You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mesos.apache.org by ji...@apache.org on 2016/02/26 20:43:18 UTC
[3/6] mesos git commit: Changed object of `CreateVolume` ACL to
`roles`.
Changed object of `CreateVolume` ACL to `roles`.
This solves a problem in which any principal could create volumes for
any role using the '/create-volumes' operator endpoint.
Review: https://reviews.apache.org/r/43782/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/5dc9f563
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/5dc9f563
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/5dc9f563
Branch: refs/heads/master
Commit: 5dc9f563818c72b35571a9a0a7d62a577769d772
Parents: 082ab0e
Author: Greg Mann <gr...@mesosphere.io>
Authored: Fri Feb 26 11:42:39 2016 -0800
Committer: Jie Yu <yu...@gmail.com>
Committed: Fri Feb 26 11:42:39 2016 -0800
----------------------------------------------------------------------
include/mesos/authorizer/authorizer.proto | 8 +--
src/authorizer/local/authorizer.cpp | 4 +-
src/master/master.cpp | 13 +++-
src/tests/authorization_tests.cpp | 63 +++++++++++++-------
src/tests/persistent_volume_endpoints_tests.cpp | 18 +++---
src/tests/persistent_volume_tests.cpp | 20 +++----
6 files changed, 74 insertions(+), 52 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/5dc9f563/include/mesos/authorizer/authorizer.proto
----------------------------------------------------------------------
diff --git a/include/mesos/authorizer/authorizer.proto b/include/mesos/authorizer/authorizer.proto
index c9fc237..84d2cb3 100644
--- a/include/mesos/authorizer/authorizer.proto
+++ b/include/mesos/authorizer/authorizer.proto
@@ -98,15 +98,13 @@ message ACL {
required Entity reserver_principals = 2;
}
- // Specifies what types of volumes, if any, a principal can create.
+ // Specifies which roles a principal can create volumes for.
message CreateVolume {
// Subjects: Framework principal or Operator username.
required Entity principals = 1;
- // Objects: The principal(s) can create volumes of these types.
- // NOTE: Currently, the only valid values in the default authorizer
- // implementation are ANY and NONE.
- required Entity volume_types = 2;
+ // Objects: The principal(s) can create volumes for these roles.
+ required Entity roles = 2;
}
// Specifies which principals can destroy volumes
http://git-wip-us.apache.org/repos/asf/mesos/blob/5dc9f563/src/authorizer/local/authorizer.cpp
----------------------------------------------------------------------
diff --git a/src/authorizer/local/authorizer.cpp b/src/authorizer/local/authorizer.cpp
index ebb0ec8..a1486bd 100644
--- a/src/authorizer/local/authorizer.cpp
+++ b/src/authorizer/local/authorizer.cpp
@@ -138,10 +138,10 @@ public:
foreach (const ACL::CreateVolume& acl, acls.create_volumes()) {
// ACL matches if both subjects and objects match.
if (matches(request.principals(), acl.principals()) &&
- matches(request.volume_types(), acl.volume_types())) {
+ matches(request.roles(), acl.roles())) {
// ACL is allowed if both subjects and objects are allowed.
return allows(request.principals(), acl.principals()) &&
- allows(request.volume_types(), acl.volume_types());
+ allows(request.roles(), acl.roles());
}
}
http://git-wip-us.apache.org/repos/asf/mesos/blob/5dc9f563/src/master/master.cpp
----------------------------------------------------------------------
diff --git a/src/master/master.cpp b/src/master/master.cpp
index 5522a44..1e64133 100644
--- a/src/master/master.cpp
+++ b/src/master/master.cpp
@@ -2926,9 +2926,16 @@ Future<bool> Master::authorizeCreateVolume(
request.mutable_principals()->set_type(ACL::Entity::ANY);
}
- // TODO(greggomann): Determine what `volume_types` we may want to
- // allow/prevent creation of. Currently, we simply use ANY.
- request.mutable_volume_types()->set_type(ACL::Entity::ANY);
+ // The operation will be authorized if the principal is allowed to create
+ // volumes for all roles included in `create.volumes`.
+ // Add an element to `request.roles` for each unique role in the volumes.
+ hashset<string> roles;
+ foreach (const Resource& volume, create.volumes()) {
+ if (!roles.contains(volume.role())) {
+ request.mutable_roles()->add_values(volume.role());
+ roles.insert(volume.role());
+ }
+ }
LOG(INFO)
<< "Authorizing principal '"
http://git-wip-us.apache.org/repos/asf/mesos/blob/5dc9f563/src/tests/authorization_tests.cpp
----------------------------------------------------------------------
diff --git a/src/tests/authorization_tests.cpp b/src/tests/authorization_tests.cpp
index 27061f1..2b22970 100644
--- a/src/tests/authorization_tests.cpp
+++ b/src/tests/authorization_tests.cpp
@@ -551,27 +551,30 @@ TYPED_TEST(AuthorizationTest, Unreserve)
}
-// This tests the authorization of ACLs used for the creation
-// of persistent volumes.
+// Tests the authorization of ACLs used for the creation of persistent volumes.
TYPED_TEST(AuthorizationTest, CreateVolume)
{
ACLs acls;
- // "foo" and "bar" principals can create any volumes.
+ // Principal "foo" can create volumes for any role.
mesos::ACL::CreateVolume* acl1 = acls.add_create_volumes();
acl1->mutable_principals()->add_values("foo");
- acl1->mutable_principals()->add_values("bar");
- acl1->mutable_volume_types()->set_type(mesos::ACL::Entity::ANY);
+ acl1->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
- // "baz" principal cannot create volumes.
+ // Principal "bar" can only create volumes for the "panda" role.
mesos::ACL::CreateVolume* acl2 = acls.add_create_volumes();
- acl2->mutable_principals()->add_values("baz");
- acl2->mutable_volume_types()->set_type(mesos::ACL::Entity::NONE);
+ acl2->mutable_principals()->add_values("bar");
+ acl2->mutable_roles()->add_values("panda");
- // No other principals can create volumes.
+ // Principal "baz" cannot create volumes.
mesos::ACL::CreateVolume* acl3 = acls.add_create_volumes();
- acl3->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
- acl3->mutable_volume_types()->set_type(mesos::ACL::Entity::NONE);
+ acl3->mutable_principals()->add_values("baz");
+ acl3->mutable_roles()->set_type(mesos::ACL::Entity::NONE);
+
+ // No other principals can create volumes.
+ mesos::ACL::CreateVolume* acl4 = acls.add_create_volumes();
+ acl4->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
+ acl4->mutable_roles()->set_type(mesos::ACL::Entity::NONE);
// Create an Authorizer with the ACLs.
Try<Authorizer*> create = TypeParam::create();
@@ -581,26 +584,40 @@ TYPED_TEST(AuthorizationTest, CreateVolume)
Try<Nothing> initialized = authorizer.get()->initialize(acls);
ASSERT_SOME(initialized);
- // Principals "foo" and "bar" can create volumes, so this request will pass.
+ // Principal "foo" can create volumes for any role, so this request will pass.
mesos::ACL::CreateVolume request1;
request1.mutable_principals()->add_values("foo");
- request1.mutable_principals()->add_values("bar");
- request1.mutable_volume_types()->set_type(mesos::ACL::Entity::ANY);
+ request1.mutable_roles()->add_values("awesome_role");
AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request1));
- // Principal "baz" cannot create volumes, so this request will fail.
+ // Principal "bar" can create volumes for the "panda" role,
+ // so this request will pass.
mesos::ACL::CreateVolume request2;
- request2.mutable_principals()->add_values("baz");
- request2.mutable_volume_types()->set_type(mesos::ACL::Entity::ANY);
- AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request2));
+ request2.mutable_principals()->add_values("bar");
+ request2.mutable_roles()->add_values("panda");
+ AWAIT_EXPECT_TRUE(authorizer.get()->authorize(request2));
- // Principal "zelda" is not mentioned in the ACLs of the Authorizer, so it
- // will be caught by the final ACL, which provides a default case that denies
- // access for all other principals. This case will fail.
+ // Principal "bar" cannot create volumes for the "giraffe" role,
+ // so this request will fail.
mesos::ACL::CreateVolume request3;
- request3.mutable_principals()->add_values("zelda");
- request3.mutable_volume_types()->set_type(mesos::ACL::Entity::ANY);
+ request3.mutable_principals()->add_values("bar");
+ request3.mutable_roles()->add_values("giraffe");
AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request3));
+
+ // Principal "baz" cannot create volumes for any role,
+ // so this request will fail.
+ mesos::ACL::CreateVolume request4;
+ request4.mutable_principals()->add_values("baz");
+ request4.mutable_roles()->add_values("panda");
+ AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request4));
+
+ // Principal "zelda" is not mentioned in the ACLs of the Authorizer, so it
+ // will be caught by the final ACL, which provides a default case that denies
+ // access for all other principals. This request will fail.
+ mesos::ACL::CreateVolume request5;
+ request5.mutable_principals()->add_values("zelda");
+ request5.mutable_roles()->add_values("panda");
+ AWAIT_EXPECT_FALSE(authorizer.get()->authorize(request5));
}
http://git-wip-us.apache.org/repos/asf/mesos/blob/5dc9f563/src/tests/persistent_volume_endpoints_tests.cpp
----------------------------------------------------------------------
diff --git a/src/tests/persistent_volume_endpoints_tests.cpp b/src/tests/persistent_volume_endpoints_tests.cpp
index 6069ca1..270bb1a 100644
--- a/src/tests/persistent_volume_endpoints_tests.cpp
+++ b/src/tests/persistent_volume_endpoints_tests.cpp
@@ -720,10 +720,10 @@ TEST_F(PersistentVolumeEndpointsTest, GoodCreateAndDestroyACL)
ACLs acls;
// This ACL asserts that the principal of `DEFAULT_CREDENTIAL`
- // can create ANY volumes.
+ // can create volumes for any role.
mesos::ACL::CreateVolume* create = acls.add_create_volumes();
create->mutable_principals()->add_values(DEFAULT_CREDENTIAL.principal());
- create->mutable_volume_types()->set_type(mesos::ACL::Entity::ANY);
+ create->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
// This ACL asserts that the principal of `DEFAULT_CREDENTIAL`
// can destroy volumes that it created.
@@ -846,13 +846,13 @@ TEST_F(PersistentVolumeEndpointsTest, BadCreateAndDestroyACL)
mesos::ACL::CreateVolume* cannotCreate = acls.add_create_volumes();
cannotCreate->mutable_principals()->add_values(
DEFAULT_CREDENTIAL.principal());
- cannotCreate->mutable_volume_types()->set_type(mesos::ACL::Entity::NONE);
+ cannotCreate->mutable_roles()->set_type(mesos::ACL::Entity::NONE);
// This ACL asserts that the principal of `DEFAULT_CREDENTIAL_2`
- // can create persistent volumes.
+ // can create persistent volumes for any role.
mesos::ACL::CreateVolume* canCreate = acls.add_create_volumes();
canCreate->mutable_principals()->add_values(DEFAULT_CREDENTIAL_2.principal());
- canCreate->mutable_volume_types()->set_type(mesos::ACL::Entity::ANY);
+ canCreate->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
// This ACL asserts that the principal of `DEFAULT_CREDENTIAL`
// cannot destroy persistent volumes.
@@ -967,10 +967,10 @@ TEST_F(PersistentVolumeEndpointsTest, GoodCreateAndDestroyACLBadCredential)
ACLs acls;
// This ACL asserts that the principal of `failedCredential`
- // can create persistent volumes.
+ // can create persistent volumes for any role.
mesos::ACL::CreateVolume* failedCreate = acls.add_create_volumes();
failedCreate->mutable_principals()->add_values(failedCredential.principal());
- failedCreate->mutable_volume_types()->set_type(mesos::ACL::Entity::ANY);
+ failedCreate->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
// This ACL asserts that the principal of `failedCredential`
// can destroy persistent volumes.
@@ -980,10 +980,10 @@ TEST_F(PersistentVolumeEndpointsTest, GoodCreateAndDestroyACLBadCredential)
mesos::ACL::Entity::ANY);
// This ACL asserts that the principal of `DEFAULT_CREDENTIAL`
- // can create persistent volumes.
+ // can create persistent volumes for any role.
mesos::ACL::CreateVolume* canCreate = acls.add_create_volumes();
canCreate->mutable_principals()->add_values(DEFAULT_CREDENTIAL.principal());
- canCreate->mutable_volume_types()->set_type(mesos::ACL::Entity::ANY);
+ canCreate->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
// Create a master.
master::Flags masterFlags = CreateMasterFlags();
http://git-wip-us.apache.org/repos/asf/mesos/blob/5dc9f563/src/tests/persistent_volume_tests.cpp
----------------------------------------------------------------------
diff --git a/src/tests/persistent_volume_tests.cpp b/src/tests/persistent_volume_tests.cpp
index e169e1b..bf19c81 100644
--- a/src/tests/persistent_volume_tests.cpp
+++ b/src/tests/persistent_volume_tests.cpp
@@ -829,10 +829,10 @@ TEST_P(PersistentVolumeTest, GoodACLCreateThenDestroy)
ACLs acls;
// This ACL declares that the principal of `DEFAULT_CREDENTIAL`
- // can create any persistent volumes.
+ // can create persistent volumes for any role.
mesos::ACL::CreateVolume* create = acls.add_create_volumes();
create->mutable_principals()->add_values(DEFAULT_CREDENTIAL.principal());
- create->mutable_volume_types()->set_type(mesos::ACL::Entity::ANY);
+ create->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
// This ACL declares that the principal of `DEFAULT_CREDENTIAL`
// can destroy its own persistent volumes.
@@ -973,10 +973,10 @@ TEST_P(PersistentVolumeTest, GoodACLNoPrincipal)
ACLs acls;
// This ACL declares that any principal (and also frameworks without a
- // principal) can create persistent volumes.
+ // principal) can create persistent volumes for any role.
mesos::ACL::CreateVolume* create = acls.add_create_volumes();
create->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
- create->mutable_volume_types()->set_type(mesos::ACL::Entity::ANY);
+ create->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
// This ACL declares that any principal (and also frameworks without a
// principal) can destroy persistent volumes.
@@ -1121,16 +1121,16 @@ TEST_P(PersistentVolumeTest, BadACLNoPrincipal)
ACLs acls;
// This ACL declares that the principal of `DEFAULT_FRAMEWORK_INFO`
- // can create persistent volumes.
+ // can create persistent volumes for any role.
mesos::ACL::CreateVolume* create1 = acls.add_create_volumes();
create1->mutable_principals()->add_values(DEFAULT_FRAMEWORK_INFO.principal());
- create1->mutable_volume_types()->set_type(mesos::ACL::Entity::ANY);
+ create1->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
// This ACL declares that any other principals
// cannot create persistent volumes.
mesos::ACL::CreateVolume* create2 = acls.add_create_volumes();
create2->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
- create2->mutable_volume_types()->set_type(mesos::ACL::Entity::NONE);
+ create2->mutable_roles()->set_type(mesos::ACL::Entity::NONE);
// We use this filter so that resources will not
// be filtered for 5 seconds (the default).
@@ -1321,16 +1321,16 @@ TEST_P(PersistentVolumeTest, BadACLDropCreateAndDestroy)
ACLs acls;
// This ACL declares that the principal 'creator-principal'
- // can create persistent volumes.
+ // can create persistent volumes for any role.
mesos::ACL::CreateVolume* create1 = acls.add_create_volumes();
create1->mutable_principals()->add_values("creator-principal");
- create1->mutable_volume_types()->set_type(mesos::ACL::Entity::ANY);
+ create1->mutable_roles()->set_type(mesos::ACL::Entity::ANY);
// This ACL declares that all other principals
// cannot create any persistent volumes.
mesos::ACL::CreateVolume* create = acls.add_create_volumes();
create->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
- create->mutable_volume_types()->set_type(mesos::ACL::Entity::NONE);
+ create->mutable_roles()->set_type(mesos::ACL::Entity::NONE);
// We use the filter explicitly here so that the resources will not
// be filtered for 5 seconds (the default).