Posted to commits@mesos.apache.org by me...@apache.org on 2016/12/14 03:37:23 UTC

[3/4] mesos git commit: Enabled authorization for the GET_FLAGS API Call.

Enabled authorization for the GET_FLAGS API Call.

Adds the stub which allows for restriction of users when attempting
to access the `GET_FLAGS` API v1 call.

Review: https://reviews.apache.org/r/54661/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/77b66ba1
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/77b66ba1
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/77b66ba1

Branch: refs/heads/master
Commit: 77b66ba1b4826ce5f84f675ad2363b8bc3b5d73f
Parents: 982abdb
Author: Alexander Rojas <al...@mesosphere.io>
Authored: Tue Dec 13 17:29:13 2016 -0800
Committer: Adam B <ad...@mesosphere.io>
Committed: Tue Dec 13 17:30:26 2016 -0800

----------------------------------------------------------------------
 src/slave/http.cpp | 31 +++++++++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/77b66ba1/src/slave/http.cpp
----------------------------------------------------------------------
diff --git a/src/slave/http.cpp b/src/slave/http.cpp
index 0210379..6784fc5 100644
--- a/src/slave/http.cpp
+++ b/src/slave/http.cpp
@@ -755,9 +755,36 @@ Future<Response> Slave::Http::getFlags(
 {
   CHECK_EQ(agent::Call::GET_FLAGS, call.type());
 
-  return OK(serialize(acceptType,
-                      evolve<v1::agent::Response::GET_FLAGS>(_flags())),
+  Future<Owned<ObjectApprover>> approver;
+
+  if (slave->authorizer.isSome()) {
+    authorization::Subject subject;
+    if (principal.isSome()) {
+      subject.set_value(principal.get());
+    }
+
+    approver = slave->authorizer.get()->getObjectApprover(
+        subject, authorization::VIEW_FLAGS);
+  } else {
+    approver = Owned<ObjectApprover>(new AcceptingObjectApprover());
+  }
+
+  return approver.then(defer(slave->self(),
+      [this, acceptType](
+          const Owned<ObjectApprover>& approver) -> Future<Response> {
+        Try<bool> approved = approver->approved(ObjectApprover::Object());
+
+        if (approved.isError()) {
+          return InternalServerError(approved.error());
+        } else if (!approved.get()) {
+          return Forbidden();
+        }
+
+        return OK(
+            serialize(
+                acceptType, evolve<v1::agent::Response::GET_FLAGS>(_flags())),
             stringify(acceptType));
+      }));
 }
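Review bot: In the `approved.isError()` branch, `return InternalServerError(approved.error());` puts the authorizer's own error text into the HTTP response body, so a caller who has not yet been approved can read whatever the authorizer module reports about its internal state. I would log the detail on the agent and return a fixed message instead, for example `LOG(WARNING) << "Failed to authorize GET_FLAGS: " << approved.error();` followed by `return InternalServerError("Authorization failed");`. The `else` branch that installs `AcceptingObjectApprover` also deserves a one-line comment such as `// No authorizer configured: every caller may view the agent flags.`, because that fail-open default is easy to miss when the flags carry sensitive values. The signature of `getFlags` and the declarations of `principal` and `acceptType` are outside this hunk, so how a failed `approver` future is handled by the caller cannot be checked from here.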