Posted to commits@mesos.apache.org by me...@apache.org on 2017/02/15 09:49:36 UTC
mesos git commit: Enabled the authorizer to work with MULTI_ROLE
frameworks.
Repository: mesos
Updated Branches:
refs/heads/master 32e8836e3 -> 69ba4ac8b
Enabled the authorizer to work with MULTI_ROLE frameworks.
This updates the local authorizer so that MULTI_ROLE frameworks can be
authorized.
For non-MULTI_ROLE frameworks we continue to support use of the
deprecated 'value' field in the authorization request's 'Object';
however for MULTI_ROLE frameworks the 'value' field will not be set,
and authorizers still relying on it should be updated to instead extract
the roles to authorize against from the object's 'framework_info' field.
Review: https://reviews.apache.org/r/56178/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/69ba4ac8
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/69ba4ac8
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/69ba4ac8
Branch: refs/heads/master
Commit: 69ba4ac8b1d375ea708b9b5a120f873e3bb00980
Parents: 32e8836
Author: Benjamin Bannier <be...@mesosphere.io>
Authored: Wed Feb 15 00:43:05 2017 -0800
Committer: Adam B <ad...@mesosphere.io>
Committed: Wed Feb 15 00:43:05 2017 -0800
----------------------------------------------------------------------
src/authorizer/local/authorizer.cpp | 13 +++++++++++--
src/master/master.cpp | 27 +++++++++++++++++++++------
2 files changed, 32 insertions(+), 8 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/69ba4ac8/src/authorizer/local/authorizer.cpp
----------------------------------------------------------------------
diff --git a/src/authorizer/local/authorizer.cpp b/src/authorizer/local/authorizer.cpp
index b98e1fc..2227b24 100644
--- a/src/authorizer/local/authorizer.cpp
+++ b/src/authorizer/local/authorizer.cpp
@@ -37,8 +37,9 @@
#include <stout/try.hpp>
#include <stout/unreachable.hpp>
-#include "common/parse.hpp"
#include "common/http.hpp"
+#include "common/parse.hpp"
+#include "common/protobuf_utils.hpp"
using process::dispatch;
using process::Failure;
@@ -234,8 +235,16 @@ public:
case authorization::REGISTER_FRAMEWORK: {
aclObject.set_type(mesos::ACL::Entity::SOME);
if (object->framework_info) {
- aclObject.add_values(object->framework_info->role());
+ foreach (
+ const string& role,
+ protobuf::framework::getRoles(*object->framework_info)) {
+ aclObject.add_values(role);
+ }
} else if (object->value) {
+ // We also update the deprecated `value` field to support custom
+ // authorizers not yet modified to examine `framework_info`.
+ //
+ // TODO(bbannier): Clean up use of `value` here, see MESOS-7091.
aclObject.add_values(*(object->value));
} else {
aclObject.set_type(mesos::ACL::Entity::ANY);
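Review bot: The comment added above the `object->value` branch describes a write that this code does not perform — the authorizer only reads the deprecated field here, so "We also update the deprecated `value` field" reads as if carried over from the master-side change. Suggest `// Fall back to the deprecated 'value' field for requests that carry no 'framework_info'.` followed by the existing TODO. With the new `foreach`, a MULTI_ROLE request now adds several values to a `SOME` entity; the security-relevant question is whether the entity matcher (outside this hunk) requires every requested role to be permitted by the ACL rather than any one of them, and a test with a framework requesting one permitted and one unpermitted role would pin that down. The enclosing `switch` continues past the end of this hunk.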
http://git-wip-us.apache.org/repos/asf/mesos/blob/69ba4ac8/src/master/master.cpp
----------------------------------------------------------------------
diff --git a/src/master/master.cpp b/src/master/master.cpp
index dff320a..ae4f772 100644
--- a/src/master/master.cpp
+++ b/src/master/master.cpp
@@ -2158,7 +2158,8 @@ Future<bool> Master::authorizeFramework(
}
LOG(INFO) << "Authorizing framework principal '" << frameworkInfo.principal()
- << "' to receive offers for role '" << frameworkInfo.role() << "'";
+ << "' to receive offers for roles '"
+ << stringify(protobuf::framework::getRoles(frameworkInfo)) << "'";
authorization::Request request;
request.set_action(authorization::REGISTER_FRAMEWORK);
@@ -2168,7 +2169,19 @@ Future<bool> Master::authorizeFramework(
}
request.mutable_object()->mutable_framework_info()->CopyFrom(frameworkInfo);
- request.mutable_object()->set_value(frameworkInfo.role());
+
+ // For non-`MULTI_ROLE` frameworks, also propagate its single role
+ // via the request's `value` field. This is purely for backwards
+ // compatibility as the `value` field is deprecated. Note that this
+ // means that authorizers relying on the deprecated field will see
+ // an empty string in `value` for for `MULTI_ROLE` frameworks.
+ //
+ // TODO(bbannier): Remove this at the end of `value`'s deprecation
+ // cycle, see MESOS-7073.
+ if (!protobuf::frameworkHasCapability(
+ frameworkInfo, FrameworkInfo::Capability::MULTI_ROLE)) {
+ request.mutable_object()->set_value(frameworkInfo.role());
+ }
return authorizer.get()->authorized(request);
}
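Review bot: The new comment and the commit message disagree about what a `value`-only authorizer observes for a MULTI_ROLE framework: the comment says it sees an empty string, the description says the field is not set. Since the code simply skips `set_value`, the field is unset and only reads as an empty string through the protobuf accessor; the comment should state that and drop the doubled word, e.g. `// ... authorizers relying on the deprecated field will find 'value' unset (an empty string via the accessor) for MULTI_ROLE frameworks.` The distinction matters for a custom authorizer that treats an absent role as unconstrained, so it is worth saying that such implementations should deny until they are migrated to `framework_info`. `Master::authorizeFramework` begins before this hunk.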
@@ -2558,8 +2571,9 @@ void Master::_subscribe(
authorizationError =
Error("Authorization failure: " + authorized.failure());
} else if (!authorized.get()) {
- authorizationError =
- Error("Not authorized to use role '" + frameworkInfo.role() + "'");
+ authorizationError = Error(
+ "Not authorized to use roles '" +
+ stringify(protobuf::framework::getRoles(frameworkInfo)) + "'");
}
if (authorizationError.isSome()) {
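Review bot: The three-line `Error(...)` construction here is repeated verbatim in the next hunk (the other `_subscribe` overload), and the commit edits both copies in lockstep; a small file-local helper such as `static string notAuthorizedForRoles(const FrameworkInfo& info)` returning the message would keep the two paths from drifting again when the wording or `getRoles` changes. If `stringify` renders the set with braces, as stout does for sets, the message a framework receives reads `roles '{ a, b }'`, so the surrounding quotes could be dropped. Both `_subscribe` overloads start outside their hunks.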
@@ -2821,8 +2835,9 @@ void Master::_subscribe(
authorizationError =
Error("Authorization failure: " + authorized.failure());
} else if (!authorized.get()) {
- authorizationError =
- Error("Not authorized to use role '" + frameworkInfo.role() + "'");
+ authorizationError = Error(
+ "Not authorized to use roles '" +
+ stringify(protobuf::framework::getRoles(frameworkInfo)) + "'");
}
if (authorizationError.isSome()) {