Posted to commits@mesos.apache.org by ti...@apache.org on 2015/12/18 21:02:01 UTC

[3/7] mesos git commit: Quota: Implemented set quota request authorization.

Quota: Implemented set quota request authorization.

Review: https://reviews.apache.org/r/40347/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/2940586f
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/2940586f
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/2940586f

Branch: refs/heads/master
Commit: 2940586f64383668ecaf722c279f325d04fb3781
Parents: df99dbb
Author: Jan Schlicht <ja...@mesosphere.io>
Authored: Fri Dec 18 17:44:44 2015 +0100
Committer: Till Toenshoff <to...@me.com>
Committed: Fri Dec 18 17:49:34 2015 +0100

----------------------------------------------------------------------
 src/master/master.hpp        |  8 ++++++
 src/master/quota_handler.cpp | 51 ++++++++++++++++++++++++++++++++++++---
 2 files changed, 56 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/2940586f/src/master/master.hpp
----------------------------------------------------------------------
diff --git a/src/master/master.hpp b/src/master/master.hpp
index 7cb0e16..d493109 100644
--- a/src/master/master.hpp
+++ b/src/master/master.hpp
@@ -992,6 +992,14 @@ private:
     // (including rescinding) is moved to allocator.
     void rescindOffers(const mesos::quota::QuotaInfo& request) const;
 
+    process::Future<bool> authorize(
+        const Option<std::string>& principal,
+        const std::string& role) const;
+
+    process::Future<process::http::Response> _set(
+        const mesos::quota::QuotaInfo& quota,
+        bool forced) const;
+
     // To perform actions related to quota management, we require access to the
     // master data structures. No synchronization primitives are needed here
     // since `QuotaHandler`'s functions are invoked in the Master's actor.
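Review bot: The two new declarations carry no documentation, while the surrounding members of `QuotaHandler` are commented; a reader of the header cannot tell what `authorize` decides or why `_set` exists. I would add above `authorize`: `// Authorizes `principal` to set quota for `role` via the master's authorizer; resolves to true when no authorizer is configured or the authorizer permits the request.` and above `_set`: `// Continuation of `set()` that runs once the request has been authorized; `forced` bypasses the capacity heuristic check.`. The note about "no authorizer configured" should be phrased as it is implemented in quota_handler.cpp, so a future change to that policy updates both places. The enclosing `QuotaHandler` class starts and ends outside this hunk.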

http://git-wip-us.apache.org/repos/asf/mesos/blob/2940586f/src/master/quota_handler.cpp
----------------------------------------------------------------------
diff --git a/src/master/quota_handler.cpp b/src/master/quota_handler.cpp
index 1116787..27e12ab 100644
--- a/src/master/quota_handler.cpp
+++ b/src/master/quota_handler.cpp
@@ -263,8 +263,6 @@ Future<http::Response> Master::QuotaHandler::set(
     return Unauthorized("Mesos master", credential.error());
   }
 
-  // TODO(nfnt): Authorize the request.
-
   // Check that the request type is POST which is guaranteed by the master.
   CHECK_EQ("POST", request.method);
 
@@ -327,7 +325,28 @@ Future<http::Response> Master::QuotaHandler::set(
   const QuotaInfo& quotaInfo = create.get();
 
   // The force flag can be used to overwrite the capacityHeuristic check.
-  if (values.contains("force") && strings::lower(values["force"]) == "true") {
+  bool forced = values.contains("force") &&
+                strings::lower(values["force"]) == "true";
+
+  Option<string> principal =
+    credential.isSome() ? credential.get().principal() : Option<string>::none();
+
+  return authorize(principal, quotaInfo.role())
+    .then(defer(master->self(), [=](bool authorized) -> Future<http::Response> {
+      if (!authorized) {
+        return Unauthorized("Mesos master");
+      }
+
+      return _set(quotaInfo, forced);
+    }));
+}
+
+
+Future<http::Response> Master::QuotaHandler::_set(
+    const QuotaInfo& quotaInfo,
+    bool forced) const
+{
+  if (forced) {
     VLOG(1) << "Using force flag to override quota capacityHeuristic check";
   } else {
     // Validate whether a quota request can be satisfied.
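Review bot: An authorization failure is answered with `Unauthorized("Mesos master")` in the continuation lambda, which is a 401 inviting the client to (re)authenticate, yet at this point the principal has already passed authentication — a credential error was rejected earlier in `set`, before this hunk. HTTP reserves 403 Forbidden for "authenticated but not permitted", and returning 401 here makes a policy denial indistinguishable from a bad password and may prompt clients to retry with credentials they already supplied; if libprocess's `http` namespace provides it, `return Forbidden("Principal is not authorized to set quota for role '" + quotaInfo.role() + "'");` would be the accurate response. Also worth a one-line comment on the `.then(...)`: a failed authorizer future is not handled here and propagates as a failed future, so whatever converts that into an HTTP status lives outside this hunk and should be checked to not leak authorizer internals. Both `set` (starts before the hunk) and `_set` (continues after it) are only partially visible.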
@@ -438,6 +457,32 @@ Future<http::Response> Master::QuotaHandler::remove(
     }));
 }
 
+
+Future<bool> Master::QuotaHandler::authorize(
+    const Option<string>& principal,
+    const string& role) const
+{
+  if (master->authorizer.isNone()) {
+    return true;
+  }
+
+  LOG(INFO) << "Authorizing principal '"
+            << (principal.isSome() ? principal.get() : "ANY")
+            << "' to request quota for role '" << role << "'";
+
+  mesos::ACL::SetQuota request;
+
+  if (principal.isSome()) {
+    request.mutable_principals()->add_values(principal.get());
+  } else {
+    request.mutable_principals()->set_type(mesos::ACL::Entity::ANY);
+  }
+
+  request.mutable_roles()->add_values(role);
+
+  return master->authorizer.get()->authorize(request);
+}
+
 } // namespace master {
 } // namespace internal {
 } // namespace mesos {
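Review bot: Two security-relevant policy decisions in `authorize` are silent and deserve comments, because neither is obvious from the code: an absent authorizer makes every quota request pass (`return true` when `master->authorizer.isNone()`), and a request without a principal is authorized as `ACL::Entity::ANY` rather than being denied. I would write above the first check `// No authorizer configured: every quota request is permitted.` and above the `else` branch `// No principal means HTTP authentication is not enforced (an authentication failure is rejected before we get here); such a request is matched against the ACLs as the ANY principal, and how ANY is treated is up to the configured authorizer — TODO confirm this is the intended policy.`. The second point is the one to confirm: if the authorizer's matching rules let ANY satisfy a principal-restricted ACL, an unauthenticated caller could set quota for any role when authentication is off, which is presumably accepted as deployment policy but should be stated.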