You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@mesos.apache.org by vi...@apache.org on 2017/04/13 22:44:40 UTC

[1/2] mesos git commit: Changed '--executor_secret_key' agent flag to accept a path.

Repository: mesos
Updated Branches:
  refs/heads/master f73f29bd3 -> 8bbe70041


Changed '--executor_secret_key' agent flag to accept a path.

This patch changes the agent flag '--executor_secret_key' to accept
a path, so that the secret will not be leaked in logs.

Review: https://reviews.apache.org/r/58327/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/0b7a4010
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/0b7a4010
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/0b7a4010

Branch: refs/heads/master
Commit: 0b7a40102a33ab46c2794963d9a0133b9e76b880
Parents: f73f29b
Author: Greg Mann <gr...@mesosphere.io>
Authored: Thu Apr 13 15:44:19 2017 -0700
Committer: Vinod Kone <vi...@gmail.com>
Committed: Thu Apr 13 15:44:19 2017 -0700

----------------------------------------------------------------------
 docs/configuration.md |  5 +++--
 src/slave/flags.cpp   |  5 +++--
 src/slave/flags.hpp   |  2 +-
 src/slave/slave.cpp   | 24 +++++++++++++++++++++++-
 4 files changed, 30 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/0b7a4010/docs/configuration.md
----------------------------------------------------------------------
diff --git a/docs/configuration.md b/docs/configuration.md
index 452478e..159f946 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -1418,8 +1418,9 @@ in memory. (default: 150)
     --executor_secret_key=VALUE
   </td>
   <td>
-The key used when generating executor secrets. This flag is only
-available when Mesos is built with SSL support.
+Path to a file containing the key used when generating executor
+secrets. This flag is only available when Mesos is built with SSL
+support.
   </td>
 </tr>
 <tr>

http://git-wip-us.apache.org/repos/asf/mesos/blob/0b7a4010/src/slave/flags.cpp
----------------------------------------------------------------------
diff --git a/src/slave/flags.cpp b/src/slave/flags.cpp
index 9365da2..c50e43c 100644
--- a/src/slave/flags.cpp
+++ b/src/slave/flags.cpp
@@ -345,8 +345,9 @@ mesos::internal::slave::Flags::Flags()
 #ifdef USE_SSL_SOCKET
   add(&Flags::executor_secret_key,
       "executor_secret_key",
-      "The key used when generating executor secrets. This flag is only\n"
-      "available when Mesos is built with SSL support.");
+      "Path to a file containing the key used when generating executor\n"
+      "secrets. This flag is only available when Mesos is built with SSL\n"
+      "support.");
 #endif // USE_SSL_SOCKET
 
   add(&Flags::gc_delay,

http://git-wip-us.apache.org/repos/asf/mesos/blob/0b7a4010/src/slave/flags.hpp
----------------------------------------------------------------------
diff --git a/src/slave/flags.hpp b/src/slave/flags.hpp
index 171f67e..c7a4604 100644
--- a/src/slave/flags.hpp
+++ b/src/slave/flags.hpp
@@ -79,7 +79,7 @@ public:
   Duration executor_registration_timeout;
   Duration executor_shutdown_grace_period;
 #ifdef USE_SSL_SOCKET
-  Option<std::string> executor_secret_key;
+  Option<Path> executor_secret_key;
 #endif // USE_SSL_SOCKET
   Duration gc_delay;
   double gc_disk_headroom;

http://git-wip-us.apache.org/repos/asf/mesos/blob/0b7a4010/src/slave/slave.cpp
----------------------------------------------------------------------
diff --git a/src/slave/slave.cpp b/src/slave/slave.cpp
index f013e9c..3ad4ce4 100644
--- a/src/slave/slave.cpp
+++ b/src/slave/slave.cpp
@@ -291,7 +291,29 @@ void Slave::initialize()
   Option<string> secretKey;
 #ifdef USE_SSL_SOCKET
   if (flags.executor_secret_key.isSome()) {
-    secretKey = flags.executor_secret_key.get();
+    Try<string> secretKey_ = os::read(flags.executor_secret_key.get());
+
+    if (secretKey_.isError()) {
+      EXIT(EXIT_FAILURE) << "Failed to read the file specified by "
+                         << "--executor_secret_key";
+    }
+
+    // TODO(greggomann): Factor the following code out into a common helper,
+    // since we also do this when loading credentials.
+    Try<os::Permissions> permissions =
+      os::permissions(flags.executor_secret_key.get());
+    if (permissions.isError()) {
+      LOG(WARNING) << "Failed to stat executor secret key file '"
+                   << flags.executor_secret_key.get()
+                   << "': " << permissions.error();
+    } else if (permissions.get().others.rwx) {
+      LOG(WARNING) << "Permissions on executor secret key file '"
+                   << flags.executor_secret_key.get()
+                   << "' are too open; it is recommended that your"
+                   << " key file is NOT accessible by others";
+    }
+
+    secretKey = secretKey_.get();
     secretGenerator = new JWTSecretGenerator(secretKey.get());
   }

[2/2] mesos git commit: Updated tests to set '--executor_secret_key' as a path.

Posted by vi...@apache.org.

Updated tests to set '--executor_secret_key' as a path.

This patch updates the test code to generate a secret key file
and set the agent '--executor_secret_key' flag with its path.

Review: https://reviews.apache.org/r/58328/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/8bbe7004
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/8bbe7004
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/8bbe7004

Branch: refs/heads/master
Commit: 8bbe700411298b7b17219f9521820b9dcc7ef2c8
Parents: 0b7a401
Author: Greg Mann <gr...@mesosphere.io>
Authored: Thu Apr 13 15:44:28 2017 -0700
Committer: Vinod Kone <vi...@gmail.com>
Committed: Thu Apr 13 15:44:28 2017 -0700

----------------------------------------------------------------------
 src/tests/mesos.cpp | 20 +++++++++++++++++++-
 src/tests/mesos.hpp |  5 +++++
 2 files changed, 24 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/8bbe7004/src/tests/mesos.cpp
----------------------------------------------------------------------
diff --git a/src/tests/mesos.cpp b/src/tests/mesos.cpp
index 099ec37..27cfcab 100644
--- a/src/tests/mesos.cpp
+++ b/src/tests/mesos.cpp
@@ -212,7 +212,25 @@ slave::Flags MesosTest::CreateSlaveFlags()
   // Executor authentication currently has SSL as a dependency, so we
   // cannot enable it if Mesos was not built with SSL support.
   flags.authenticate_http_executors = true;
-  flags.executor_secret_key = "secret_key";
+
+  {
+    // Create a secret key for executor authentication.
+    const string path = path::join(directory.get(), "executor_secret_key");
+
+    Try<int_fd> fd = os::open(
+        path,
+        O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC,
+        S_IRUSR | S_IWUSR | S_IRGRP);
+
+    CHECK_SOME(fd);
+
+    CHECK_SOME(os::write(fd.get(), DEFAULT_EXECUTOR_SECRET_KEY))
+      << "Failed to write executor secret key to '" << path << "'";
+
+    CHECK_SOME(os::close(fd.get()));
+
+    flags.executor_secret_key = path;
+  }
 #endif // USE_SSL_SOCKET
 
   {

http://git-wip-us.apache.org/repos/asf/mesos/blob/8bbe7004/src/tests/mesos.hpp
----------------------------------------------------------------------
diff --git a/src/tests/mesos.hpp b/src/tests/mesos.hpp
index fe897c1..3cff0e7 100644
--- a/src/tests/mesos.hpp
+++ b/src/tests/mesos.hpp
@@ -99,6 +99,11 @@ namespace tests {
 constexpr char READONLY_HTTP_AUTHENTICATION_REALM[] = "test-readonly-realm";
 constexpr char READWRITE_HTTP_AUTHENTICATION_REALM[] = "test-readwrite-realm";
 constexpr char DEFAULT_TEST_ROLE[] = "default-role";
+constexpr char DEFAULT_EXECUTOR_SECRET_KEY[] =
+  "72kUKUFtghAjNbIOvLzfF2RxNBfeM64Bri8g9WhpyaunwqRB/yozHAqSnyHbddAV"
+  "PcWRQlrJAt871oWgSH+n52vMZ3aVI+AFMzXSo8+sUfMk83IGp0WJefhzeQsjDlGH"
+  "GYQgCAuGim0BE2X5U+lEue8s697uQpAO8L/FFRuDH2s";
+
 
 // Forward declarations.
 class MockExecutor;