Posted to commits@mesos.apache.org by ji...@apache.org on 2017/11/29 03:35:11 UTC

[4/9] mesos git commit: Renamed agent flag '--executor_secret_key' to '--jwt_secret_key'.

Renamed agent flag '--executor_secret_key' to '--jwt_secret_key'.

Now that this is also re-used for authenticating resource provider
initiated requests for managing standalone containers.

Review: https://reviews.apache.org/r/64107


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/86302f5d
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/86302f5d
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/86302f5d

Branch: refs/heads/master
Commit: 86302f5da599fd77fdfe60bd1852c8a296e764d1
Parents: 60d581b
Author: Jie Yu <yu...@gmail.com>
Authored: Mon Nov 27 18:22:43 2017 -0800
Committer: Jie Yu <yu...@gmail.com>
Committed: Tue Nov 28 18:41:56 2017 -0800

----------------------------------------------------------------------
 CHANGELOG                               |  2 ++
 docs/authentication.md                  |  4 ++--
 docs/configuration/agent.md             |  7 +++----
 docs/upgrades.md                        |  5 +++++
 src/slave/flags.cpp                     | 10 +++++-----
 src/slave/flags.hpp                     |  2 +-
 src/slave/slave.cpp                     | 18 +++++++++---------
 src/tests/executor_http_api_tests.cpp   |  2 +-
 src/tests/mesos.cpp                     |  6 +++---
 src/tests/mesos.hpp                     |  2 +-
 src/tests/slave_authorization_tests.cpp |  4 ++--
 11 files changed, 34 insertions(+), 28 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/86302f5d/CHANGELOG
----------------------------------------------------------------------
diff --git a/CHANGELOG b/CHANGELOG
index 08d51df..6eab804 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -3,6 +3,8 @@ Release Notes - Mesos - Version 1.5.0 (WIP)
 This release contains the following new features:
 
 Deprecations/Removals:
+  * Agent flag `--executor_secret_key` has been deprecated. Operators
+    should use `--jwt_secret_key` instead.
 
 Additional API Changes:
   * [MESOS-7660] `Filter::refuse_seconds` is now capped to 31536000

http://git-wip-us.apache.org/repos/asf/mesos/blob/86302f5d/docs/authentication.md
----------------------------------------------------------------------
diff --git a/docs/authentication.md b/docs/authentication.md
index 0abf069..ab3791b 100644
--- a/docs/authentication.md
+++ b/docs/authentication.md
@@ -133,7 +133,7 @@ token (JWT) HTTP authenticator is loaded to handle executor authentication on
 both the executor and operator API endpoints. Note that command and custom
 executors not using the HTTP API will remain unauthenticated.
 
-When a secret key is loaded via the `--executor_secret_key` flag, the agent will
+When a secret key is loaded via the `--jwt_secret_key` flag, the agent will
 generate a default JWT for each executor before it is launched. This token is
 passed into the executor's environment via the
 `MESOS_EXECUTOR_AUTHENTICATION_TOKEN` environment variable. In order to
@@ -146,7 +146,7 @@ In order to upgrade an existing cluster to require executor authentication, the
 following procedure should be followed:
 
 1. Upgrade all agents, and provide each agent with a cryptographic key via the
-   `--executor_secret_key` flag. This key will be used to sign executor
+   `--jwt_secret_key` flag. This key will be used to sign executor
    authentication tokens using the HMAC-SHA256 procedure.
 
 2. Before executor authentication can be enabled successfully, all HTTP

http://git-wip-us.apache.org/repos/asf/mesos/blob/86302f5d/docs/configuration/agent.md
----------------------------------------------------------------------
diff --git a/docs/configuration/agent.md b/docs/configuration/agent.md
index f1e0681..83b0823 100644
--- a/docs/configuration/agent.md
+++ b/docs/configuration/agent.md
@@ -718,12 +718,11 @@ in memory. (default: 150)
 </tr>
 <tr>
   <td>
-    --executor_secret_key=VALUE
+    --jwt_secret_key=VALUE
   </td>
   <td>
-Path to a file containing the key used when generating executor
-secrets. This flag is only available when Mesos is built with SSL
-support.
+Path to a file containing the key used when generating JWT secrets.
+This flag is only available when Mesos is built with SSL support.
   </td>
 </tr>
 <tr>

http://git-wip-us.apache.org/repos/asf/mesos/blob/86302f5d/docs/upgrades.md
----------------------------------------------------------------------
diff --git a/docs/upgrades.md b/docs/upgrades.md
index 0e4015a..33ba4a6 100644
--- a/docs/upgrades.md
+++ b/docs/upgrades.md
@@ -57,6 +57,7 @@ We categorize the changes as follows:
     <ul style="padding-left:10px;">
       <li>A <a href="#1-5-x-network-ports-isolator">container_ports_watch_interval</a></li>
       <li>A <a href="#1-5-x-network-ports-isolator">check_agent_port_range_only</a></li>
+      <li>D <a href="#1-5-x-executor-secret-key">executor_secret_key</a></li>
     </ul>
   </td>
 
@@ -377,6 +378,10 @@ We categorize the changes as follows:
   * `--container_ports_watch_interval` specifies the interval at which the isolator reconciles port assignments.
   * `--check_agent_port_range_only` excludes ports outside the agent's range from port reconcilation.
 
+<a name="1-5-x-executor-secret-key"></a>
+
+* Agent flag `--executor_secret_key` has been deprecated. Operators should use `--jwt_secret_key` instead.
+
 ## Upgrading from 1.3.x to 1.4.x ##
 
 <a name="1-4-x-ambient-capabilities"></a>

http://git-wip-us.apache.org/repos/asf/mesos/blob/86302f5d/src/slave/flags.cpp
----------------------------------------------------------------------
diff --git a/src/slave/flags.cpp b/src/slave/flags.cpp
index 0eeecdc..7998d9b 100644
--- a/src/slave/flags.cpp
+++ b/src/slave/flags.cpp
@@ -396,11 +396,11 @@ mesos::internal::slave::Flags::Flags()
       DEFAULT_EXECUTOR_SHUTDOWN_GRACE_PERIOD);
 
 #ifdef USE_SSL_SOCKET
-  add(&Flags::executor_secret_key,
-      "executor_secret_key",
-      "Path to a file containing the key used when generating executor\n"
-      "secrets. This flag is only available when Mesos is built with SSL\n"
-      "support.");
+  add(&Flags::jwt_secret_key,
+      "jwt_secret_key",
+      flags::DeprecatedName("executor_secret_key"),
+      "Path to a file containing the key used when generating JWT secrets.\n"
+      "This flag is only available when Mesos is built with SSL support.");
 #endif // USE_SSL_SOCKET
 
   add(&Flags::gc_delay,
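Review bot: The new help text for `jwt_secret_key` does not tell the operator that `executor_secret_key` is still accepted as a deprecated alias, so `--help` gives no migration path for a key that the description says now also authenticates resource provider requests. Unless `flags::DeprecatedName` already renders the alias into the help output (not visible from this hunk), consider appending a line such as `"The deprecated alias --executor_secret_key is still accepted.\n"` to the description. The enclosing `Flags::Flags()` constructor starts and ends outside the hunk.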

http://git-wip-us.apache.org/repos/asf/mesos/blob/86302f5d/src/slave/flags.hpp
----------------------------------------------------------------------
diff --git a/src/slave/flags.hpp b/src/slave/flags.hpp
index 0c02b49..f25d8af 100644
--- a/src/slave/flags.hpp
+++ b/src/slave/flags.hpp
@@ -82,7 +82,7 @@ public:
   Option<Duration> executor_reregistration_retry_interval;
   Duration executor_shutdown_grace_period;
 #ifdef USE_SSL_SOCKET
-  Option<Path> executor_secret_key;
+  Option<Path> jwt_secret_key;
 #endif // USE_SSL_SOCKET
   Duration gc_delay;
   double gc_disk_headroom;

http://git-wip-us.apache.org/repos/asf/mesos/blob/86302f5d/src/slave/slave.cpp
----------------------------------------------------------------------
diff --git a/src/slave/slave.cpp b/src/slave/slave.cpp
index cd71647..ab3d23d 100644
--- a/src/slave/slave.cpp
+++ b/src/slave/slave.cpp
@@ -327,25 +327,25 @@ void Slave::initialize()
 
   Option<string> secretKey;
 #ifdef USE_SSL_SOCKET
-  if (flags.executor_secret_key.isSome()) {
-    Try<string> secretKey_ = os::read(flags.executor_secret_key.get());
+  if (flags.jwt_secret_key.isSome()) {
+    Try<string> secretKey_ = os::read(flags.jwt_secret_key.get());
 
     if (secretKey_.isError()) {
       EXIT(EXIT_FAILURE) << "Failed to read the file specified by "
-                         << "--executor_secret_key";
+                         << "--jwt_secret_key";
     }
 
     // TODO(greggomann): Factor the following code out into a common helper,
     // since we also do this when loading credentials.
     Try<os::Permissions> permissions =
-      os::permissions(flags.executor_secret_key.get());
+      os::permissions(flags.jwt_secret_key.get());
     if (permissions.isError()) {
-      LOG(WARNING) << "Failed to stat executor secret key file '"
-                   << flags.executor_secret_key.get()
+      LOG(WARNING) << "Failed to stat jwt secret key file '"
+                   << flags.jwt_secret_key.get()
                    << "': " << permissions.error();
     } else if (permissions.get().others.rwx) {
       LOG(WARNING) << "Permissions on executor secret key file '"
-                   << flags.executor_secret_key.get()
+                   << flags.jwt_secret_key.get()
                    << "' are too open; it is recommended that your"
                    << " key file is NOT accessible by others";
     }
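Review bot: The two warnings in this hunk now disagree on what the file is called: the stat failure says `"Failed to stat jwt secret key file '"` while the permissions branch three lines later still says `"Permissions on executor secret key file '"`, which makes it harder to grep for key-file problems in agent logs after the rename. Changing the latter to `"Permissions on jwt secret key file '"` keeps both messages aligned with the flag they now reference. The same leftover wording appears in the src/tests/mesos.cpp hunk, where the comment `// Create a secret key for executor authentication.` and the message `"Failed to write executor secret key to '"` are kept while the path and constant are renamed. `Slave::initialize()` continues outside this hunk.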
@@ -355,8 +355,8 @@ void Slave::initialize()
   }
 
   if (flags.authenticate_http_executors) {
-    if (flags.executor_secret_key.isNone()) {
-      EXIT(EXIT_FAILURE) << "--executor_secret_key must be specified when "
+    if (flags.jwt_secret_key.isNone()) {
+      EXIT(EXIT_FAILURE) << "--jwt_secret_key must be specified when "
                          << "--authenticate_http_executors is set to true";
     }
 

http://git-wip-us.apache.org/repos/asf/mesos/blob/86302f5d/src/tests/executor_http_api_tests.cpp
----------------------------------------------------------------------
diff --git a/src/tests/executor_http_api_tests.cpp b/src/tests/executor_http_api_tests.cpp
index 910dbbf..51cca7a 100644
--- a/src/tests/executor_http_api_tests.cpp
+++ b/src/tests/executor_http_api_tests.cpp
@@ -96,7 +96,7 @@ protected:
     // currently has SSL as a dependency, so this is only necessary if Mesos was
     // built with SSL support.
     flags.authenticate_http_executors = false;
-    flags.executor_secret_key = None();
+    flags.jwt_secret_key = None();
 #endif // USE_SSL_SOCKET
 
     return flags;

http://git-wip-us.apache.org/repos/asf/mesos/blob/86302f5d/src/tests/mesos.cpp
----------------------------------------------------------------------
diff --git a/src/tests/mesos.cpp b/src/tests/mesos.cpp
index 9185b5b..3de04dd 100644
--- a/src/tests/mesos.cpp
+++ b/src/tests/mesos.cpp
@@ -212,7 +212,7 @@ slave::Flags MesosTest::CreateSlaveFlags()
 
   {
     // Create a secret key for executor authentication.
-    const string path = path::join(directory.get(), "executor_secret_key");
+    const string path = path::join(directory.get(), "jwt_secret_key");
 
     Try<int_fd> fd = os::open(
         path,
@@ -221,12 +221,12 @@ slave::Flags MesosTest::CreateSlaveFlags()
 
     CHECK_SOME(fd);
 
-    CHECK_SOME(os::write(fd.get(), DEFAULT_EXECUTOR_SECRET_KEY))
+    CHECK_SOME(os::write(fd.get(), DEFAULT_JWT_SECRET_KEY))
       << "Failed to write executor secret key to '" << path << "'";
 
     CHECK_SOME(os::close(fd.get()));
 
-    flags.executor_secret_key = path;
+    flags.jwt_secret_key = path;
   }
 #endif // USE_SSL_SOCKET
 

http://git-wip-us.apache.org/repos/asf/mesos/blob/86302f5d/src/tests/mesos.hpp
----------------------------------------------------------------------
diff --git a/src/tests/mesos.hpp b/src/tests/mesos.hpp
index f02c7c6..7bd16be 100644
--- a/src/tests/mesos.hpp
+++ b/src/tests/mesos.hpp
@@ -104,7 +104,7 @@ namespace tests {
 constexpr char READONLY_HTTP_AUTHENTICATION_REALM[] = "test-readonly-realm";
 constexpr char READWRITE_HTTP_AUTHENTICATION_REALM[] = "test-readwrite-realm";
 constexpr char DEFAULT_TEST_ROLE[] = "default-role";
-constexpr char DEFAULT_EXECUTOR_SECRET_KEY[] =
+constexpr char DEFAULT_JWT_SECRET_KEY[] =
   "72kUKUFtghAjNbIOvLzfF2RxNBfeM64Bri8g9WhpyaunwqRB/yozHAqSnyHbddAV"
   "PcWRQlrJAt871oWgSH+n52vMZ3aVI+AFMzXSo8+sUfMk83IGp0WJefhzeQsjDlGH"
   "GYQgCAuGim0BE2X5U+lEue8s697uQpAO8L/FFRuDH2s";

http://git-wip-us.apache.org/repos/asf/mesos/blob/86302f5d/src/tests/slave_authorization_tests.cpp
----------------------------------------------------------------------
diff --git a/src/tests/slave_authorization_tests.cpp b/src/tests/slave_authorization_tests.cpp
index 11fd0d4..acd922b 100644
--- a/src/tests/slave_authorization_tests.cpp
+++ b/src/tests/slave_authorization_tests.cpp
@@ -844,7 +844,7 @@ TEST_F(ExecutorAuthorizationTest, FailedSubscribe)
     .WillOnce(FutureArg<0>(&executorLib));
 
   Owned<JWTSecretGenerator> jwtSecretGenerator(
-      new JWTSecretGenerator(DEFAULT_EXECUTOR_SECRET_KEY));
+      new JWTSecretGenerator(DEFAULT_JWT_SECRET_KEY));
 
   // Create a principal which contains an incorrect ContainerID.
   hashmap<string, string> claims;
@@ -1069,7 +1069,7 @@ TEST_F(ExecutorAuthorizationTest, FailedApiCalls)
   // Generate an authentication token which is signed using the correct key,
   // but contains an invalid set of claims.
   Owned<JWTSecretGenerator> jwtSecretGenerator(
-      new JWTSecretGenerator(DEFAULT_EXECUTOR_SECRET_KEY));
+      new JWTSecretGenerator(DEFAULT_JWT_SECRET_KEY));
 
   Future<Secret> authenticationToken =
     jwtSecretGenerator->generate(incorrectPrincipal);