:
+ case authorization::WAIT_STANDALONE_CONTAINER:
UNREACHABLE();
}
@@ -1043,9 +1055,12 @@ public:
case authorization::GET_MAINTENANCE_SCHEDULE:
case authorization::GET_MAINTENANCE_STATUS:
case authorization::KILL_NESTED_CONTAINER:
+ case authorization::KILL_STANDALONE_CONTAINER:
+ case authorization::LAUNCH_STANDALONE_CONTAINER:
case authorization::MARK_AGENT_GONE:
case authorization::REGISTER_AGENT:
case authorization::REMOVE_NESTED_CONTAINER:
+ case authorization::REMOVE_STANDALONE_CONTAINER:
case authorization::RUN_TASK:
case authorization::SET_LOG_LEVEL:
case authorization::START_MAINTENANCE:
@@ -1059,6 +1074,7 @@ public:
case authorization::VIEW_FRAMEWORK:
case authorization::VIEW_TASK:
case authorization::WAIT_NESTED_CONTAINER:
+ case authorization::WAIT_STANDALONE_CONTAINER:
case authorization::UNKNOWN: {
Result<vector<GenericACL>> genericACLs =
createGenericACLs(action, acls);
@@ -1348,6 +1364,50 @@ private:
}
return acls_;
+ case authorization::LAUNCH_STANDALONE_CONTAINER:
+ foreach (const ACL::LaunchStandaloneContainer& acl,
+ acls.launch_standalone_container()) {
+ GenericACL acl_;
+ acl_.subjects = acl.principals();
+ acl_.objects = acl.users();
+
+ acls_.push_back(acl_);
+ }
+
+ return acls_;
+ case authorization::KILL_STANDALONE_CONTAINER:
+ foreach (const ACL::KillStandaloneContainer& acl,
+ acls.kill_standalone_container()) {
+ GenericACL acl_;
+ acl_.subjects = acl.principals();
+ acl_.objects = acl.users();
+
+ acls_.push_back(acl_);
+ }
+
+ return acls_;
+ case authorization::WAIT_STANDALONE_CONTAINER:
+ foreach (const ACL::WaitStandaloneContainer& acl,
+ acls.wait_standalone_container()) {
+ GenericACL acl_;
+ acl_.subjects = acl.principals();
+ acl_.objects = acl.users();
+
+ acls_.push_back(acl_);
+ }
+
+ return acls_;
+ case authorization::REMOVE_STANDALONE_CONTAINER:
+ foreach (const ACL::RemoveStandaloneContainer& acl,
+ acls.remove_standalone_container()) {
+ GenericACL acl_;
+ acl_.subjects = acl.principals();
+ acl_.objects = acl.users();
+
+ acls_.push_back(acl_);
+ }
+
+ return acls_;
case authorization::REGISTER_FRAMEWORK:
case authorization::CREATE_VOLUME:
case authorization::RESERVE_RESOURCES:
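Review bot: The four new cases in createGenericACLs set `acl_.objects = acl.users()` while the matching Action comments in authorizer.proto state that the request carries no object fields, so a reader of this code cannot tell what `users` is matched against; presumably only the ANY/NONE type of the entity decides, with SOME ruled out by validate(). A one-line comment before the first new case would capture this: `// Requests for these actions carry no object; only the ANY/NONE type of users() decides (SOME is rejected by validate()).` The four loop bodies are otherwise identical, which matches the style of the surrounding cases. The enclosing function starts and ends outside the hunk.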
@@ -1479,6 +1539,38 @@ Option<Error> LocalAuthorizer::validate(const ACLs& acls)
}
}
+ foreach (const ACL::LaunchStandaloneContainer& acl,
+ acls.launch_standalone_container()) {
+ if (acl.users().type() == ACL::Entity::SOME) {
+ return Error(
+ "acls.launch_standalone_container type must be either NONE or ANY");
+ }
+ }
+
+ foreach (const ACL::KillStandaloneContainer& acl,
+ acls.kill_standalone_container()) {
+ if (acl.users().type() == ACL::Entity::SOME) {
+ return Error(
+ "acls.kill_standalone_container type must be either NONE or ANY");
+ }
+ }
+
+ foreach (const ACL::WaitStandaloneContainer& acl,
+ acls.wait_standalone_container()) {
+ if (acl.users().type() == ACL::Entity::SOME) {
+ return Error(
+ "acls.wait_standalone_container type must be either NONE or ANY");
+ }
+ }
+
+ foreach (const ACL::RemoveStandaloneContainer& acl,
+ acls.remove_standalone_container()) {
+ if (acl.users().type() == ACL::Entity::SOME) {
+ return Error(
+ "acls.remove_standalone_container type must be either NONE or ANY");
+ }
+ }
+
// TODO(alexr): Consider validating not only protobuf, but also the original
// JSON in order to spot misspelled names. A misspelled action may affect
// authorization result and hence lead to a security issue (e.g. when there
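Review bot: Each error message in the new validate() loops says `type must be either NONE or ANY` without naming the field, yet every standalone-container ACL has two Entity fields (`principals` and `users`) and only `users` is checked, so the diagnostic is ambiguous for the operator who has to fix the ACL file. Naming the field, e.g. `"acls.launch_standalone_container.users type must be either NONE or ANY"`, would point at the right line, provided the existing checks earlier in validate() (outside the hunk) use a compatible wording. The enclosing function starts outside the hunk.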