Posted to commits@mesos.apache.org by bb...@apache.org on 2018/09/03 12:58:41 UTC
[mesos] 04/06: Added actions and ACLs to authorize removal of
resource providers.
This is an automated email from the ASF dual-hosted git repository.
bbannier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git
commit f83b31867c86e35f38fd538993138768939291f0
Author: Benjamin Bannier <be...@mesosphere.io>
AuthorDate: Mon Aug 13 11:11:04 2018 +0200
Added actions and ACLs to authorize removal of resource providers.
Review: https://reviews.apache.org/r/68146/
---
include/mesos/authorizer/acls.proto | 13 ++++++-
include/mesos/authorizer/authorizer.proto | 12 ++++---
src/authorizer/local/authorizer.cpp | 45 +++++++++++++++++------
src/tests/authorization_tests.cpp | 60 +++++++++++++++++++++++++++++++
4 files changed, 114 insertions(+), 16 deletions(-)
diff --git a/include/mesos/authorizer/acls.proto b/include/mesos/authorizer/acls.proto
index f5d2580..4c3f290 100644
--- a/include/mesos/authorizer/acls.proto
+++ b/include/mesos/authorizer/acls.proto
@@ -494,6 +494,16 @@ message ACL {
required Entity users = 2;
}
+ // Which principals are authorized to mark resource providers as gone.
+ message MarkResourceProvidersGone {
+ // Subjects: HTTP Username.
+ required Entity principals = 1;
+
+ // Objects: Given implicitly.
+ // Use Entity type ANY or NONE to allow or deny access.
+ required Entity resource_providers = 2;
+ }
+
// Which principals are authorized to add, update and remove resource
// provider config files.
message ModifyResourceProviderConfig {
@@ -643,11 +653,12 @@ message ACLs {
repeated ACL.RemoveStandaloneContainer remove_standalone_containers = 44;
repeated ACL.ViewStandaloneContainer view_standalone_containers = 46;
repeated ACL.ModifyResourceProviderConfig modify_resource_provider_configs = 45;
+ repeated ACL.MarkResourceProvidersGone mark_resource_providers_gone = 54;
+ repeated ACL.ViewResourceProvider view_resource_providers = 53;
repeated ACL.PruneImages prune_images = 47;
repeated ACL.ResizeVolume resize_volumes = 48;
repeated ACL.CreateBlockDisk create_block_disks = 49;
repeated ACL.DestroyBlockDisk destroy_block_disks = 50;
repeated ACL.CreateMountDisk create_mount_disks = 51;
repeated ACL.DestroyMountDisk destroy_mount_disks = 52;
- repeated ACL.ViewResourceProvider view_resource_providers = 53;
}
diff --git a/include/mesos/authorizer/authorizer.proto b/include/mesos/authorizer/authorizer.proto
index 7330416..a51d2f2 100644
--- a/include/mesos/authorizer/authorizer.proto
+++ b/include/mesos/authorizer/authorizer.proto
@@ -252,6 +252,14 @@ enum Action {
MODIFY_RESOURCE_PROVIDER_CONFIG = 39;
// This action will not fill in any object fields. A principal is either
+ // allowed to mark a resource provider as gone or is unauthorized.
+ MARK_RESOURCE_PROVIDER_GONE = 48;
+
+ // This action will not fill in any object fields. A principal is either
+ // allowed to view resource provider information or is unauthorized.
+ VIEW_RESOURCE_PROVIDER = 47;
+
+ // This action will not fill in any object fields. A principal is either
// allowed to prune unused container images or is unauthorized.
PRUNE_IMAGES = 41;
@@ -269,10 +277,6 @@ enum Action {
// `DESTROY_MOUNT_DISK` will have an object with `Resource` set.
DESTROY_MOUNT_DISK = 46;
-
- // This action will not fill in any object fields. A principal is either
- // allowed to view resource provider information or is unauthorized.
- VIEW_RESOURCE_PROVIDER = 47;
}
diff --git a/src/authorizer/local/authorizer.cpp b/src/authorizer/local/authorizer.cpp
index f99b88e..3ab1b3b 100644
--- a/src/authorizer/local/authorizer.cpp
+++ b/src/authorizer/local/authorizer.cpp
@@ -412,8 +412,9 @@ public:
case authorization::STOP_MAINTENANCE:
case authorization::UPDATE_MAINTENANCE_SCHEDULE:
case authorization::MODIFY_RESOURCE_PROVIDER_CONFIG:
- case authorization::PRUNE_IMAGES:
+ case authorization::MARK_RESOURCE_PROVIDER_GONE:
case authorization::VIEW_RESOURCE_PROVIDER:
+ case authorization::PRUNE_IMAGES:
aclObject.set_type(ACL::Entity::ANY);
break;
@@ -732,6 +733,7 @@ public:
case authorization::WAIT_NESTED_CONTAINER:
case authorization::WAIT_STANDALONE_CONTAINER:
case authorization::MODIFY_RESOURCE_PROVIDER_CONFIG:
+ case authorization::MARK_RESOURCE_PROVIDER_GONE:
case authorization::VIEW_RESOURCE_PROVIDER:
case authorization::UNKNOWN:
UNREACHABLE();
@@ -977,6 +979,7 @@ public:
case authorization::WAIT_NESTED_CONTAINER:
case authorization::WAIT_STANDALONE_CONTAINER:
case authorization::MODIFY_RESOURCE_PROVIDER_CONFIG:
+ case authorization::MARK_RESOURCE_PROVIDER_GONE:
case authorization::VIEW_RESOURCE_PROVIDER:
UNREACHABLE();
}
@@ -1196,6 +1199,7 @@ public:
case authorization::WAIT_NESTED_CONTAINER:
case authorization::WAIT_STANDALONE_CONTAINER:
case authorization::MODIFY_RESOURCE_PROVIDER_CONFIG:
+ case authorization::MARK_RESOURCE_PROVIDER_GONE:
case authorization::VIEW_RESOURCE_PROVIDER:
case authorization::UNKNOWN: {
Result<vector<GenericACL>> genericACLs =
@@ -1552,11 +1556,12 @@ private:
}
return acls_;
- case authorization::PRUNE_IMAGES:
- foreach (const ACL::PruneImages& acl, acls.prune_images()) {
+ case authorization::MARK_RESOURCE_PROVIDER_GONE:
+ foreach (const ACL::MarkResourceProvidersGone& acl,
+ acls.mark_resource_providers_gone()) {
GenericACL acl_;
acl_.subjects = acl.principals();
- acl_.objects = acl.images();
+ acl_.objects = acl.resource_providers();
acls_.push_back(acl_);
}
@@ -1574,6 +1579,16 @@ private:
}
return acls_;
+ case authorization::PRUNE_IMAGES:
+ foreach (const ACL::PruneImages& acl, acls.prune_images()) {
+ GenericACL acl_;
+ acl_.subjects = acl.principals();
+ acl_.objects = acl.images();
+
+ acls_.push_back(acl_);
+ }
+
+ return acls_;
case authorization::REGISTER_FRAMEWORK:
case authorization::CREATE_VOLUME:
case authorization::RESIZE_VOLUME:
@@ -1749,6 +1764,21 @@ Option<Error> LocalAuthorizer::validate(const ACLs& acls)
}
}
+ foreach (const ACL::MarkResourceProvidersGone& acl,
+ acls.mark_resource_providers_gone()) {
+ if (acl.resource_providers().type() == ACL::Entity::SOME) {
+ return Error(
+ "ACL.MarkResourceProvidersGone type must be either NONE or ANY");
+ }
+ }
+
+ foreach (const ACL::ViewResourceProvider& acl,
+ acls.view_resource_providers()) {
+ if (acl.resource_providers().type() == ACL::Entity::SOME) {
+ return Error("ACL.ViewResourceProvider type must be either NONE or ANY");
+ }
+ }
+
foreach (const ACL::ModifyResourceProviderConfig& acl,
acls.modify_resource_provider_configs()) {
if (acl.resource_providers().type() == ACL::Entity::SOME) {
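Review bot: The error returned by the new `MarkResourceProvidersGone` check in `validate()` does not name the field that was wrong, so an operator has to guess which entity in the ACL entry is the problem. I would spell it out, e.g. `"ACL.MarkResourceProvidersGone.resource_providers type must be either NONE or ANY"`; the relocated `ViewResourceProvider` message has the same shape and could be changed the same way. The TODO a few lines below already notes that ACL mistakes can turn into authorization problems, so precise rejection messages are worth having here. The `ModifyResourceProviderConfig` loop that follows continues outside this hunk.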
@@ -1763,13 +1793,6 @@ Option<Error> LocalAuthorizer::validate(const ACLs& acls)
}
}
- foreach (const ACL::ViewResourceProvider& acl,
- acls.view_resource_providers()) {
- if (acl.resource_providers().type() == ACL::Entity::SOME) {
- return Error("ACL.ViewResourceProvider type must be either NONE or ANY");
- }
- }
-
// TODO(alexr): Consider validating not only protobuf, but also the original
// JSON in order to spot misspelled names. A misspelled action may affect
// authorization result and hence lead to a security issue (e.g. when there
diff --git a/src/tests/authorization_tests.cpp b/src/tests/authorization_tests.cpp
index de57fc9..ac52181 100644
--- a/src/tests/authorization_tests.cpp
+++ b/src/tests/authorization_tests.cpp
@@ -5783,6 +5783,66 @@ TYPED_TEST(AuthorizationTest, ViewStandaloneContainer)
}
+// This tests the authorization of requests to MarkResourceProviderGone.
+TYPED_TEST(AuthorizationTest, MarkResourceProviderGone)
+{
+ ACLs acls;
+
+ {
+ // "foo" principal can mark resource providers gone.
+ mesos::ACL::MarkResourceProvidersGone* acl =
+ acls.add_mark_resource_providers_gone();
+ acl->mutable_principals()->add_values("foo");
+ acl->mutable_resource_providers()->set_type(mesos::ACL::Entity::ANY);
+ }
+
+ {
+ // Nobody else can mark resource providers gone.
+ mesos::ACL::MarkResourceProvidersGone* acl =
+ acls.add_mark_resource_providers_gone();
+ acl->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
+ acl->mutable_resource_providers()->set_type(mesos::ACL::Entity::NONE);
+ }
+
+ Try<Authorizer*> create = TypeParam::create(parameterize(acls));
+ ASSERT_SOME(create);
+ Owned<Authorizer> authorizer(create.get());
+
+ {
+ // "foo" is allowed to mark resource providers gone. The request
+ // should succeed.
+ authorization::Request request;
+ request.set_action(authorization::MARK_RESOURCE_PROVIDER_GONE);
+ request.mutable_subject()->set_value("foo");
+
+ AWAIT_EXPECT_TRUE(authorizer->authorized(request));
+ }
+
+ {
+ // "bar" is not allowed to mark resource provider gone. The
+ // request should fail.
+ authorization::Request request;
+ request.set_action(authorization::MARK_RESOURCE_PROVIDER_GONE);
+ request.mutable_subject()->set_value("bar");
+
+ AWAIT_EXPECT_FALSE(authorizer->authorized(request));
+ }
+
+ {
+ // Test that no authorizer is created with invalid ACLs.
+ ACLs invalid;
+
+ mesos::ACL::MarkResourceProvidersGone* acl =
+ invalid.add_mark_resource_providers_gone();
+ acl->mutable_principals()->add_values("foo");
+ acl->mutable_resource_providers()->add_values("yoda");
+
+ Try<Authorizer*> create = TypeParam::create(parameterize(invalid));
+ EXPECT_ERROR(create);
+ }
+}
+
+
// This tests the authorization of requests to ModifyResourceProviderConfig.
TYPED_TEST(AuthorizationTest, ModifyResourceProviderConfig)
{
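Review bot: The invalid-ACL case at the end of `MarkResourceProviderGone` only calls `add_values("yoda")` on `resource_providers` and never sets the entity type, so it is rejected only if an unset `Entity` type reads as `SOME`; that default is not visible in this diff. Adding `acl->mutable_resource_providers()->set_type(mesos::ACL::Entity::SOME);` before `add_values` would make the test exercise the `type() == SOME` check directly rather than through the proto default. The test also covers only named principals ("foo" allowed, "bar" denied); a request with no subject set is not exercised, and since this action removes a resource provider it would be worth pinning down what the authorizer returns for that case.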