Posted to commits@mesos.apache.org by me...@apache.org on 2016/04/25 19:14:59 UTC
[4/4] mesos git commit: Added agent authorization flags.
Added agent authorization flags.
Review: https://reviews.apache.org/r/45922/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/a3da5811
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/a3da5811
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/a3da5811
Branch: refs/heads/master
Commit: a3da5811e0de83373f6ef5d98fbe9f72e65de046
Parents: cff6eea
Author: Jan Schlicht <ja...@mesosphere.io>
Authored: Mon Apr 25 03:57:31 2016 -0700
Committer: Adam B <ad...@mesosphere.io>
Committed: Mon Apr 25 10:14:25 2016 -0700
----------------------------------------------------------------------
docs/configuration.md | 32 ++++++++++++++++++++++++++++++++
src/local/local.cpp | 3 ++-
src/slave/constants.hpp | 3 +++
src/slave/flags.cpp | 25 +++++++++++++++++++++++++
src/slave/flags.hpp | 2 ++
src/slave/main.cpp | 36 +++++++++++++++++++++++++++++++++++-
src/slave/slave.cpp | 6 ++++--
src/slave/slave.hpp | 9 ++++++++-
src/tests/cluster.cpp | 36 ++++++++++++++++++++++++++++++++++--
src/tests/cluster.hpp | 4 +++-
src/tests/mesos.cpp | 9 +++++++--
src/tests/mesos.hpp | 3 ++-
12 files changed, 157 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/a3da5811/docs/configuration.md
----------------------------------------------------------------------
diff --git a/docs/configuration.md b/docs/configuration.md
index 86ba66a..318275f 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -878,6 +878,23 @@ May be one of:
</thead>
<tr>
<td>
+ --acls=VALUE
+ </td>
+ <td>
+The value could be a JSON-formatted string of ACLs
+or a file path containing the JSON-formatted ACLs used
+for authorization. Path could be of the form <code>file:///path/to/file</code>
+or <code>/path/to/file</code>.
+<p/>
+Note that if the <code>--authorizer</code> flag is provided with a value
+other than <code>local</code>, the ACLs contents will be
+ignored.
+<p/>
+See the ACLs protobuf in acls.proto for the expected format.
+ </td>
+</tr>
+<tr>
+ <td>
--appc_store_dir=VALUE
</td>
<td>
@@ -906,6 +923,21 @@ load an alternate authenticatee module using <code>--modules</code>. (default: c
</tr>
<tr>
<td>
+ --authorizer=VALUE
+ </td>
+ <td>
+Authorizer implementation to use when authorizing actions that
+require it.
+Use the default <code>local</code>, or
+load an alternate authorizer module using <code>--modules</code>.
+<p/>
+Note that if the <code>--authorizer</code> flag is provided with a value
+other than the default <code>local</code>, the ACLs
+passed through the <code>--acls</code> flag will be ignored.
+ </td>
+</tr>
+<tr>
+ <td>
--[no]-cgroups_cpu_enable_pids_and_tids_count
</td>
<td>
http://git-wip-us.apache.org/repos/asf/mesos/blob/a3da5811/src/local/local.cpp
----------------------------------------------------------------------
diff --git a/src/local/local.cpp b/src/local/local.cpp
index 7de8a24..1c679ec 100644
--- a/src/local/local.cpp
+++ b/src/local/local.cpp
@@ -401,7 +401,8 @@ PID<Master> launch(const Flags& flags, Allocator* _allocator)
garbageCollectors->back(),
statusUpdateManagers->back(),
resourceEstimators->back(),
- qosControllers->back());
+ qosControllers->back(),
+ authorizer_); // Same authorizer as master.
slaves[containerizer.get()] = slave;
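Review bot: Passing the master's `authorizer_` here presumably means the agent-side `--acls` and `--authorizer` flags introduced by this commit are never consulted in local mode, and the one-line comment only says the object is shared, not that the agent flags are bypassed. I would make that explicit: `authorizer_); // Same authorizer as master; the agent's --acls/--authorizer flags are not used in local mode.` The `launch` call and the ownership of `authorizer_` are outside the hunk, so which side deletes it cannot be confirmed from here.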
http://git-wip-us.apache.org/repos/asf/mesos/blob/a3da5811/src/slave/constants.hpp
----------------------------------------------------------------------
diff --git a/src/slave/constants.hpp b/src/slave/constants.hpp
index 9978c11..c24167f 100644
--- a/src/slave/constants.hpp
+++ b/src/slave/constants.hpp
@@ -114,6 +114,9 @@ constexpr Duration DOCKER_FORCE_KILL_TIMEOUT = Seconds(1);
// Name of the default, CRAM-MD5 authenticatee.
constexpr char DEFAULT_AUTHENTICATEE[] = "crammd5";
+// Name of the default, local authorizer.
+constexpr char DEFAULT_AUTHORIZER[] = "local";
+
// Name of the default HTTP authenticator.
constexpr char DEFAULT_HTTP_AUTHENTICATOR[] = "basic";
http://git-wip-us.apache.org/repos/asf/mesos/blob/a3da5811/src/slave/flags.cpp
----------------------------------------------------------------------
diff --git a/src/slave/flags.cpp b/src/slave/flags.cpp
index 10d2974..a319d60 100644
--- a/src/slave/flags.cpp
+++ b/src/slave/flags.cpp
@@ -443,6 +443,19 @@ mesos::internal::slave::Flags::Flags()
" \"secret\": \"secret\"\n"
"}");
+ add(&Flags::acls,
+ "acls",
+ "The value could be a JSON-formatted string of ACLs\n"
+ "or a file path containing the JSON-formatted ACLs used\n"
+ "for authorization. Path could be of the form `file:///path/to/file`\n"
+ "or `/path/to/file`.\n"
+ "\n"
+ "Note that if the `--authorizer` flag is provided with a value\n"
+ "other than `" + string(DEFAULT_AUTHORIZER) + "`, the ACLs contents\n"
+ "will be ignored.\n"
+ "\n"
+ "See the ACLs protobuf in acls.proto for the expected format.");
+
add(&Flags::containerizer_path,
"containerizer_path",
"The path to the external containerizer executable used when\n"
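Review bot: The `--acls` help text does not say what happens when the flag is omitted under the default authorizer: in src/slave/main.cpp the agent then creates no authorizer at all, which is a security-relevant default an operator reading `--help` should learn here. I would add a line after the `file:///` sentence such as `"If this flag is not set and the default authorizer is used, no\n" "authorizer is created for the agent.\n"`. The same gap applies to the `--authorizer` help in the next hunk, whose text only describes the non-default case.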
@@ -710,6 +723,18 @@ mesos::internal::slave::Flags::Flags()
"load an alternate authenticatee module using `--modules`.",
DEFAULT_AUTHENTICATEE);
+ add(&Flags::authorizer,
+ "authorizer",
+ "Authorizer implementation to use when authorizing actions that\n"
+ "require it.\n"
+ "Use the default `" + string(DEFAULT_AUTHORIZER) + "`, or\n"
+ "load an alternate authorizer module using `--modules`.\n"
+ "\n"
+ "Note that if the `--authorizer` flag is provided with a value\n"
+ "other than the default `" + string(DEFAULT_AUTHORIZER) + "`, the\n"
+ "ACLs passed through the `--acls` flag will be ignored.",
+ DEFAULT_AUTHORIZER);
+
add(&Flags::http_authenticators,
"http_authenticators",
"HTTP authenticator implementation to use when handling requests to\n"
http://git-wip-us.apache.org/repos/asf/mesos/blob/a3da5811/src/slave/flags.hpp
----------------------------------------------------------------------
diff --git a/src/slave/flags.hpp b/src/slave/flags.hpp
index ee520ac..4fa3213 100644
--- a/src/slave/flags.hpp
+++ b/src/slave/flags.hpp
@@ -99,6 +99,7 @@ public:
#endif
Option<Firewall> firewall_rules;
Option<Path> credential;
+ Option<ACLs> acls;
Option<std::string> containerizer_path;
std::string containerizers;
Option<std::string> default_container_image;
@@ -135,6 +136,7 @@ public:
bool enforce_container_disk_quota;
Option<Modules> modules;
std::string authenticatee;
+ std::string authorizer;
std::string http_authenticators;
bool authenticate_http;
Option<Path> http_credentials;
http://git-wip-us.apache.org/repos/asf/mesos/blob/a3da5811/src/slave/main.cpp
----------------------------------------------------------------------
diff --git a/src/slave/main.cpp b/src/slave/main.cpp
index 7d84c77..3ea1453 100644
--- a/src/slave/main.cpp
+++ b/src/slave/main.cpp
@@ -19,6 +19,8 @@
#include <vector>
#include <utility>
+#include <mesos/authorizer/authorizer.hpp>
+
#include <mesos/master/detector.hpp>
#include <mesos/mesos.hpp>
@@ -71,6 +73,7 @@ using mesos::master::detector::MasterDetector;
using mesos::slave::QoSController;
using mesos::slave::ResourceEstimator;
+using mesos::Authorizer;
using mesos::SlaveInfo;
using process::Owned;
@@ -281,6 +284,32 @@ int main(int argc, char** argv)
MasterDetector* detector = detector_.get();
+ Option<Authorizer*> authorizer_ = None();
+
+ string authorizerName = flags.authorizer;
+
+ Result<Authorizer*> authorizer((None()));
+ if (authorizerName != slave::DEFAULT_AUTHORIZER) {
+ LOG(INFO) << "Creating '" << authorizerName << "' authorizer";
+
+ // NOTE: The contents of --acls will be ignored.
+ authorizer = Authorizer::create(authorizerName);
+ } else {
+ // `authorizerName` is `DEFAULT_AUTHORIZER` at this point.
+ if (flags.acls.isSome()) {
+ LOG(INFO) << "Creating default '" << authorizerName << "' authorizer";
+
+ authorizer = Authorizer::create(flags.acls.get());
+ }
+ }
+
+ if (authorizer.isError()) {
+ EXIT(EXIT_FAILURE) << "Could not create '" << authorizerName
+ << "' authorizer: " << authorizer.error();
+ } else if (authorizer.isSome()) {
+ authorizer_ = authorizer.get();
+ }
+
if (flags.firewall_rules.isSome()) {
vector<Owned<FirewallRule>> rules;
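Review bot: When `flags.authorizer` is the default and `flags.acls` is unset, the `else` branch around the `flags.acls.isSome()` check leaves `authorizer_` as `None()` without any log line, so an agent whose authorization was left unconfigured by mistake looks identical in the log to one that was never meant to have it; an `else { LOG(INFO) << "No ACLs provided, not creating an authorizer"; }` (or equivalent) would make the state visible to operators. This whole block, including the `EXIT` handling, is duplicated verbatim in src/tests/cluster.cpp `Slave::start`; a shared helper taking `const slave::Flags&` and returning `Result<Authorizer*>` would keep the two call sites in step. `main` starts and ends outside this hunk.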
@@ -350,7 +379,8 @@ int main(int argc, char** argv)
&gc,
&statusUpdateManager,
resourceEstimator.get(),
- qosController.get());
+ qosController.get(),
+ authorizer_);
process::spawn(slave);
process::wait(slave->self());
@@ -365,5 +395,9 @@ int main(int argc, char** argv)
delete containerizer.get();
+ if (authorizer_.isSome()) {
+ delete authorizer_.get();
+ }
+
return EXIT_SUCCESS;
}
http://git-wip-us.apache.org/repos/asf/mesos/blob/a3da5811/src/slave/slave.cpp
----------------------------------------------------------------------
diff --git a/src/slave/slave.cpp b/src/slave/slave.cpp
index ebf2606..5aa1530 100644
--- a/src/slave/slave.cpp
+++ b/src/slave/slave.cpp
@@ -134,7 +134,8 @@ Slave::Slave(const std::string& id,
GarbageCollector* _gc,
StatusUpdateManager* _statusUpdateManager,
ResourceEstimator* _resourceEstimator,
- QoSController* _qosController)
+ QoSController* _qosController,
+ const Option<Authorizer*>& _authorizer)
: ProcessBase(id),
state(RECOVERING),
flags(_flags),
@@ -155,7 +156,8 @@ Slave::Slave(const std::string& id,
reauthenticate(false),
executorDirectoryMaxAllowedAge(age(0)),
resourceEstimator(_resourceEstimator),
- qosController(_qosController) {}
+ qosController(_qosController),
+ authorizer(_authorizer) {}
Slave::~Slave()
http://git-wip-us.apache.org/repos/asf/mesos/blob/a3da5811/src/slave/slave.hpp
----------------------------------------------------------------------
diff --git a/src/slave/slave.hpp b/src/slave/slave.hpp
index 20a4bcd..57b1888 100644
--- a/src/slave/slave.hpp
+++ b/src/slave/slave.hpp
@@ -83,6 +83,10 @@
#endif // __WINDOWS__
namespace mesos {
+
+// Forward declarations.
+class Authorizer;
+
namespace internal {
namespace slave {
@@ -106,7 +110,8 @@ public:
GarbageCollector* gc,
StatusUpdateManager* statusUpdateManager,
mesos::slave::ResourceEstimator* resourceEstimator,
- mesos::slave::QoSController* qosController);
+ mesos::slave::QoSController* qosController,
+ const Option<Authorizer*>& authorizer);
virtual ~Slave();
@@ -593,6 +598,8 @@ private:
mesos::slave::QoSController* qosController;
+ const Option<Authorizer*> authorizer;
+
// The most recent estimate of the total amount of oversubscribed
// (allocated and oversubscribable) resources.
Option<Resources> oversubscribedResources;
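Review bot: The new `authorizer` member is a non-owning raw pointer with no stated lifetime contract, while its two callers differ: src/slave/main.cpp deletes it only after `process::wait(slave->self())` returns, and the test cluster keeps it in a `process::Owned` on the wrapper. A comment on the member should pin that contract so a future caller does not free it while the process is still running, e.g. `// Not owned by the Slave; the caller must keep it alive until this process has terminated.` Where `Slave` actually consults the authorizer is not part of this commit, so the wording deliberately stays at the process lifetime.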
http://git-wip-us.apache.org/repos/asf/mesos/blob/a3da5811/src/tests/cluster.cpp
----------------------------------------------------------------------
diff --git a/src/tests/cluster.cpp b/src/tests/cluster.cpp
index 3e5fdf6..db72628 100644
--- a/src/tests/cluster.cpp
+++ b/src/tests/cluster.cpp
@@ -352,7 +352,8 @@ Try<process::Owned<Slave>> Slave::start(
const Option<slave::GarbageCollector*>& gc,
const Option<slave::StatusUpdateManager*>& statusUpdateManager,
const Option<mesos::slave::ResourceEstimator*>& resourceEstimator,
- const Option<mesos::slave::QoSController*>& qosController)
+ const Option<mesos::slave::QoSController*>& qosController,
+ const Option<Authorizer*>& providedAuthorizer)
{
process::Owned<Slave> slave(new Slave());
@@ -379,6 +380,36 @@ Try<process::Owned<Slave>> Slave::start(
slave->containerizer = _containerizer.get();
}
+ Option<Authorizer*> authorizer = providedAuthorizer;
+
+ // If the authorizer is not provided, create a default one.
+ if (providedAuthorizer.isNone()) {
+ std::string authorizerName = flags.authorizer;
+
+ Result<Authorizer*> createdAuthorizer((None()));
+ if (authorizerName != slave::DEFAULT_AUTHORIZER) {
+ LOG(INFO) << "Creating '" << authorizerName << "' authorizer";
+
+ // NOTE: The contents of --acls will be ignored.
+ createdAuthorizer = Authorizer::create(authorizerName);
+ } else {
+ // `authorizerName` is `DEFAULT_AUTHORIZER` at this point.
+ if (flags.acls.isSome()) {
+ LOG(INFO) << "Creating default '" << authorizerName << "' authorizer";
+
+ createdAuthorizer = Authorizer::create(flags.acls.get());
+ }
+ }
+
+ if (createdAuthorizer.isError()) {
+ EXIT(EXIT_FAILURE) << "Could not create '" << authorizerName
+ << "' authorizer: " << createdAuthorizer.error();
+ } else if (createdAuthorizer.isSome()) {
+ slave->authorizer.reset(createdAuthorizer.get());
+ authorizer = createdAuthorizer.get();
+ }
+ }
+
// If the garbage collector is not provided, create a default one.
if (gc.isNone()) {
slave->gc.reset(new slave::GarbageCollector());
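Review bot: `Slave::start` returns `Try<process::Owned<Slave>>`, yet the new block calls `EXIT(EXIT_FAILURE)` when `Authorizer::create` fails, which terminates the whole test binary instead of letting the test observe the failure; `return Error("Could not create '" + authorizerName + "' authorizer: " + createdAuthorizer.error());` matches the return type. The other creation failures in this function are outside the hunk, so I cannot confirm which convention they follow, but a factory returning `Try` should not exit the process. The block is otherwise a copy of the one in src/slave/main.cpp, so if a shared helper is introduced this is the second call site. `Slave::start` continues past the hunk.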
@@ -425,7 +456,8 @@ Try<process::Owned<Slave>> Slave::start(
gc.getOrElse(slave->gc.get()),
statusUpdateManager.getOrElse(slave->statusUpdateManager.get()),
resourceEstimator.getOrElse(slave->resourceEstimator.get()),
- qosController.getOrElse(slave->qosController.get())));
+ qosController.getOrElse(slave->qosController.get()),
+ authorizer));
slave->pid = process::spawn(slave->slave.get());
http://git-wip-us.apache.org/repos/asf/mesos/blob/a3da5811/src/tests/cluster.hpp
----------------------------------------------------------------------
diff --git a/src/tests/cluster.hpp b/src/tests/cluster.hpp
index 96ec52a..60ab3f7 100644
--- a/src/tests/cluster.hpp
+++ b/src/tests/cluster.hpp
@@ -147,7 +147,8 @@ public:
const Option<slave::StatusUpdateManager*>& statusUpdateManager = None(),
const Option<mesos::slave::ResourceEstimator*>& resourceEstimator =
None(),
- const Option<mesos::slave::QoSController*>& qosController = None());
+ const Option<mesos::slave::QoSController*>& qosController = None(),
+ const Option<Authorizer*>& authorizer = None());
~Slave();
@@ -194,6 +195,7 @@ private:
slave::Containerizer* containerizer = nullptr;
// Dependencies that are created by the factory method.
+ process::Owned<Authorizer> authorizer;
process::Owned<slave::Containerizer> ownedContainerizer;
process::Owned<slave::Fetcher> fetcher;
process::Owned<slave::GarbageCollector> gc;
http://git-wip-us.apache.org/repos/asf/mesos/blob/a3da5811/src/tests/mesos.cpp
----------------------------------------------------------------------
diff --git a/src/tests/mesos.cpp b/src/tests/mesos.cpp
index b5937af..118b3b4 100644
--- a/src/tests/mesos.cpp
+++ b/src/tests/mesos.cpp
@@ -175,6 +175,9 @@ slave::Flags MesosTest::CreateSlaveFlags()
CHECK_SOME(os::close(fd.get()));
flags.credential = path;
+
+ // Set default (permissive) ACLs.
+ flags.acls = ACLs();
}
flags.authenticate_http = true;
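Review bot: `flags.acls = ACLs();` sits inside a block whose opening condition is above the hunk and which also writes the credential file, so test agents only get an authorizer when that branch runs; if the intent is that every test agent has permissive ACLs, the assignment belongs after the closing brace next to `flags.authenticate_http = true;`. If the coupling to credential setup is intended, the comment should say so, e.g. `// Set default (permissive) ACLs; only applies when a credential is configured above.` The enclosing `CreateSlaveFlags` body starts and ends outside the hunk.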
@@ -459,7 +462,8 @@ MockSlave::MockSlave(
const slave::Flags& flags,
MasterDetector* detector,
slave::Containerizer* containerizer,
- const Option<mesos::slave::QoSController*>& _qosController)
+ const Option<mesos::slave::QoSController*>& _qosController,
+ const Option<mesos::Authorizer*>& authorizer)
: slave::Slave(
process::ID::generate("slave"),
flags,
@@ -469,7 +473,8 @@ MockSlave::MockSlave(
&gc,
statusUpdateManager = new slave::StatusUpdateManager(flags),
&resourceEstimator,
- _qosController.isSome() ? _qosController.get() : &qosController),
+ _qosController.isSome() ? _qosController.get() : &qosController,
+ authorizer),
files(slave::DEFAULT_HTTP_AUTHENTICATION_REALM)
{
// Set up default behaviors, calling the original methods.
http://git-wip-us.apache.org/repos/asf/mesos/blob/a3da5811/src/tests/mesos.hpp
----------------------------------------------------------------------
diff --git a/src/tests/mesos.hpp b/src/tests/mesos.hpp
index fce9846..aeee7ac 100644
--- a/src/tests/mesos.hpp
+++ b/src/tests/mesos.hpp
@@ -1254,7 +1254,8 @@ public:
const slave::Flags& flags,
mesos::master::detector::MasterDetector* detector,
slave::Containerizer* containerizer,
- const Option<mesos::slave::QoSController*>& qosController = None());
+ const Option<mesos::slave::QoSController*>& qosController = None(),
+ const Option<mesos::Authorizer*>& authorizer = None());
virtual ~MockSlave();