You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mesos.apache.org by ti...@apache.org on 2018/12/17 14:53:21 UTC
[mesos] 01/01: Refactored createAuthorizationCallbacks into
common/authorization.
This is an automated email from the ASF dual-hosted git repository.
tillt pushed a commit to branch ci/till/69405
in repository https://gitbox.apache.org/repos/asf/mesos.git
commit c8639b243293261c99992fe1cf4835138d9aed05
Author: Till Toenshoff <to...@me.com>
AuthorDate: Mon Dec 17 15:27:09 2018 +0100
Refactored createAuthorizationCallbacks into common/authorization.
Moves 'createAuthorizationCallbacks' out of common/http into
common/authorization.
Review: https://reviews.apache.org/r/69405/
---
src/authorizer/local/authorizer.cpp | 3 +-
src/common/authorization.cpp | 59 +++++++++++++++++++++++++++++++++++++
src/common/authorization.hpp | 6 ++++
src/common/http.cpp | 54 +--------------------------------
src/common/http.hpp | 5 ----
src/master/main.cpp | 3 +-
src/slave/main.cpp | 3 +-
src/tests/cluster.cpp | 5 ++--
src/tests/logging_tests.cpp | 3 +-
9 files changed, 77 insertions(+), 64 deletions(-)
diff --git a/src/authorizer/local/authorizer.cpp b/src/authorizer/local/authorizer.cpp
index 83944b9..85e18b9 100644
--- a/src/authorizer/local/authorizer.cpp
+++ b/src/authorizer/local/authorizer.cpp
@@ -38,6 +38,7 @@
#include <stout/try.hpp>
#include <stout/unreachable.hpp>
+#include "common/authorization.hpp"
#include "common/http.hpp"
#include "common/parse.hpp"
#include "common/protobuf_utils.hpp"
@@ -1677,7 +1678,7 @@ Option<Error> LocalAuthorizer::validate(const ACLs& acls)
foreach (const ACL::GetEndpoint& acl, acls.get_endpoints()) {
if (acl.paths().type() == ACL::Entity::SOME) {
foreach (const string& path, acl.paths().values()) {
- if (!AUTHORIZABLE_ENDPOINTS.contains(path)) {
+ if (!authorization::AUTHORIZABLE_ENDPOINTS.contains(path)) {
return Error("Path: '" + path + "' is not an authorizable path");
}
}
diff --git a/src/common/authorization.cpp b/src/common/authorization.cpp
index fa0c0e8..8948721 100644
--- a/src/common/authorization.cpp
+++ b/src/common/authorization.cpp
@@ -17,25 +17,41 @@
#include "common/authorization.hpp"
#include <algorithm>
+#include <functional>
#include <string>
+#include <utility>
#include <mesos/mesos.hpp>
#include <process/collect.hpp>
#include <stout/foreach.hpp>
+#include <stout/hashmap.hpp>
#include <stout/none.hpp>
+#include <stout/stringify.hpp>
using std::string;
using std::vector;
+using process::Failure;
using process::Future;
+using process::http::authorization::AuthorizationCallbacks;
using process::http::authentication::Principal;
namespace mesos {
namespace authorization {
+// Set of endpoint whose access is protected with the authorization
+// action `GET_ENDPOINTS_WITH_PATH`.
+hashset<string> AUTHORIZABLE_ENDPOINTS{
+ "/containers",
+ "/files/debug",
+ "/logging/toggle",
+ "/metrics/snapshot",
+ "/monitor/statistics"};
+
+
Future<bool> collectAuthorizations(const vector<Future<bool>>& authorizations)
{
return process::collect(authorizations)
@@ -86,5 +102,48 @@ Future<bool> authorizeLogAccess(
return authorizer.get()->authorized(request);
}
+
+const AuthorizationCallbacks createAuthorizationCallbacks(
+ Authorizer* authorizer)
+{
+ typedef lambda::function<Future<bool>(
+ const process::http::Request& httpRequest,
+ const Option<Principal>& principal)> Callback;
+
+ AuthorizationCallbacks callbacks;
+
+ Callback getEndpoint = [authorizer](
+ const process::http::Request& httpRequest,
+ const Option<Principal>& principal) -> Future<bool> {
+ const string path = httpRequest.url.path;
+
+ if (!AUTHORIZABLE_ENDPOINTS.contains(path)) {
+ return Failure(
+ "Endpoint '" + path + "' is not an authorizable endpoint");
+ }
+
+ Request authorizationRequest;
+ authorizationRequest.set_action(GET_ENDPOINT_WITH_PATH);
+
+ Option<Subject> subject = createSubject(principal);
+ if (subject.isSome()) {
+ authorizationRequest.mutable_subject()->CopyFrom(subject.get());
+ }
+
+ authorizationRequest.mutable_object()->set_value(path);
+
+ LOG(INFO) << "Authorizing principal '"
+ << (principal.isSome() ? stringify(principal.get()) : "ANY")
+ << "' to GET the endpoint '" << path << "'";
+
+ return authorizer->authorized(authorizationRequest);
+ };
+
+ callbacks.insert(std::make_pair("/logging/toggle", getEndpoint));
+ callbacks.insert(std::make_pair("/metrics/snapshot", getEndpoint));
+
+ return callbacks;
+}
+
} // namespace authorization {
} // namespace mesos {
diff --git a/src/common/authorization.hpp b/src/common/authorization.hpp
index fb73f30..565d5ca 100644
--- a/src/common/authorization.hpp
+++ b/src/common/authorization.hpp
@@ -26,11 +26,14 @@
#include <process/future.hpp>
#include <process/http.hpp>
+#include <stout/hashset.hpp>
#include <stout/option.hpp>
namespace mesos {
namespace authorization {
+extern hashset<std::string> AUTHORIZABLE_ENDPOINTS;
+
// Collects authorization results. Any discarded or failed future
// results in a failure; any false future results in 'false'.
process::Future<bool> collectAuthorizations(
@@ -47,6 +50,9 @@ process::Future<bool> authorizeLogAccess(
const Option<Authorizer*>& authorizer,
const Option<process::http::authentication::Principal>& principal);
+const process::http::authorization::AuthorizationCallbacks
+ createAuthorizationCallbacks(Authorizer* authorizer);
+
} // namespace authorization {
} // namespace mesos {
diff --git a/src/common/http.cpp b/src/common/http.cpp
index 2be94b2..dcf3cb0 100644
--- a/src/common/http.cpp
+++ b/src/common/http.cpp
@@ -96,16 +96,6 @@ ostream& operator<<(ostream& stream, ContentType contentType)
namespace internal {
-// Set of endpoint whose access is protected with the authorization
-// action `GET_ENDPOINTS_WITH_PATH`.
-hashset<string> AUTHORIZABLE_ENDPOINTS{
- "/containers",
- "/files/debug",
- "/logging/toggle",
- "/metrics/snapshot",
- "/monitor/statistics"};
-
-
string serialize(
ContentType contentType,
const google::protobuf::Message& message)
@@ -877,48 +867,6 @@ static void json(JSON::StringWriter* writer, const Value::Text& text)
writer->set(text.value());
}
-const AuthorizationCallbacks createAuthorizationCallbacks(
- Authorizer* authorizer)
-{
- typedef lambda::function<process::Future<bool>(
- const process::http::Request& httpRequest,
- const Option<Principal>& principal)> Callback;
-
- AuthorizationCallbacks callbacks;
-
- Callback getEndpoint = [authorizer](
- const process::http::Request& httpRequest,
- const Option<Principal>& principal) -> process::Future<bool> {
- const string path = httpRequest.url.path;
-
- if (!internal::AUTHORIZABLE_ENDPOINTS.contains(path)) {
- return Failure(
- "Endpoint '" + path + "' is not an authorizable endpoint.");
- }
-
- authorization::Request authRequest;
- authRequest.set_action(mesos::authorization::GET_ENDPOINT_WITH_PATH);
-
- Option<authorization::Subject> subject =
- authorization::createSubject(principal);
- if (subject.isSome()) {
- authRequest.mutable_subject()->CopyFrom(subject.get());
- }
-
- authRequest.mutable_object()->set_value(path);
-
- LOG(INFO) << "Authorizing principal '"
- << (principal.isSome() ? stringify(principal.get()) : "ANY")
- << "' to GET the endpoint '" << path << "'";
-
- return authorizer->authorized(authRequest);
- };
-
- callbacks.insert(std::make_pair("/logging/toggle", getEndpoint));
- callbacks.insert(std::make_pair("/metrics/snapshot", getEndpoint));
-
- return callbacks;
-}
Future<Owned<ObjectApprovers>> ObjectApprovers::create(
const Option<Authorizer*>& authorizer,
@@ -978,7 +926,7 @@ process::Future<bool> authorizeEndpoint(
return Failure("Unexpected request method '" + method + "'");
}
- if (!internal::AUTHORIZABLE_ENDPOINTS.contains(endpoint)) {
+ if (!authorization::AUTHORIZABLE_ENDPOINTS.contains(endpoint)) {
return Failure(
"Endpoint '" + endpoint + "' is not an authorizable endpoint.");
}
diff --git a/src/common/http.hpp b/src/common/http.hpp
index a11ce3c..a0f9b67 100644
--- a/src/common/http.hpp
+++ b/src/common/http.hpp
@@ -81,8 +81,6 @@ constexpr char DEFAULT_BASIC_HTTP_AUTHENTICATEE[] = "basic";
// Name of the default, JWT authenticator.
constexpr char DEFAULT_JWT_HTTP_AUTHENTICATOR[] = "jwt";
-extern hashset<std::string> AUTHORIZABLE_ENDPOINTS;
-
// Contains the media types corresponding to some of the "Content-*",
// "Accept-*" and "Message-*" prefixed request headers in our internal
@@ -218,9 +216,6 @@ void json(
void json(JSON::ObjectWriter* writer, const Task& task);
void json(JSON::ObjectWriter* writer, const TaskStatus& status);
-const process::http::authorization::AuthorizationCallbacks
- createAuthorizationCallbacks(Authorizer* authorizer);
-
// Implementation of the `ObjectApprover` interface authorizing all objects.
class AcceptingObjectApprover : public ObjectApprover
diff --git a/src/master/main.cpp b/src/master/main.cpp
index 2c7b1bb..eeda534 100644
--- a/src/master/main.cpp
+++ b/src/master/main.cpp
@@ -59,6 +59,7 @@
#include <stout/try.hpp>
#include <stout/version.hpp>
+#include "common/authorization.hpp"
#include "common/build.hpp"
#include "common/http.hpp"
#include "common/protobuf_utils.hpp"
@@ -480,7 +481,7 @@ int main(int argc, char** argv)
// future it becomes possible to dynamically set the authorizer, this would
// break.
process::http::authorization::setCallbacks(
- createAuthorizationCallbacks(authorizer_.get()));
+ mesos::authorization::createAuthorizationCallbacks(authorizer_.get()));
}
Files files(READONLY_HTTP_AUTHENTICATION_REALM, authorizer_);
diff --git a/src/slave/main.cpp b/src/slave/main.cpp
index e774092..d1ce454 100644
--- a/src/slave/main.cpp
+++ b/src/slave/main.cpp
@@ -56,6 +56,7 @@
#include "authentication/executor/jwt_secret_generator.hpp"
#endif // USE_SSL_SOCKET
+#include "common/authorization.hpp"
#include "common/build.hpp"
#include "common/http.hpp"
@@ -527,7 +528,7 @@ int main(int argc, char** argv)
// future it becomes possible to dynamically set the authorizer, this would
// break.
process::http::authorization::setCallbacks(
- createAuthorizationCallbacks(authorizer_.get()));
+ mesos::authorization::createAuthorizationCallbacks(authorizer_.get()));
}
Files* files = new Files(READONLY_HTTP_AUTHENTICATION_REALM, authorizer_);
diff --git a/src/tests/cluster.cpp b/src/tests/cluster.cpp
index 2b351ca..4ad7c0b 100644
--- a/src/tests/cluster.cpp
+++ b/src/tests/cluster.cpp
@@ -70,6 +70,7 @@
#include "authorizer/local/authorizer.hpp"
+#include "common/authorization.hpp"
#include "common/http.hpp"
#include "files/files.hpp"
@@ -395,7 +396,7 @@ MasterInfo Master::getMasterInfo()
void Master::setAuthorizationCallbacks(Authorizer* authorizer)
{
process::http::authorization::setCallbacks(
- mesos::createAuthorizationCallbacks(authorizer));
+ authorization::createAuthorizationCallbacks(authorizer));
authorizationCallbacksSet = true;
}
@@ -703,7 +704,7 @@ Slave::~Slave()
void Slave::setAuthorizationCallbacks(Authorizer* authorizer)
{
process::http::authorization::setCallbacks(
- mesos::createAuthorizationCallbacks(authorizer));
+ authorization::createAuthorizationCallbacks(authorizer));
authorizationCallbacksSet = true;
}
diff --git a/src/tests/logging_tests.cpp b/src/tests/logging_tests.cpp
index 30bcdc7..e841ada 100644
--- a/src/tests/logging_tests.cpp
+++ b/src/tests/logging_tests.cpp
@@ -26,6 +26,7 @@
#include <process/pid.hpp>
#include <process/process.hpp>
+#include "common/authorization.hpp"
#include "common/http.hpp"
#include "logging/logging.hpp"
@@ -183,7 +184,7 @@ TEST_F(LoggingTest, ToggleAuthorizationEnabled)
// Set authorization callbacks for libprocess-level HTTP endpoints.
process::http::authorization::setCallbacks(
- createAuthorizationCallbacks(authorizer.get()));
+ authorization::createAuthorizationCallbacks(authorizer.get()));
process::PID<> pid;
pid.id = "logging";