Posted to commits@mesos.apache.org by ti...@apache.org on 2015/12/18 21:02:01 UTC
[3/7] mesos git commit: Quota: Implemented set quota request
authorization.
Quota: Implemented set quota request authorization.
Review: https://reviews.apache.org/r/40347/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/2940586f
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/2940586f
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/2940586f
Branch: refs/heads/master
Commit: 2940586f64383668ecaf722c279f325d04fb3781
Parents: df99dbb
Author: Jan Schlicht <ja...@mesosphere.io>
Authored: Fri Dec 18 17:44:44 2015 +0100
Committer: Till Toenshoff <to...@me.com>
Committed: Fri Dec 18 17:49:34 2015 +0100
----------------------------------------------------------------------
src/master/master.hpp | 8 ++++++
src/master/quota_handler.cpp | 51 ++++++++++++++++++++++++++++++++++++---
2 files changed, 56 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/2940586f/src/master/master.hpp
----------------------------------------------------------------------
diff --git a/src/master/master.hpp b/src/master/master.hpp
index 7cb0e16..d493109 100644
--- a/src/master/master.hpp
+++ b/src/master/master.hpp
@@ -992,6 +992,14 @@ private:
// (including rescinding) is moved to allocator.
void rescindOffers(const mesos::quota::QuotaInfo& request) const;
+ process::Future<bool> authorize(
+ const Option<std::string>& principal,
+ const std::string& role) const;
+
+ process::Future<process::http::Response> _set(
+ const mesos::quota::QuotaInfo& quota,
+ bool forced) const;
+
// To perform actions related to quota management, we require access to the
// master data structures. No synchronization primitives are needed here
// since `QuotaHandler`'s functions are invoked in the Master's actor.
http://git-wip-us.apache.org/repos/asf/mesos/blob/2940586f/src/master/quota_handler.cpp
----------------------------------------------------------------------
diff --git a/src/master/quota_handler.cpp b/src/master/quota_handler.cpp
index 1116787..27e12ab 100644
--- a/src/master/quota_handler.cpp
+++ b/src/master/quota_handler.cpp
@@ -263,8 +263,6 @@ Future<http::Response> Master::QuotaHandler::set(
return Unauthorized("Mesos master", credential.error());
}
- // TODO(nfnt): Authorize the request.
-
// Check that the request type is POST which is guaranteed by the master.
CHECK_EQ("POST", request.method);
@@ -327,7 +325,28 @@ Future<http::Response> Master::QuotaHandler::set(
const QuotaInfo& quotaInfo = create.get();
// The force flag can be used to overwrite the capacityHeuristic check.
- if (values.contains("force") && strings::lower(values["force"]) == "true") {
+ bool forced = values.contains("force") &&
+ strings::lower(values["force"]) == "true";
+
+ Option<string> principal =
+ credential.isSome() ? credential.get().principal() : Option<string>::none();
+
+ return authorize(principal, quotaInfo.role())
+ .then(defer(master->self(), [=](bool authorized) -> Future<http::Response> {
+ if (!authorized) {
+ return Unauthorized("Mesos master");
+ }
+
+ return _set(quotaInfo, forced);
+ }));
+}
+
+
+Future<http::Response> Master::QuotaHandler::_set(
+ const QuotaInfo& quotaInfo,
+ bool forced) const
+{
+ if (forced) {
VLOG(1) << "Using force flag to override quota capacityHeuristic check";
} else {
// Validate whether a quota request can be satisfied.
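Review bot: The denial branch in the continuation, `if (!authorized)`, returns a bare `Unauthorized("Mesos master")` and records nothing, so a refused quota request leaves no trace beyond the INFO line that says the attempt was made; the credential was already accepted earlier in `set()`, so this is an authorization failure rather than an authentication one. I would log it with the principal and role before returning, e.g. `LOG(WARNING) << "Principal '" << (principal.isSome() ? principal.get() : "ANY") << "' is not authorized to set quota for role '" << quotaInfo.role() << "'";` ahead of the `return`, and consider whether the HTTP layer offers a 403-style response, since a 401 invites the client to retry with different credentials. The `[=]` capture also copies `this` into a continuation deferred to `master->self()`; that looks safe provided the handler lives as long as the master, which I cannot confirm from this hunk. `set()` starts before this hunk and `_set()` continues past it.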
@@ -438,6 +457,32 @@ Future<http::Response> Master::QuotaHandler::remove(
}));
}
+
+Future<bool> Master::QuotaHandler::authorize(
+ const Option<string>& principal,
+ const string& role) const
+{
+ if (master->authorizer.isNone()) {
+ return true;
+ }
+
+ LOG(INFO) << "Authorizing principal '"
+ << (principal.isSome() ? principal.get() : "ANY")
+ << "' to request quota for role '" << role << "'";
+
+ mesos::ACL::SetQuota request;
+
+ if (principal.isSome()) {
+ request.mutable_principals()->add_values(principal.get());
+ } else {
+ request.mutable_principals()->set_type(mesos::ACL::Entity::ANY);
+ }
+
+ request.mutable_roles()->add_values(role);
+
+ return master->authorizer.get()->authorize(request);
+}
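Review bot: The early `return true` when `master->authorizer.isNone()` grants every quota request without any log entry, while the path that consults the authorizer logs the attempt; a reader skimming the function could miss that an unconfigured authorizer means allow-all. I would mark that branch with `// No authorizer configured: quota requests are not restricted.` and add a matching `VLOG(1) << "No authorizer configured, allowing quota request for role '" << role << "'";` so the two paths are symmetric. The INFO line records the request but not the authorizer's decision; if the outcome should be auditable, that belongs with the caller's continuation rather than here.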
+
} // namespace master {
} // namespace internal {
} // namespace mesos {