You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mesos.apache.org by me...@apache.org on 2016/11/16 10:00:07 UTC
[1/3] mesos git commit: Added tests for whole protobuf message based
authorization.
Repository: mesos
Updated Branches:
refs/heads/master 40c2e5ffb -> 0423d989a
Added tests for whole protobuf message based authorization.
Adds tests for the authorization of the authorization request
which makes use of whole protobuf messages.
Review: https://reviews.apache.org/r/53058/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/0423d989
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/0423d989
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/0423d989
Branch: refs/heads/master
Commit: 0423d989a1d6b49aa383c0e40cd30e5df6043c57
Parents: 181c89d
Author: Alexander Rojas <al...@mesosphere.io>
Authored: Tue Nov 15 19:05:12 2016 -0800
Committer: Adam B <ad...@mesosphere.io>
Committed: Wed Nov 16 01:55:03 2016 -0800
----------------------------------------------------------------------
src/tests/authorization_tests.cpp | 273 +++++++++++++++++++++++++++++++++
1 file changed, 273 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/0423d989/src/tests/authorization_tests.cpp
----------------------------------------------------------------------
diff --git a/src/tests/authorization_tests.cpp b/src/tests/authorization_tests.cpp
index 5d7e17b..d23f551 100644
--- a/src/tests/authorization_tests.cpp
+++ b/src/tests/authorization_tests.cpp
@@ -671,11 +671,25 @@ TYPED_TEST(AuthorizationTest, AnyPrincipalOfferedRole)
}
{
authorization::Request request;
+ request.set_action(authorization::REGISTER_FRAMEWORK);
+ request.mutable_subject()->set_value("foo");
+ request.mutable_object()->mutable_framework_info()->set_role("*");
+ AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+ }
+ {
+ authorization::Request request;
request.set_action(authorization::REGISTER_FRAMEWORK_WITH_ROLE);
request.mutable_subject()->set_value("bar");
request.mutable_object()->set_value("*");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::REGISTER_FRAMEWORK);
+ request.mutable_subject()->set_value("bar");
+ request.mutable_object()->mutable_framework_info()->set_role("*");
+ AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+ }
}
@@ -707,6 +721,13 @@ TYPED_TEST(AuthorizationTest, SomePrincipalsOfferedRole)
}
{
authorization::Request request;
+ request.set_action(authorization::REGISTER_FRAMEWORK);
+ request.mutable_subject()->set_value("foo");
+ request.mutable_object()->mutable_framework_info()->set_role("ads");
+ AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+ }
+ {
+ authorization::Request request;
request.set_action(authorization::REGISTER_FRAMEWORK_WITH_ROLE);
request.mutable_subject()->set_value("bar");
request.mutable_object()->set_value("ads");
@@ -714,11 +735,25 @@ TYPED_TEST(AuthorizationTest, SomePrincipalsOfferedRole)
}
{
authorization::Request request;
+ request.set_action(authorization::REGISTER_FRAMEWORK);
+ request.mutable_subject()->set_value("bar");
+ request.mutable_object()->mutable_framework_info()->set_role("ads");
+ AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+ }
+ {
+ authorization::Request request;
request.set_action(authorization::REGISTER_FRAMEWORK_WITH_ROLE);
request.mutable_subject()->set_value("baz");
request.mutable_object()->set_value("ads");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::REGISTER_FRAMEWORK);
+ request.mutable_subject()->set_value("baz");
+ request.mutable_object()->mutable_framework_info()->set_role("ads");
+ AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+ }
}
@@ -754,6 +789,13 @@ TYPED_TEST(AuthorizationTest, PrincipalOfferedRole)
request.mutable_object()->set_value("analytics");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::REGISTER_FRAMEWORK);
+ request.mutable_subject()->set_value("foo");
+ request.mutable_object()->mutable_framework_info()->set_role("analytics");
+ AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+ }
// Principal "bar" cannot be offered "analytics" role's resources.
{
@@ -763,6 +805,13 @@ TYPED_TEST(AuthorizationTest, PrincipalOfferedRole)
request.mutable_object()->set_value("analytics");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::REGISTER_FRAMEWORK);
+ request.mutable_subject()->set_value("bar");
+ request.mutable_object()->mutable_framework_info()->set_role("analytics");
+ AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
+ }
}
@@ -791,6 +840,13 @@ TYPED_TEST(AuthorizationTest, PrincipalNotOfferedAnyRoleRestrictive)
request.mutable_object()->set_value("analytics");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::REGISTER_FRAMEWORK);
+ request.mutable_subject()->set_value("foo");
+ request.mutable_object()->mutable_framework_info()->set_role("analytics");
+ AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+ }
// Principal "bar" cannot be offered "analytics" role's resources.
{
@@ -800,6 +856,13 @@ TYPED_TEST(AuthorizationTest, PrincipalNotOfferedAnyRoleRestrictive)
request.mutable_object()->set_value("analytics");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::REGISTER_FRAMEWORK);
+ request.mutable_subject()->set_value("bar");
+ request.mutable_object()->mutable_framework_info()->set_role("analytics");
+ AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
+ }
// Principal "bar" cannot be offered "ads" role's resources because no ACL.
{
@@ -809,6 +872,13 @@ TYPED_TEST(AuthorizationTest, PrincipalNotOfferedAnyRoleRestrictive)
request.mutable_object()->set_value("ads");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::REGISTER_FRAMEWORK);
+ request.mutable_subject()->set_value("bar");
+ request.mutable_object()->mutable_framework_info()->set_role("ads");
+ AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
+ }
}
@@ -853,6 +923,13 @@ TYPED_TEST(AuthorizationTest, Reserve)
request.mutable_object()->set_value("bar");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::RESERVE_RESOURCES);
+ request.mutable_subject()->set_value("foo");
+ request.mutable_object()->mutable_resource()->set_role("bar");
+ AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+ }
{
authorization::Request request;
@@ -863,11 +940,25 @@ TYPED_TEST(AuthorizationTest, Reserve)
}
{
authorization::Request request;
+ request.set_action(authorization::RESERVE_RESOURCES);
+ request.mutable_subject()->set_value("foo");
+ request.mutable_object()->mutable_resource()->set_role("awesome_role");
+ AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+ }
+ {
+ authorization::Request request;
request.set_action(authorization::RESERVE_RESOURCES_WITH_ROLE);
request.mutable_subject()->set_value("bar");
request.mutable_object()->set_value("awesome_role");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::RESERVE_RESOURCES);
+ request.mutable_subject()->set_value("bar");
+ request.mutable_object()->mutable_resource()->set_role("awesome_role");
+ AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+ }
// Principal "baz" can only reserve resources for the "ads" role, so request 3
// will pass, but requests 4 and 5 will fail.
@@ -878,6 +969,13 @@ TYPED_TEST(AuthorizationTest, Reserve)
request.mutable_object()->set_value("ads");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::RESERVE_RESOURCES);
+ request.mutable_subject()->set_value("baz");
+ request.mutable_object()->mutable_resource()->set_role("ads");
+ AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+ }
{
authorization::Request request;
@@ -886,6 +984,13 @@ TYPED_TEST(AuthorizationTest, Reserve)
request.mutable_object()->set_value("awesome_role");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::RESERVE_RESOURCES);
+ request.mutable_subject()->set_value("baz");
+ request.mutable_object()->mutable_resource()->set_role("awesome_role");
+ AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
+ }
{
authorization::Request request;
@@ -893,6 +998,12 @@ TYPED_TEST(AuthorizationTest, Reserve)
request.mutable_subject()->set_value("baz");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::RESERVE_RESOURCES);
+ request.mutable_subject()->set_value("baz");
+ AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
+ }
// Principal "zelda" is not mentioned in the ACLs of the Authorizer, so it
// will be caught by the final ACL, which provides a default case that denies
@@ -904,6 +1015,13 @@ TYPED_TEST(AuthorizationTest, Reserve)
request.mutable_object()->set_value("ads");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::RESERVE_RESOURCES);
+ request.mutable_subject()->set_value("zelda");
+ request.mutable_object()->mutable_resource()->set_role("ads");
+ AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
+ }
}
@@ -954,6 +1072,14 @@ TYPED_TEST(AuthorizationTest, Unreserve)
request.mutable_object()->set_value("foo");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::UNRESERVE_RESOURCES);
+ request.mutable_subject()->set_value("foo");
+ request.mutable_object()->mutable_resource()
+ ->mutable_reservation()->set_principal("foo");
+ AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+ }
// Principal "bar" cannot unreserve anyone's
// resources, so requests 2 and 3 will fail.
@@ -964,6 +1090,14 @@ TYPED_TEST(AuthorizationTest, Unreserve)
request.mutable_object()->set_value("foo");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::UNRESERVE_RESOURCES);
+ request.mutable_subject()->set_value("bar");
+ request.mutable_object()->mutable_resource()
+ ->mutable_reservation()->set_principal("foo");
+ AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
+ }
{
authorization::Request request;
@@ -972,6 +1106,14 @@ TYPED_TEST(AuthorizationTest, Unreserve)
request.mutable_object()->set_value("bar");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::UNRESERVE_RESOURCES);
+ request.mutable_subject()->set_value("bar");
+ request.mutable_object()->mutable_resource()
+ ->mutable_reservation()->set_principal("bar");
+ AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
+ }
// Principal "ops" can unreserve anyone's resources,
// so requests 4 and 5 will succeed.
@@ -982,6 +1124,14 @@ TYPED_TEST(AuthorizationTest, Unreserve)
request.mutable_object()->set_value("foo");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::UNRESERVE_RESOURCES);
+ request.mutable_subject()->set_value("ops");
+ request.mutable_object()->mutable_resource()
+ ->mutable_reservation()->set_principal("foo");
+ AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+ }
{
authorization::Request request;
@@ -992,6 +1142,14 @@ TYPED_TEST(AuthorizationTest, Unreserve)
}
{
authorization::Request request;
+ request.set_action(authorization::UNRESERVE_RESOURCES);
+ request.mutable_subject()->set_value("ops");
+ request.mutable_object()->mutable_resource()
+ ->mutable_reservation()->set_principal("foo");
+ AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+ }
+ {
+ authorization::Request request;
request.set_action(authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL);
request.mutable_subject()->set_value("ops");
request.mutable_object()->set_value("bar");
@@ -999,11 +1157,27 @@ TYPED_TEST(AuthorizationTest, Unreserve)
}
{
authorization::Request request;
+ request.set_action(authorization::UNRESERVE_RESOURCES);
+ request.mutable_subject()->set_value("ops");
+ request.mutable_object()->mutable_resource()
+ ->mutable_reservation()->set_principal("bar");
+ AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+ }
+ {
+ authorization::Request request;
request.set_action(authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL);
request.mutable_subject()->set_value("ops");
request.mutable_object()->set_value("ops");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::UNRESERVE_RESOURCES);
+ request.mutable_subject()->set_value("ops");
+ request.mutable_object()->mutable_resource()
+ ->mutable_reservation()->set_principal("ops");
+ AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+ }
// Principal "zelda" is not mentioned in the ACLs of the Authorizer, so it
// will be caught by the final ACL, which provides a default case that denies
@@ -1015,6 +1189,14 @@ TYPED_TEST(AuthorizationTest, Unreserve)
request.mutable_object()->set_value("foo");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::UNRESERVE_RESOURCES);
+ request.mutable_subject()->set_value("zelda");
+ request.mutable_object()->mutable_resource()
+ ->mutable_reservation()->set_principal("foo");
+ AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
+ }
}
@@ -1064,6 +1246,13 @@ TYPED_TEST(AuthorizationTest, CreateVolume)
request.mutable_object()->set_value("awesome_role");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::CREATE_VOLUME);
+ request.mutable_subject()->set_value("foo");
+ request.mutable_object()->mutable_resource()->set_role("awesome_role");
+ AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+ }
// Principal "bar" can create volumes for the "panda" role,
// so this request will pass.
@@ -1074,6 +1263,13 @@ TYPED_TEST(AuthorizationTest, CreateVolume)
request.mutable_object()->set_value("panda");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::CREATE_VOLUME);
+ request.mutable_subject()->set_value("bar");
+ request.mutable_object()->mutable_resource()->set_role("panda");
+ AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+ }
// Principal "bar" cannot create volumes for the "giraffe" role,
// so this request will fail.
@@ -1084,6 +1280,13 @@ TYPED_TEST(AuthorizationTest, CreateVolume)
request.mutable_object()->set_value("giraffe");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::CREATE_VOLUME);
+ request.mutable_subject()->set_value("bar");
+ request.mutable_object()->mutable_resource()->set_role("giraffe");
+ AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
+ }
// Principal "baz" cannot create volumes for any role,
// so this request will fail.
@@ -1094,6 +1297,13 @@ TYPED_TEST(AuthorizationTest, CreateVolume)
request.mutable_object()->set_value("panda");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::CREATE_VOLUME);
+ request.mutable_subject()->set_value("baz");
+ request.mutable_object()->mutable_resource()->set_role("panda");
+ AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
+ }
// Principal "zelda" is not mentioned in the ACLs of the Authorizer, so it
// will be caught by the final ACL, which provides a default case that denies
@@ -1105,6 +1315,13 @@ TYPED_TEST(AuthorizationTest, CreateVolume)
request.mutable_object()->set_value("panda");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::CREATE_VOLUME);
+ request.mutable_subject()->set_value("zelda");
+ request.mutable_object()->mutable_resource()->set_role("panda");
+ AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
+ }
}
@@ -1155,6 +1372,14 @@ TYPED_TEST(AuthorizationTest, DestroyVolume)
request.mutable_object()->set_value("foo");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::DESTROY_VOLUME);
+ request.mutable_subject()->set_value("foo");
+ request.mutable_object()->mutable_resource()->mutable_disk()
+ ->mutable_persistence()->set_principal("foo");
+ AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+ }
// Principal "bar" cannot destroy anyone's
// volumes, so requests 2 and 3 will fail.
@@ -1165,6 +1390,14 @@ TYPED_TEST(AuthorizationTest, DestroyVolume)
request.mutable_object()->set_value("foo");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::DESTROY_VOLUME);
+ request.mutable_subject()->set_value("bar");
+ request.mutable_object()->mutable_resource()->mutable_disk()
+ ->mutable_persistence()->set_principal("foo");
+ AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
+ }
{
authorization::Request request;
@@ -1173,6 +1406,14 @@ TYPED_TEST(AuthorizationTest, DestroyVolume)
request.mutable_object()->set_value("bar");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::DESTROY_VOLUME);
+ request.mutable_subject()->set_value("bar");
+ request.mutable_object()->mutable_resource()->mutable_disk()
+ ->mutable_persistence()->set_principal("bar");
+ AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
+ }
// Principal "ops" can destroy anyone's volumes,
// so requests 4 and 5 will succeed.
@@ -1183,6 +1424,14 @@ TYPED_TEST(AuthorizationTest, DestroyVolume)
request.mutable_object()->set_value("foo");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::DESTROY_VOLUME);
+ request.mutable_subject()->set_value("ops");
+ request.mutable_object()->mutable_resource()->mutable_disk()
+ ->mutable_persistence()->set_principal("foo");
+ AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+ }
{
authorization::Request request;
@@ -1193,11 +1442,27 @@ TYPED_TEST(AuthorizationTest, DestroyVolume)
}
{
authorization::Request request;
+ request.set_action(authorization::DESTROY_VOLUME);
+ request.mutable_subject()->set_value("ops");
+ request.mutable_object()->mutable_resource()->mutable_disk()
+ ->mutable_persistence()->set_principal("ops");
+ AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+ }
+ {
+ authorization::Request request;
request.set_action(authorization::DESTROY_VOLUME_WITH_PRINCIPAL);
request.mutable_subject()->set_value("ops");
request.mutable_object()->set_value("bar");
AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::DESTROY_VOLUME);
+ request.mutable_subject()->set_value("ops");
+ request.mutable_object()->mutable_resource()->mutable_disk()
+ ->mutable_persistence()->set_principal("bar");
+ AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+ }
// Principal "zelda" is not mentioned in the ACLs of the Authorizer, so it
// will be caught by the final ACL, which provides a default case that denies
@@ -1209,6 +1474,14 @@ TYPED_TEST(AuthorizationTest, DestroyVolume)
request.mutable_object()->set_value("foo");
AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
}
+ {
+ authorization::Request request;
+ request.set_action(authorization::DESTROY_VOLUME);
+ request.mutable_subject()->set_value("zelda");
+ request.mutable_object()->mutable_resource()->mutable_disk()
+ ->mutable_persistence()->set_principal("foo");
+ AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
+ }
}
Re: [3/3] mesos git commit: Enabled multiple field based
authorization in the authorizer interface.
Posted by Alex Rukletsov <al...@mesosphere.com>.
Fixed in
https://github.com/apache/mesos/commit/d2ab4b49d3cc0b86bacc5ec3400b46cfa70c3a7b
On Fri, Nov 18, 2016 at 4:48 AM, Benjamin Bannier <
benjamin.bannier@mesosphere.io> wrote:
> Hi,
>
> This introduces a possibly uninitialized member `weight_info` which
> Coverity immediately detected. I filed MESOS-6604 for that. Could you
> please take that on @Alexander?
>
>
> Cheers,
>
> Benjamin
>
> > On Nov 16, 2016, at 6:00 PM, me@apache.org wrote:
> >
> > Enabled multiple field based authorization in the authorizer interface.
> >
> > Updates the authorizer interfaces and well as the local authorizer,
> > such that all actions which were limited to use a _role_ or a
> > _principal_ as an object, are able to use whole protobuf messages
> > as objects. This change enables more sofisticated authorization
> > mechanisms.
> >
> > Review: https://reviews.apache.org/r/52600/
> >
> >
> > Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
> > Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/bc0e6d7b
> > Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/bc0e6d7b
> > Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/bc0e6d7b
> >
> > Branch: refs/heads/master
> > Commit: bc0e6d7b0b367e5ff67dd5f395e1e06938b02399
> > Parents: 40c2e5f
> > Author: Alexander Rojas <al...@mesosphere.io>
> > Authored: Tue Nov 15 19:04:25 2016 -0800
> > Committer: Adam B <ad...@mesosphere.io>
> > Committed: Wed Nov 16 01:55:03 2016 -0800
> >
> > ----------------------------------------------------------------------
> > include/mesos/authorizer/authorizer.hpp | 6 +-
> > include/mesos/authorizer/authorizer.proto | 54 ++++++++++++
> > src/authorizer/local/authorizer.cpp | 115
> +++++++++++++++++++++----
> > 3 files changed, 157 insertions(+), 18 deletions(-)
> > ----------------------------------------------------------------------
> >
> >
> > http://git-wip-us.apache.org/repos/asf/mesos/blob/bc0e6d7b/
> include/mesos/authorizer/authorizer.hpp
> > ----------------------------------------------------------------------
> > diff --git a/include/mesos/authorizer/authorizer.hpp
> b/include/mesos/authorizer/authorizer.hpp
> > index cb365c7..7217600 100644
> > --- a/include/mesos/authorizer/authorizer.hpp
> > +++ b/include/mesos/authorizer/authorizer.hpp
> > @@ -61,7 +61,9 @@ public:
> > task_info(object.has_task_info() ? &object.task_info() :
> nullptr),
> > executor_info(
> > object.has_executor_info() ? &object.executor_info() :
> nullptr),
> > - quota_info(object.has_quota_info() ? &object.quota_info() :
> nullptr) {}
> > + quota_info(object.has_quota_info() ? &object.quota_info() :
> nullptr),
> > + weight_info(object.has_weight_info() ? &object.weight_info() :
> nullptr),
> > + resource(object.has_resource() ? &object.resource() : nullptr)
> {}
> >
> > const std::string* value;
> > const FrameworkInfo* framework_info;
> > @@ -69,6 +71,8 @@ public:
> > const TaskInfo* task_info;
> > const ExecutorInfo* executor_info;
> > const quota::QuotaInfo* quota_info;
> > + const WeightInfo* weight_info;
> > + const Resource* resource;
> > };
> >
> > /**
> >
> > http://git-wip-us.apache.org/repos/asf/mesos/blob/bc0e6d7b/
> include/mesos/authorizer/authorizer.proto
> > ----------------------------------------------------------------------
> > diff --git a/include/mesos/authorizer/authorizer.proto
> b/include/mesos/authorizer/authorizer.proto
> > index b6a9f14..0696a62 100644
> > --- a/include/mesos/authorizer/authorizer.proto
> > +++ b/include/mesos/authorizer/authorizer.proto
> > @@ -46,11 +46,17 @@ message Object {
> > optional TaskInfo task_info = 4;
> > optional ExecutorInfo executor_info = 5;
> > optional quota.QuotaInfo quota_info = 6;
> > + optional WeightInfo weight_info = 7;
> > + optional Resource resource = 8;
> > }
> >
> >
> > // List of authorizable actions supported in Mesos.
> > +// NOTE: Values in this enum should be kept in
> > +// numerical order to prevent accidental aliasing.
> > enum Action {
> > + option allow_alias = true;
> > +
> > // This must be the first enum value in this list, to
> > // ensure that if 'type' is not set, the default value
> > // is UNKNOWN. This enables enum values to be added
> > @@ -58,19 +64,67 @@ enum Action {
> > UNKNOWN = 0;
> >
> > // Actions named *_WITH_foo may set a foo in `Object.value`.
> > +
> > + // `REGISTER_FRAMEWORK` will have an object with `FrameworkInfo` set.
> > + // The `_WITH_ROLE` alias is deprecated and will be removed after
> > + // Mesos 1.2's deprecation cycle ends. The `value` field will continue
> > + // to be set until that time.
> > + REGISTER_FRAMEWORK = 1;
> > REGISTER_FRAMEWORK_WITH_ROLE = 1;
> >
> > // `RUN_TASK` will have an object with `FrameworkInfo` and `TaskInfo`
> set.
> > RUN_TASK = 2;
> >
> > + // `TEARDOWN_FRAMEWORK` will have an object with `FrameworkInfo` set.
> > + // The `_WITH_PRINCIPAL` alias is deprecated and will be removed after
> > + // Mesos 1.2's deprecation cycle ends. The `value` field will continue
> > + // to be set until that time.
> > + TEARDOWN_FRAMEWORK = 3;
> > TEARDOWN_FRAMEWORK_WITH_PRINCIPAL = 3;
> > +
> > + // `RESERVE_RESOURCES` will have an object with `Resource` set.
> > + // The `_WITH_ROLE` alias is deprecated and will be removed after
> > + // Mesos 1.2's deprecation cycle ends. The `value` field will continue
> > + // to be set until that time.
> > + RESERVE_RESOURCES = 4;
> > RESERVE_RESOURCES_WITH_ROLE = 4;
> > +
> > + // `UNRESERVE_RESOURCES` will have an object with `Resource` set.
> > + // The `_WITH_PRINCIPAL` alias is deprecated and will be removed after
> > + // Mesos 1.2's deprecation cycle ends. The `value` field will continue
> > + // to be set until that time.
> > + UNRESERVE_RESOURCES = 5;
> > UNRESERVE_RESOURCES_WITH_PRINCIPAL = 5;
> > +
> > + // `CREATE_VOLUME` will have an object with `Resource` set.
> > + // The `_WITH_ROLE` alias is deprecated and will be removed after
> > + // Mesos 1.2's deprecation cycle ends. The `value` field will continue
> > + // to be set until that time.
> > + CREATE_VOLUME = 6;
> > CREATE_VOLUME_WITH_ROLE = 6;
> > +
> > + // `DESTROY_VOLUME` will have an object with `Resource` set.
> > + // The `_WITH_PRINCIPAL` alias is deprecated and will be removed after
> > + // Mesos 1.2's deprecation cycle ends. The `value` field will continue
> > + // to be set until that time.
> > + DESTROY_VOLUME = 7;
> > DESTROY_VOLUME_WITH_PRINCIPAL = 7;
> > +
> > GET_ENDPOINT_WITH_PATH = 8;
> > VIEW_ROLE = 9;
> > +
> > + // `UPDATE_WEIGHT` will have an object with `WeightInfo` set.
> > + // The `_WITH_ROLE` alias is deprecated and will be removed after
> > + // Mesos 1.2's deprecation cycle ends. The `value` field will continue
> > + // to be set until that time.
> > + UPDATE_WEIGHT = 10;
> > UPDATE_WEIGHT_WITH_ROLE = 10;
> > +
> > + // `GET_QUOTA` will have an object with `QuotaInfo` set.
> > + // The `_WITH_ROLE` alias is deprecated and will be removed after
> > + // Mesos 1.2's deprecation cycle ends. The `value` field will continue
> > + // to be set until that time.
> > + GET_QUOTA = 11;
> > GET_QUOTA_WITH_ROLE = 11;
> >
> > // `UPDATE_QUOTA` will have an object with a `QuotaInfo` set.
> >
> > http://git-wip-us.apache.org/repos/asf/mesos/blob/bc0e6d7b/
> src/authorizer/local/authorizer.cpp
> > ----------------------------------------------------------------------
> > diff --git a/src/authorizer/local/authorizer.cpp b/src/authorizer/local/
> authorizer.cpp
> > index f1dff65..77e05dd 100644
> > --- a/src/authorizer/local/authorizer.cpp
> > +++ b/src/authorizer/local/authorizer.cpp
> > @@ -221,15 +221,7 @@ public:
> > } else {
> > switch (action_) {
> > // All actions using `object.value` for authorization.
> > - case authorization::REGISTER_FRAMEWORK_WITH_ROLE:
> > - case authorization::TEARDOWN_FRAMEWORK_WITH_PRINCIPAL:
> > - case authorization::RESERVE_RESOURCES_WITH_ROLE:
> > - case authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL:
> > - case authorization::CREATE_VOLUME_WITH_ROLE:
> > - case authorization::DESTROY_VOLUME_WITH_PRINCIPAL:
> > - case authorization::GET_QUOTA_WITH_ROLE:
> > case authorization::VIEW_ROLE:
> > - case authorization::UPDATE_WEIGHT_WITH_ROLE:
> > case authorization::GET_ENDPOINT_WITH_PATH: {
> > // Check object has the required types set.
> > CHECK_NOTNULL(object->value);
> > @@ -239,6 +231,92 @@ public:
> >
> > break;
> > }
> > + case authorization::REGISTER_FRAMEWORK: {
> > + aclObject.set_type(mesos::ACL::Entity::SOME);
> > + if (object->framework_info) {
> > + aclObject.add_values(object->framework_info->role());
> > + } else if (object->value) {
> > + aclObject.add_values(*(object->value));
> > + } else {
> > + aclObject.set_type(mesos::ACL::Entity::ANY);
> > + }
> > +
> > + break;
> > + }
> > + case authorization::TEARDOWN_FRAMEWORK: {
> > + aclObject.set_type(mesos::ACL::Entity::SOME);
> > + if (object->framework_info) {
> > + aclObject.add_values(object->framework_info->principal());
> > + } else if (object->value) {
> > + aclObject.add_values(*(object->value));
> > + } else {
> > + aclObject.set_type(mesos::ACL::Entity::ANY);
> > + }
> > +
> > + break;
> > + }
> > + case authorization::CREATE_VOLUME:
> > + case authorization::RESERVE_RESOURCES: {
> > + aclObject.set_type(mesos::ACL::Entity::SOME);
> > + if (object->resource) {
> > + aclObject.add_values(object->resource->role());
> > + } else if (object->value) {
> > + aclObject.add_values(*(object->value));
> > + } else {
> > + aclObject.set_type(mesos::ACL::Entity::ANY);
> > + }
> > +
> > + break;
> > + }
> > + case authorization::DESTROY_VOLUME: {
> > + aclObject.set_type(mesos::ACL::Entity::SOME);
> > + if (object->resource) {
> > + aclObject.add_values(
> > + object->resource->disk().persistence().principal());
> > + } else if (object->value) {
> > + aclObject.add_values(*(object->value));
> > + } else {
> > + aclObject.set_type(mesos::ACL::Entity::ANY);
> > + }
> > +
> > + break;
> > + }
> > + case authorization::UNRESERVE_RESOURCES: {
> > + aclObject.set_type(mesos::ACL::Entity::SOME);
> > + if (object->resource) {
> > + aclObject.add_values(object->resource->reservation().
> principal());
> > + } else if (object->value) {
> > + aclObject.add_values(*(object->value));
> > + } else {
> > + aclObject.set_type(mesos::ACL::Entity::ANY);
> > + }
> > +
> > + break;
> > + }
> > + case authorization::GET_QUOTA: {
> > + aclObject.set_type(mesos::ACL::Entity::SOME);
> > + if (object->quota_info) {
> > + aclObject.add_values(object->quota_info->role());
> > + } else if (object->value) {
> > + aclObject.add_values(*(object->value));
> > + } else {
> > + aclObject.set_type(mesos::ACL::Entity::ANY);
> > + }
> > +
> > + break;
> > + }
> > + case authorization::UPDATE_WEIGHT: {
> > + aclObject.set_type(mesos::ACL::Entity::SOME);
> > + if (object->weight_info) {
> > + aclObject.add_values(object->weight_info->role());
> > + } else if (object->value) {
> > + aclObject.add_values(*(object->value));
> > + } else {
> > + aclObject.set_type(mesos::ACL::Entity::ANY);
> > + }
> > +
> > + break;
> > + }
> > case authorization::RUN_TASK: {
> > aclObject.set_type(mesos::ACL::Entity::SOME);
> > if (object->task_info && object->task_info->has_command() &&
> > @@ -253,6 +331,7 @@ public:
> > } else {
> > aclObject.set_type(mesos::ACL::Entity::ANY);
> > }
> > +
> > break;
> > }
> > case authorization::ACCESS_MESOS_LOG: {
> > @@ -497,7 +576,7 @@ private:
> > vector<GenericACL> acls_;
> >
> > switch (action) {
> > - case authorization::REGISTER_FRAMEWORK_WITH_ROLE:
> > + case authorization::REGISTER_FRAMEWORK:
> > foreach (
> > const ACL::RegisterFramework& acl,
> acls.register_frameworks()) {
> > GenericACL acl_;
> > @@ -509,7 +588,7 @@ private:
> >
> > return acls_;
> > break;
> > - case authorization::TEARDOWN_FRAMEWORK_WITH_PRINCIPAL:
> > + case authorization::TEARDOWN_FRAMEWORK:
> > foreach (
> > const ACL::TeardownFramework& acl,
> acls.teardown_frameworks()) {
> > GenericACL acl_;
> > @@ -532,7 +611,7 @@ private:
> >
> > return acls_;
> > break;
> > - case authorization::RESERVE_RESOURCES_WITH_ROLE:
> > + case authorization::RESERVE_RESOURCES:
> > foreach (const ACL::ReserveResources& acl,
> acls.reserve_resources()) {
> > GenericACL acl_;
> > acl_.subjects = acl.principals();
> > @@ -543,7 +622,7 @@ private:
> >
> > return acls_;
> > break;
> > - case authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL:
> > + case authorization::UNRESERVE_RESOURCES:
> > foreach (
> > const ACL::UnreserveResources& acl,
> acls.unreserve_resources()) {
> > GenericACL acl_;
> > @@ -555,7 +634,7 @@ private:
> >
> > return acls_;
> > break;
> > - case authorization::CREATE_VOLUME_WITH_ROLE:
> > + case authorization::CREATE_VOLUME:
> > foreach (const ACL::CreateVolume& acl, acls.create_volumes()) {
> > GenericACL acl_;
> > acl_.subjects = acl.principals();
> > @@ -566,7 +645,7 @@ private:
> >
> > return acls_;
> > break;
> > - case authorization::DESTROY_VOLUME_WITH_PRINCIPAL:
> > + case authorization::DESTROY_VOLUME:
> > foreach (const ACL::DestroyVolume& acl, acls.destroy_volumes()) {
> > GenericACL acl_;
> > acl_.subjects = acl.principals();
> > @@ -577,7 +656,7 @@ private:
> >
> > return acls_;
> > break;
> > - case authorization::GET_QUOTA_WITH_ROLE:
> > + case authorization::GET_QUOTA:
> > foreach (const ACL::GetQuota& acl, acls.get_quotas()) {
> > GenericACL acl_;
> > acl_.subjects = acl.principals();
> > @@ -629,7 +708,7 @@ private:
> >
> > return acls_;
> > break;
> > - case authorization::UPDATE_WEIGHT_WITH_ROLE:
> > + case authorization::UPDATE_WEIGHT:
> > foreach (const ACL::UpdateWeight& acl, acls.update_weights()) {
> > GenericACL acl_;
> > acl_.subjects = acl.principals();
> > @@ -845,7 +924,9 @@ process::Future<bool> LocalAuthorizer::authorized(
> > request.object().has_task() ||
> > request.object().has_task_info() ||
> > request.object().has_executor_info() ||
> > - request.object().has_quota_info())));
> > + request.object().has_quota_info() ||
> > + request.object().has_weight_info() ||
> > + request.object().has_resource())));
> >
> > typedef Future<bool> (LocalAuthorizerProcess::*F)(
> > const authorization::Request&);
> >
>
>
Re: [3/3] mesos git commit: Enabled multiple field based
authorization in the authorizer interface.
Posted by Benjamin Bannier <be...@mesosphere.io>.
Hi,
This introduces a possibly uninitialized member `weight_info` which Coverity immediately detected. I filed MESOS-6604 for that. Could you please take that on @Alexander?
Cheers,
Benjamin
> On Nov 16, 2016, at 6:00 PM, me@apache.org wrote:
>
> Enabled multiple field based authorization in the authorizer interface.
>
> Updates the authorizer interfaces and well as the local authorizer,
> such that all actions which were limited to use a _role_ or a
> _principal_ as an object, are able to use whole protobuf messages
> as objects. This change enables more sofisticated authorization
> mechanisms.
>
> Review: https://reviews.apache.org/r/52600/
>
>
> Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
> Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/bc0e6d7b
> Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/bc0e6d7b
> Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/bc0e6d7b
>
> Branch: refs/heads/master
> Commit: bc0e6d7b0b367e5ff67dd5f395e1e06938b02399
> Parents: 40c2e5f
> Author: Alexander Rojas <al...@mesosphere.io>
> Authored: Tue Nov 15 19:04:25 2016 -0800
> Committer: Adam B <ad...@mesosphere.io>
> Committed: Wed Nov 16 01:55:03 2016 -0800
>
> ----------------------------------------------------------------------
> include/mesos/authorizer/authorizer.hpp | 6 +-
> include/mesos/authorizer/authorizer.proto | 54 ++++++++++++
> src/authorizer/local/authorizer.cpp | 115 +++++++++++++++++++++----
> 3 files changed, 157 insertions(+), 18 deletions(-)
> ----------------------------------------------------------------------
>
>
> http://git-wip-us.apache.org/repos/asf/mesos/blob/bc0e6d7b/include/mesos/authorizer/authorizer.hpp
> ----------------------------------------------------------------------
> diff --git a/include/mesos/authorizer/authorizer.hpp b/include/mesos/authorizer/authorizer.hpp
> index cb365c7..7217600 100644
> --- a/include/mesos/authorizer/authorizer.hpp
> +++ b/include/mesos/authorizer/authorizer.hpp
> @@ -61,7 +61,9 @@ public:
> task_info(object.has_task_info() ? &object.task_info() : nullptr),
> executor_info(
> object.has_executor_info() ? &object.executor_info() : nullptr),
> - quota_info(object.has_quota_info() ? &object.quota_info() : nullptr) {}
> + quota_info(object.has_quota_info() ? &object.quota_info() : nullptr),
> + weight_info(object.has_weight_info() ? &object.weight_info() : nullptr),
> + resource(object.has_resource() ? &object.resource() : nullptr) {}
>
> const std::string* value;
> const FrameworkInfo* framework_info;
> @@ -69,6 +71,8 @@ public:
> const TaskInfo* task_info;
> const ExecutorInfo* executor_info;
> const quota::QuotaInfo* quota_info;
> + const WeightInfo* weight_info;
> + const Resource* resource;
> };
>
> /**
>
> http://git-wip-us.apache.org/repos/asf/mesos/blob/bc0e6d7b/include/mesos/authorizer/authorizer.proto
> ----------------------------------------------------------------------
> diff --git a/include/mesos/authorizer/authorizer.proto b/include/mesos/authorizer/authorizer.proto
> index b6a9f14..0696a62 100644
> --- a/include/mesos/authorizer/authorizer.proto
> +++ b/include/mesos/authorizer/authorizer.proto
> @@ -46,11 +46,17 @@ message Object {
> optional TaskInfo task_info = 4;
> optional ExecutorInfo executor_info = 5;
> optional quota.QuotaInfo quota_info = 6;
> + optional WeightInfo weight_info = 7;
> + optional Resource resource = 8;
> }
>
>
> // List of authorizable actions supported in Mesos.
> +// NOTE: Values in this enum should be kept in
> +// numerical order to prevent accidental aliasing.
> enum Action {
> + option allow_alias = true;
> +
> // This must be the first enum value in this list, to
> // ensure that if 'type' is not set, the default value
> // is UNKNOWN. This enables enum values to be added
> @@ -58,19 +64,67 @@ enum Action {
> UNKNOWN = 0;
>
> // Actions named *_WITH_foo may set a foo in `Object.value`.
> +
> + // `REGISTER_FRAMEWORK` will have an object with `FrameworkInfo` set.
> + // The `_WITH_ROLE` alias is deprecated and will be removed after
> + // Mesos 1.2's deprecation cycle ends. The `value` field will continue
> + // to be set until that time.
> + REGISTER_FRAMEWORK = 1;
> REGISTER_FRAMEWORK_WITH_ROLE = 1;
>
> // `RUN_TASK` will have an object with `FrameworkInfo` and `TaskInfo` set.
> RUN_TASK = 2;
>
> + // `TEARDOWN_FRAMEWORK` will have an object with `FrameworkInfo` set.
> + // The `_WITH_PRINCIPAL` alias is deprecated and will be removed after
> + // Mesos 1.2's deprecation cycle ends. The `value` field will continue
> + // to be set until that time.
> + TEARDOWN_FRAMEWORK = 3;
> TEARDOWN_FRAMEWORK_WITH_PRINCIPAL = 3;
> +
> + // `RESERVE_RESOURCES` will have an object with `Resource` set.
> + // The `_WITH_ROLE` alias is deprecated and will be removed after
> + // Mesos 1.2's deprecation cycle ends. The `value` field will continue
> + // to be set until that time.
> + RESERVE_RESOURCES = 4;
> RESERVE_RESOURCES_WITH_ROLE = 4;
> +
> + // `UNRESERVE_RESOURCES` will have an object with `Resource` set.
> + // The `_WITH_PRINCIPAL` alias is deprecated and will be removed after
> + // Mesos 1.2's deprecation cycle ends. The `value` field will continue
> + // to be set until that time.
> + UNRESERVE_RESOURCES = 5;
> UNRESERVE_RESOURCES_WITH_PRINCIPAL = 5;
> +
> + // `CREATE_VOLUME` will have an object with `Resource` set.
> + // The `_WITH_ROLE` alias is deprecated and will be removed after
> + // Mesos 1.2's deprecation cycle ends. The `value` field will continue
> + // to be set until that time.
> + CREATE_VOLUME = 6;
> CREATE_VOLUME_WITH_ROLE = 6;
> +
> + // `DESTROY_VOLUME` will have an object with `Resource` set.
> + // The `_WITH_PRINCIPAL` alias is deprecated and will be removed after
> + // Mesos 1.2's deprecation cycle ends. The `value` field will continue
> + // to be set until that time.
> + DESTROY_VOLUME = 7;
> DESTROY_VOLUME_WITH_PRINCIPAL = 7;
> +
> GET_ENDPOINT_WITH_PATH = 8;
> VIEW_ROLE = 9;
> +
> + // `UPDATE_WEIGHT` will have an object with `WeightInfo` set.
> + // The `_WITH_ROLE` alias is deprecated and will be removed after
> + // Mesos 1.2's deprecation cycle ends. The `value` field will continue
> + // to be set until that time.
> + UPDATE_WEIGHT = 10;
> UPDATE_WEIGHT_WITH_ROLE = 10;
> +
> + // `GET_QUOTA` will have an object with `QuotaInfo` set.
> + // The `_WITH_ROLE` alias is deprecated and will be removed after
> + // Mesos 1.2's deprecation cycle ends. The `value` field will continue
> + // to be set until that time.
> + GET_QUOTA = 11;
> GET_QUOTA_WITH_ROLE = 11;
>
> // `UPDATE_QUOTA` will have an object with a `QuotaInfo` set.
>
> http://git-wip-us.apache.org/repos/asf/mesos/blob/bc0e6d7b/src/authorizer/local/authorizer.cpp
> ----------------------------------------------------------------------
> diff --git a/src/authorizer/local/authorizer.cpp b/src/authorizer/local/authorizer.cpp
> index f1dff65..77e05dd 100644
> --- a/src/authorizer/local/authorizer.cpp
> +++ b/src/authorizer/local/authorizer.cpp
> @@ -221,15 +221,7 @@ public:
> } else {
> switch (action_) {
> // All actions using `object.value` for authorization.
> - case authorization::REGISTER_FRAMEWORK_WITH_ROLE:
> - case authorization::TEARDOWN_FRAMEWORK_WITH_PRINCIPAL:
> - case authorization::RESERVE_RESOURCES_WITH_ROLE:
> - case authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL:
> - case authorization::CREATE_VOLUME_WITH_ROLE:
> - case authorization::DESTROY_VOLUME_WITH_PRINCIPAL:
> - case authorization::GET_QUOTA_WITH_ROLE:
> case authorization::VIEW_ROLE:
> - case authorization::UPDATE_WEIGHT_WITH_ROLE:
> case authorization::GET_ENDPOINT_WITH_PATH: {
> // Check object has the required types set.
> CHECK_NOTNULL(object->value);
> @@ -239,6 +231,92 @@ public:
>
> break;
> }
> + case authorization::REGISTER_FRAMEWORK: {
> + aclObject.set_type(mesos::ACL::Entity::SOME);
> + if (object->framework_info) {
> + aclObject.add_values(object->framework_info->role());
> + } else if (object->value) {
> + aclObject.add_values(*(object->value));
> + } else {
> + aclObject.set_type(mesos::ACL::Entity::ANY);
> + }
> +
> + break;
> + }
> + case authorization::TEARDOWN_FRAMEWORK: {
> + aclObject.set_type(mesos::ACL::Entity::SOME);
> + if (object->framework_info) {
> + aclObject.add_values(object->framework_info->principal());
> + } else if (object->value) {
> + aclObject.add_values(*(object->value));
> + } else {
> + aclObject.set_type(mesos::ACL::Entity::ANY);
> + }
> +
> + break;
> + }
> + case authorization::CREATE_VOLUME:
> + case authorization::RESERVE_RESOURCES: {
> + aclObject.set_type(mesos::ACL::Entity::SOME);
> + if (object->resource) {
> + aclObject.add_values(object->resource->role());
> + } else if (object->value) {
> + aclObject.add_values(*(object->value));
> + } else {
> + aclObject.set_type(mesos::ACL::Entity::ANY);
> + }
> +
> + break;
> + }
> + case authorization::DESTROY_VOLUME: {
> + aclObject.set_type(mesos::ACL::Entity::SOME);
> + if (object->resource) {
> + aclObject.add_values(
> + object->resource->disk().persistence().principal());
> + } else if (object->value) {
> + aclObject.add_values(*(object->value));
> + } else {
> + aclObject.set_type(mesos::ACL::Entity::ANY);
> + }
> +
> + break;
> + }
> + case authorization::UNRESERVE_RESOURCES: {
> + aclObject.set_type(mesos::ACL::Entity::SOME);
> + if (object->resource) {
> + aclObject.add_values(object->resource->reservation().principal());
> + } else if (object->value) {
> + aclObject.add_values(*(object->value));
> + } else {
> + aclObject.set_type(mesos::ACL::Entity::ANY);
> + }
> +
> + break;
> + }
> + case authorization::GET_QUOTA: {
> + aclObject.set_type(mesos::ACL::Entity::SOME);
> + if (object->quota_info) {
> + aclObject.add_values(object->quota_info->role());
> + } else if (object->value) {
> + aclObject.add_values(*(object->value));
> + } else {
> + aclObject.set_type(mesos::ACL::Entity::ANY);
> + }
> +
> + break;
> + }
> + case authorization::UPDATE_WEIGHT: {
> + aclObject.set_type(mesos::ACL::Entity::SOME);
> + if (object->weight_info) {
> + aclObject.add_values(object->weight_info->role());
> + } else if (object->value) {
> + aclObject.add_values(*(object->value));
> + } else {
> + aclObject.set_type(mesos::ACL::Entity::ANY);
> + }
> +
> + break;
> + }
> case authorization::RUN_TASK: {
> aclObject.set_type(mesos::ACL::Entity::SOME);
> if (object->task_info && object->task_info->has_command() &&
> @@ -253,6 +331,7 @@ public:
> } else {
> aclObject.set_type(mesos::ACL::Entity::ANY);
> }
> +
> break;
> }
> case authorization::ACCESS_MESOS_LOG: {
> @@ -497,7 +576,7 @@ private:
> vector<GenericACL> acls_;
>
> switch (action) {
> - case authorization::REGISTER_FRAMEWORK_WITH_ROLE:
> + case authorization::REGISTER_FRAMEWORK:
> foreach (
> const ACL::RegisterFramework& acl, acls.register_frameworks()) {
> GenericACL acl_;
> @@ -509,7 +588,7 @@ private:
>
> return acls_;
> break;
> - case authorization::TEARDOWN_FRAMEWORK_WITH_PRINCIPAL:
> + case authorization::TEARDOWN_FRAMEWORK:
> foreach (
> const ACL::TeardownFramework& acl, acls.teardown_frameworks()) {
> GenericACL acl_;
> @@ -532,7 +611,7 @@ private:
>
> return acls_;
> break;
> - case authorization::RESERVE_RESOURCES_WITH_ROLE:
> + case authorization::RESERVE_RESOURCES:
> foreach (const ACL::ReserveResources& acl, acls.reserve_resources()) {
> GenericACL acl_;
> acl_.subjects = acl.principals();
> @@ -543,7 +622,7 @@ private:
>
> return acls_;
> break;
> - case authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL:
> + case authorization::UNRESERVE_RESOURCES:
> foreach (
> const ACL::UnreserveResources& acl, acls.unreserve_resources()) {
> GenericACL acl_;
> @@ -555,7 +634,7 @@ private:
>
> return acls_;
> break;
> - case authorization::CREATE_VOLUME_WITH_ROLE:
> + case authorization::CREATE_VOLUME:
> foreach (const ACL::CreateVolume& acl, acls.create_volumes()) {
> GenericACL acl_;
> acl_.subjects = acl.principals();
> @@ -566,7 +645,7 @@ private:
>
> return acls_;
> break;
> - case authorization::DESTROY_VOLUME_WITH_PRINCIPAL:
> + case authorization::DESTROY_VOLUME:
> foreach (const ACL::DestroyVolume& acl, acls.destroy_volumes()) {
> GenericACL acl_;
> acl_.subjects = acl.principals();
> @@ -577,7 +656,7 @@ private:
>
> return acls_;
> break;
> - case authorization::GET_QUOTA_WITH_ROLE:
> + case authorization::GET_QUOTA:
> foreach (const ACL::GetQuota& acl, acls.get_quotas()) {
> GenericACL acl_;
> acl_.subjects = acl.principals();
> @@ -629,7 +708,7 @@ private:
>
> return acls_;
> break;
> - case authorization::UPDATE_WEIGHT_WITH_ROLE:
> + case authorization::UPDATE_WEIGHT:
> foreach (const ACL::UpdateWeight& acl, acls.update_weights()) {
> GenericACL acl_;
> acl_.subjects = acl.principals();
> @@ -845,7 +924,9 @@ process::Future<bool> LocalAuthorizer::authorized(
> request.object().has_task() ||
> request.object().has_task_info() ||
> request.object().has_executor_info() ||
> - request.object().has_quota_info())));
> + request.object().has_quota_info() ||
> + request.object().has_weight_info() ||
> + request.object().has_resource())));
>
> typedef Future<bool> (LocalAuthorizerProcess::*F)(
> const authorization::Request&);
>
[3/3] mesos git commit: Enabled multiple field based authorization in
the authorizer interface.
Posted by me...@apache.org.
Enabled multiple field based authorization in the authorizer interface.
Updates the authorizer interfaces and well as the local authorizer,
such that all actions which were limited to use a _role_ or a
_principal_ as an object, are able to use whole protobuf messages
as objects. This change enables more sofisticated authorization
mechanisms.
Review: https://reviews.apache.org/r/52600/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/bc0e6d7b
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/bc0e6d7b
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/bc0e6d7b
Branch: refs/heads/master
Commit: bc0e6d7b0b367e5ff67dd5f395e1e06938b02399
Parents: 40c2e5f
Author: Alexander Rojas <al...@mesosphere.io>
Authored: Tue Nov 15 19:04:25 2016 -0800
Committer: Adam B <ad...@mesosphere.io>
Committed: Wed Nov 16 01:55:03 2016 -0800
----------------------------------------------------------------------
include/mesos/authorizer/authorizer.hpp | 6 +-
include/mesos/authorizer/authorizer.proto | 54 ++++++++++++
src/authorizer/local/authorizer.cpp | 115 +++++++++++++++++++++----
3 files changed, 157 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/bc0e6d7b/include/mesos/authorizer/authorizer.hpp
----------------------------------------------------------------------
diff --git a/include/mesos/authorizer/authorizer.hpp b/include/mesos/authorizer/authorizer.hpp
index cb365c7..7217600 100644
--- a/include/mesos/authorizer/authorizer.hpp
+++ b/include/mesos/authorizer/authorizer.hpp
@@ -61,7 +61,9 @@ public:
task_info(object.has_task_info() ? &object.task_info() : nullptr),
executor_info(
object.has_executor_info() ? &object.executor_info() : nullptr),
- quota_info(object.has_quota_info() ? &object.quota_info() : nullptr) {}
+ quota_info(object.has_quota_info() ? &object.quota_info() : nullptr),
+ weight_info(object.has_weight_info() ? &object.weight_info() : nullptr),
+ resource(object.has_resource() ? &object.resource() : nullptr) {}
const std::string* value;
const FrameworkInfo* framework_info;
@@ -69,6 +71,8 @@ public:
const TaskInfo* task_info;
const ExecutorInfo* executor_info;
const quota::QuotaInfo* quota_info;
+ const WeightInfo* weight_info;
+ const Resource* resource;
};
/**
http://git-wip-us.apache.org/repos/asf/mesos/blob/bc0e6d7b/include/mesos/authorizer/authorizer.proto
----------------------------------------------------------------------
diff --git a/include/mesos/authorizer/authorizer.proto b/include/mesos/authorizer/authorizer.proto
index b6a9f14..0696a62 100644
--- a/include/mesos/authorizer/authorizer.proto
+++ b/include/mesos/authorizer/authorizer.proto
@@ -46,11 +46,17 @@ message Object {
optional TaskInfo task_info = 4;
optional ExecutorInfo executor_info = 5;
optional quota.QuotaInfo quota_info = 6;
+ optional WeightInfo weight_info = 7;
+ optional Resource resource = 8;
}
// List of authorizable actions supported in Mesos.
+// NOTE: Values in this enum should be kept in
+// numerical order to prevent accidental aliasing.
enum Action {
+ option allow_alias = true;
+
// This must be the first enum value in this list, to
// ensure that if 'type' is not set, the default value
// is UNKNOWN. This enables enum values to be added
@@ -58,19 +64,67 @@ enum Action {
UNKNOWN = 0;
// Actions named *_WITH_foo may set a foo in `Object.value`.
+
+ // `REGISTER_FRAMEWORK` will have an object with `FrameworkInfo` set.
+ // The `_WITH_ROLE` alias is deprecated and will be removed after
+ // Mesos 1.2's deprecation cycle ends. The `value` field will continue
+ // to be set until that time.
+ REGISTER_FRAMEWORK = 1;
REGISTER_FRAMEWORK_WITH_ROLE = 1;
// `RUN_TASK` will have an object with `FrameworkInfo` and `TaskInfo` set.
RUN_TASK = 2;
+ // `TEARDOWN_FRAMEWORK` will have an object with `FrameworkInfo` set.
+ // The `_WITH_PRINCIPAL` alias is deprecated and will be removed after
+ // Mesos 1.2's deprecation cycle ends. The `value` field will continue
+ // to be set until that time.
+ TEARDOWN_FRAMEWORK = 3;
TEARDOWN_FRAMEWORK_WITH_PRINCIPAL = 3;
+
+ // `RESERVE_RESOURCES` will have an object with `Resource` set.
+ // The `_WITH_ROLE` alias is deprecated and will be removed after
+ // Mesos 1.2's deprecation cycle ends. The `value` field will continue
+ // to be set until that time.
+ RESERVE_RESOURCES = 4;
RESERVE_RESOURCES_WITH_ROLE = 4;
+
+ // `UNRESERVE_RESOURCES` will have an object with `Resource` set.
+ // The `_WITH_PRINCIPAL` alias is deprecated and will be removed after
+ // Mesos 1.2's deprecation cycle ends. The `value` field will continue
+ // to be set until that time.
+ UNRESERVE_RESOURCES = 5;
UNRESERVE_RESOURCES_WITH_PRINCIPAL = 5;
+
+ // `CREATE_VOLUME` will have an object with `Resource` set.
+ // The `_WITH_ROLE` alias is deprecated and will be removed after
+ // Mesos 1.2's deprecation cycle ends. The `value` field will continue
+ // to be set until that time.
+ CREATE_VOLUME = 6;
CREATE_VOLUME_WITH_ROLE = 6;
+
+ // `DESTROY_VOLUME` will have an object with `Resource` set.
+ // The `_WITH_PRINCIPAL` alias is deprecated and will be removed after
+ // Mesos 1.2's deprecation cycle ends. The `value` field will continue
+ // to be set until that time.
+ DESTROY_VOLUME = 7;
DESTROY_VOLUME_WITH_PRINCIPAL = 7;
+
GET_ENDPOINT_WITH_PATH = 8;
VIEW_ROLE = 9;
+
+ // `UPDATE_WEIGHT` will have an object with `WeightInfo` set.
+ // The `_WITH_ROLE` alias is deprecated and will be removed after
+ // Mesos 1.2's deprecation cycle ends. The `value` field will continue
+ // to be set until that time.
+ UPDATE_WEIGHT = 10;
UPDATE_WEIGHT_WITH_ROLE = 10;
+
+ // `GET_QUOTA` will have an object with `QuotaInfo` set.
+ // The `_WITH_ROLE` alias is deprecated and will be removed after
+ // Mesos 1.2's deprecation cycle ends. The `value` field will continue
+ // to be set until that time.
+ GET_QUOTA = 11;
GET_QUOTA_WITH_ROLE = 11;
// `UPDATE_QUOTA` will have an object with a `QuotaInfo` set.
http://git-wip-us.apache.org/repos/asf/mesos/blob/bc0e6d7b/src/authorizer/local/authorizer.cpp
----------------------------------------------------------------------
diff --git a/src/authorizer/local/authorizer.cpp b/src/authorizer/local/authorizer.cpp
index f1dff65..77e05dd 100644
--- a/src/authorizer/local/authorizer.cpp
+++ b/src/authorizer/local/authorizer.cpp
@@ -221,15 +221,7 @@ public:
} else {
switch (action_) {
// All actions using `object.value` for authorization.
- case authorization::REGISTER_FRAMEWORK_WITH_ROLE:
- case authorization::TEARDOWN_FRAMEWORK_WITH_PRINCIPAL:
- case authorization::RESERVE_RESOURCES_WITH_ROLE:
- case authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL:
- case authorization::CREATE_VOLUME_WITH_ROLE:
- case authorization::DESTROY_VOLUME_WITH_PRINCIPAL:
- case authorization::GET_QUOTA_WITH_ROLE:
case authorization::VIEW_ROLE:
- case authorization::UPDATE_WEIGHT_WITH_ROLE:
case authorization::GET_ENDPOINT_WITH_PATH: {
// Check object has the required types set.
CHECK_NOTNULL(object->value);
@@ -239,6 +231,92 @@ public:
break;
}
+ case authorization::REGISTER_FRAMEWORK: {
+ aclObject.set_type(mesos::ACL::Entity::SOME);
+ if (object->framework_info) {
+ aclObject.add_values(object->framework_info->role());
+ } else if (object->value) {
+ aclObject.add_values(*(object->value));
+ } else {
+ aclObject.set_type(mesos::ACL::Entity::ANY);
+ }
+
+ break;
+ }
+ case authorization::TEARDOWN_FRAMEWORK: {
+ aclObject.set_type(mesos::ACL::Entity::SOME);
+ if (object->framework_info) {
+ aclObject.add_values(object->framework_info->principal());
+ } else if (object->value) {
+ aclObject.add_values(*(object->value));
+ } else {
+ aclObject.set_type(mesos::ACL::Entity::ANY);
+ }
+
+ break;
+ }
+ case authorization::CREATE_VOLUME:
+ case authorization::RESERVE_RESOURCES: {
+ aclObject.set_type(mesos::ACL::Entity::SOME);
+ if (object->resource) {
+ aclObject.add_values(object->resource->role());
+ } else if (object->value) {
+ aclObject.add_values(*(object->value));
+ } else {
+ aclObject.set_type(mesos::ACL::Entity::ANY);
+ }
+
+ break;
+ }
+ case authorization::DESTROY_VOLUME: {
+ aclObject.set_type(mesos::ACL::Entity::SOME);
+ if (object->resource) {
+ aclObject.add_values(
+ object->resource->disk().persistence().principal());
+ } else if (object->value) {
+ aclObject.add_values(*(object->value));
+ } else {
+ aclObject.set_type(mesos::ACL::Entity::ANY);
+ }
+
+ break;
+ }
+ case authorization::UNRESERVE_RESOURCES: {
+ aclObject.set_type(mesos::ACL::Entity::SOME);
+ if (object->resource) {
+ aclObject.add_values(object->resource->reservation().principal());
+ } else if (object->value) {
+ aclObject.add_values(*(object->value));
+ } else {
+ aclObject.set_type(mesos::ACL::Entity::ANY);
+ }
+
+ break;
+ }
+ case authorization::GET_QUOTA: {
+ aclObject.set_type(mesos::ACL::Entity::SOME);
+ if (object->quota_info) {
+ aclObject.add_values(object->quota_info->role());
+ } else if (object->value) {
+ aclObject.add_values(*(object->value));
+ } else {
+ aclObject.set_type(mesos::ACL::Entity::ANY);
+ }
+
+ break;
+ }
+ case authorization::UPDATE_WEIGHT: {
+ aclObject.set_type(mesos::ACL::Entity::SOME);
+ if (object->weight_info) {
+ aclObject.add_values(object->weight_info->role());
+ } else if (object->value) {
+ aclObject.add_values(*(object->value));
+ } else {
+ aclObject.set_type(mesos::ACL::Entity::ANY);
+ }
+
+ break;
+ }
case authorization::RUN_TASK: {
aclObject.set_type(mesos::ACL::Entity::SOME);
if (object->task_info && object->task_info->has_command() &&
@@ -253,6 +331,7 @@ public:
} else {
aclObject.set_type(mesos::ACL::Entity::ANY);
}
+
break;
}
case authorization::ACCESS_MESOS_LOG: {
@@ -497,7 +576,7 @@ private:
vector<GenericACL> acls_;
switch (action) {
- case authorization::REGISTER_FRAMEWORK_WITH_ROLE:
+ case authorization::REGISTER_FRAMEWORK:
foreach (
const ACL::RegisterFramework& acl, acls.register_frameworks()) {
GenericACL acl_;
@@ -509,7 +588,7 @@ private:
return acls_;
break;
- case authorization::TEARDOWN_FRAMEWORK_WITH_PRINCIPAL:
+ case authorization::TEARDOWN_FRAMEWORK:
foreach (
const ACL::TeardownFramework& acl, acls.teardown_frameworks()) {
GenericACL acl_;
@@ -532,7 +611,7 @@ private:
return acls_;
break;
- case authorization::RESERVE_RESOURCES_WITH_ROLE:
+ case authorization::RESERVE_RESOURCES:
foreach (const ACL::ReserveResources& acl, acls.reserve_resources()) {
GenericACL acl_;
acl_.subjects = acl.principals();
@@ -543,7 +622,7 @@ private:
return acls_;
break;
- case authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL:
+ case authorization::UNRESERVE_RESOURCES:
foreach (
const ACL::UnreserveResources& acl, acls.unreserve_resources()) {
GenericACL acl_;
@@ -555,7 +634,7 @@ private:
return acls_;
break;
- case authorization::CREATE_VOLUME_WITH_ROLE:
+ case authorization::CREATE_VOLUME:
foreach (const ACL::CreateVolume& acl, acls.create_volumes()) {
GenericACL acl_;
acl_.subjects = acl.principals();
@@ -566,7 +645,7 @@ private:
return acls_;
break;
- case authorization::DESTROY_VOLUME_WITH_PRINCIPAL:
+ case authorization::DESTROY_VOLUME:
foreach (const ACL::DestroyVolume& acl, acls.destroy_volumes()) {
GenericACL acl_;
acl_.subjects = acl.principals();
@@ -577,7 +656,7 @@ private:
return acls_;
break;
- case authorization::GET_QUOTA_WITH_ROLE:
+ case authorization::GET_QUOTA:
foreach (const ACL::GetQuota& acl, acls.get_quotas()) {
GenericACL acl_;
acl_.subjects = acl.principals();
@@ -629,7 +708,7 @@ private:
return acls_;
break;
- case authorization::UPDATE_WEIGHT_WITH_ROLE:
+ case authorization::UPDATE_WEIGHT:
foreach (const ACL::UpdateWeight& acl, acls.update_weights()) {
GenericACL acl_;
acl_.subjects = acl.principals();
@@ -845,7 +924,9 @@ process::Future<bool> LocalAuthorizer::authorized(
request.object().has_task() ||
request.object().has_task_info() ||
request.object().has_executor_info() ||
- request.object().has_quota_info())));
+ request.object().has_quota_info() ||
+ request.object().has_weight_info() ||
+ request.object().has_resource())));
typedef Future<bool> (LocalAuthorizerProcess::*F)(
const authorization::Request&);
[2/3] mesos git commit: Updated calls to the authorizer to use whole
protobuf messages.
Posted by me...@apache.org.
Updated calls to the authorizer to use whole protobuf messages.
Makes changes in the calls to the authorizer, so that it uses the
new protobuf message based authorization calls when available.
It still sets the traditional `Object.value` field for compatibility
with old authorizers.
Review: https://reviews.apache.org/r/53057/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/181c89d9
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/181c89d9
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/181c89d9
Branch: refs/heads/master
Commit: 181c89d9b32d576e35dbcd9e15292b551e2ad6df
Parents: bc0e6d7
Author: Alexander Rojas <al...@mesosphere.io>
Authored: Tue Nov 15 19:04:51 2016 -0800
Committer: Adam B <ad...@mesosphere.io>
Committed: Wed Nov 16 01:55:03 2016 -0800
----------------------------------------------------------------------
src/master/http.cpp | 4 +++-
src/master/master.cpp | 16 +++++++++++-----
src/master/master.hpp | 4 ++--
src/master/quota_handler.cpp | 11 ++++++-----
src/master/weights_handler.cpp | 11 ++++++-----
5 files changed, 28 insertions(+), 18 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/181c89d9/src/master/http.cpp
----------------------------------------------------------------------
diff --git a/src/master/http.cpp b/src/master/http.cpp
index 88a8df5..90cbed1 100644
--- a/src/master/http.cpp
+++ b/src/master/http.cpp
@@ -3485,13 +3485,15 @@ Future<Response> Master::Http::teardown(
}
authorization::Request teardown;
- teardown.set_action(authorization::TEARDOWN_FRAMEWORK_WITH_PRINCIPAL);
+ teardown.set_action(authorization::TEARDOWN_FRAMEWORK);
if (principal.isSome()) {
teardown.mutable_subject()->set_value(principal.get());
}
if (framework->info.has_principal()) {
+ teardown.mutable_object()->mutable_framework_info()->CopyFrom(
+ framework->info);
teardown.mutable_object()->set_value(framework->info.principal());
}
http://git-wip-us.apache.org/repos/asf/mesos/blob/181c89d9/src/master/master.cpp
----------------------------------------------------------------------
diff --git a/src/master/master.cpp b/src/master/master.cpp
index f0b6297..4482d4c 100644
--- a/src/master/master.cpp
+++ b/src/master/master.cpp
@@ -2070,12 +2070,13 @@ Future<bool> Master::authorizeFramework(
<< "' to receive offers for role '" << frameworkInfo.role() << "'";
authorization::Request request;
- request.set_action(authorization::REGISTER_FRAMEWORK_WITH_ROLE);
+ request.set_action(authorization::REGISTER_FRAMEWORK);
if (frameworkInfo.has_principal()) {
request.mutable_subject()->set_value(frameworkInfo.principal());
}
+ request.mutable_object()->mutable_framework_info()->CopyFrom(frameworkInfo);
request.mutable_object()->set_value(frameworkInfo.role());
return authorizer.get()->authorized(request);
@@ -3188,7 +3189,7 @@ Future<bool> Master::authorizeReserveResources(
}
authorization::Request request;
- request.set_action(authorization::RESERVE_RESOURCES_WITH_ROLE);
+ request.set_action(authorization::RESERVE_RESOURCES);
if (principal.isSome()) {
request.mutable_subject()->set_value(principal.get());
@@ -3203,6 +3204,7 @@ Future<bool> Master::authorizeReserveResources(
if (!roles.contains(resource.role())) {
roles.insert(resource.role());
+ request.mutable_object()->mutable_resource()->CopyFrom(resource);
request.mutable_object()->set_value(resource.role());
authorizations.push_back(authorizer.get()->authorized(request));
}
@@ -3244,7 +3246,7 @@ Future<bool> Master::authorizeUnreserveResources(
}
authorization::Request request;
- request.set_action(authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL);
+ request.set_action(authorization::UNRESERVE_RESOURCES);
if (principal.isSome()) {
request.mutable_subject()->set_value(principal.get());
@@ -3258,6 +3260,8 @@ Future<bool> Master::authorizeUnreserveResources(
// during validation.
if (Resources::isDynamicallyReserved(resource) &&
resource.reservation().has_principal()) {
+ request.mutable_object()->mutable_resource()->CopyFrom(resource);
+
request.mutable_object()->set_value(
resource.reservation().principal());
@@ -3297,7 +3301,7 @@ Future<bool> Master::authorizeCreateVolume(
}
authorization::Request request;
- request.set_action(authorization::CREATE_VOLUME_WITH_ROLE);
+ request.set_action(authorization::CREATE_VOLUME);
if (principal.isSome()) {
request.mutable_subject()->set_value(principal.get());
@@ -3312,6 +3316,7 @@ Future<bool> Master::authorizeCreateVolume(
if (!roles.contains(volume.role())) {
roles.insert(volume.role());
+ request.mutable_object()->mutable_resource()->CopyFrom(volume);
request.mutable_object()->set_value(volume.role());
authorizations.push_back(authorizer.get()->authorized(request));
}
@@ -3349,7 +3354,7 @@ Future<bool> Master::authorizeDestroyVolume(
}
authorization::Request request;
- request.set_action(authorization::DESTROY_VOLUME_WITH_PRINCIPAL);
+ request.set_action(authorization::DESTROY_VOLUME);
if (principal.isSome()) {
request.mutable_subject()->set_value(principal.get());
@@ -3361,6 +3366,7 @@ Future<bool> Master::authorizeDestroyVolume(
// authorization, we must check here that this resource is a persistent
// volume. If it isn't, the error will be caught during validation.
if (Resources::isPersistentVolume(volume)) {
+ request.mutable_object()->mutable_resource()->CopyFrom(volume);
request.mutable_object()->set_value(
volume.disk().persistence().principal());
http://git-wip-us.apache.org/repos/asf/mesos/blob/181c89d9/src/master/master.hpp
----------------------------------------------------------------------
diff --git a/src/master/master.hpp b/src/master/master.hpp
index 87186c6..bc6aafc 100644
--- a/src/master/master.hpp
+++ b/src/master/master.hpp
@@ -1075,7 +1075,7 @@ private:
process::Future<bool> authorizeGetQuota(
const Option<std::string>& principal,
- const std::string& role) const;
+ const quota::QuotaInfo& role) const;
// TODO(mpark): The following functions `authorizeSetQuota` and
// `authorizeRemoveQuota` should be replaced with `authorizeUpdateQuota` at
@@ -1149,7 +1149,7 @@ private:
private:
process::Future<bool> authorizeGetWeight(
const Option<std::string>& principal,
- const std::string& role) const;
+ const WeightInfo& weight) const;
process::Future<bool> authorizeUpdateWeights(
const Option<std::string>& principal,
http://git-wip-us.apache.org/repos/asf/mesos/blob/181c89d9/src/master/quota_handler.cpp
----------------------------------------------------------------------
diff --git a/src/master/quota_handler.cpp b/src/master/quota_handler.cpp
index d87d6c6..9ceff38 100644
--- a/src/master/quota_handler.cpp
+++ b/src/master/quota_handler.cpp
@@ -257,7 +257,7 @@ Future<QuotaStatus> Master::QuotaHandler::_status(
// TODO(alexr): Use an authorization filter here once they are available.
list<Future<bool>> authorizedRoles;
foreach (const QuotaInfo& info, quotaInfos) {
- authorizedRoles.push_back(authorizeGetQuota(principal, info.role()));
+ authorizedRoles.push_back(authorizeGetQuota(principal, info));
}
return process::collect(authorizedRoles)
@@ -526,7 +526,7 @@ Future<http::Response> Master::QuotaHandler::__remove(const string& role) const
Future<bool> Master::QuotaHandler::authorizeGetQuota(
const Option<string>& principal,
- const string& role) const
+ const QuotaInfo& quota) const
{
if (master->authorizer.isNone()) {
return true;
@@ -534,16 +534,17 @@ Future<bool> Master::QuotaHandler::authorizeGetQuota(
LOG(INFO) << "Authorizing principal '"
<< (principal.isSome() ? principal.get() : "ANY")
- << "' to get quota for role '" << role << "'";
+ << "' to get quota for role '" << quota.role() << "'";
authorization::Request request;
- request.set_action(authorization::GET_QUOTA_WITH_ROLE);
+ request.set_action(authorization::GET_QUOTA);
if (principal.isSome()) {
request.mutable_subject()->set_value(principal.get());
}
- request.mutable_object()->set_value(role);
+ request.mutable_object()->mutable_quota_info()->CopyFrom(quota);
+ request.mutable_object()->set_value(quota.role());
return master->authorizer.get()->authorized(request);
}
http://git-wip-us.apache.org/repos/asf/mesos/blob/181c89d9/src/master/weights_handler.cpp
----------------------------------------------------------------------
diff --git a/src/master/weights_handler.cpp b/src/master/weights_handler.cpp
index c240fb2..da0b995 100644
--- a/src/master/weights_handler.cpp
+++ b/src/master/weights_handler.cpp
@@ -118,7 +118,7 @@ Future<vector<WeightInfo>> Master::WeightsHandler::_getWeights(
// TODO(alexr): Batch these actions once we have BatchRequest in authorizer.
list<Future<bool>> roleAuthorizations;
foreach (const WeightInfo& info, weightInfos) {
- roleAuthorizations.push_back(authorizeGetWeight(principal, info.role()));
+ roleAuthorizations.push_back(authorizeGetWeight(principal, info));
}
return process::collect(roleAuthorizations)
@@ -325,7 +325,7 @@ Future<bool> Master::WeightsHandler::authorizeUpdateWeights(
<< "' to update weights for roles '" << stringify(roles) << "'";
authorization::Request request;
- request.set_action(authorization::UPDATE_WEIGHT_WITH_ROLE);
+ request.set_action(authorization::UPDATE_WEIGHT);
if (principal.isSome()) {
request.mutable_subject()->set_value(principal.get());
@@ -357,7 +357,7 @@ Future<bool> Master::WeightsHandler::authorizeUpdateWeights(
Future<bool> Master::WeightsHandler::authorizeGetWeight(
const Option<string>& principal,
- const string& role) const
+ const WeightInfo& weight) const
{
if (master->authorizer.isNone()) {
return true;
@@ -365,7 +365,7 @@ Future<bool> Master::WeightsHandler::authorizeGetWeight(
LOG(INFO) << "Authorizing principal '"
<< (principal.isSome() ? principal.get() : "ANY")
- << "' to get weight for role '" << role << "'";
+ << "' to get weight for role '" << weight.role() << "'";
authorization::Request request;
request.set_action(authorization::VIEW_ROLE);
@@ -374,7 +374,8 @@ Future<bool> Master::WeightsHandler::authorizeGetWeight(
request.mutable_subject()->set_value(principal.get());
}
- request.mutable_object()->set_value(role);
+ request.mutable_object()->mutable_weight_info()->CopyFrom(weight);
+ request.mutable_object()->set_value(weight.role());
return master->authorizer.get()->authorized(request);
}