Posted to commits@mesos.apache.org by as...@apache.org on 2020/03/03 07:52:49 UTC
[mesos] 02/08: Added to `ObjectApprovers` a method to approve
arbitrary action.
This is an automated email from the ASF dual-hosted git repository.
asekretenko pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git
commit 8a82df8604c552268ca22e2577dc0e03a1731bcf
Author: Andrei Sekretenko <as...@mesosphere.com>
AuthorDate: Mon Jan 20 17:00:36 2020 +0100
Added to `ObjectApprovers` a method to approve arbitrary action.
This is needed to use `ObjectApprovers` for authorizing scheduler API
calls.
Review: https://reviews.apache.org/r/72093
---
src/common/http.hpp | 36 +++++++++++++++++++++++++-----------
1 file changed, 25 insertions(+), 11 deletions(-)
diff --git a/src/common/http.hpp b/src/common/http.hpp
index 98000db..02633e1 100644
--- a/src/common/http.hpp
+++ b/src/common/http.hpp
@@ -370,21 +370,34 @@ public:
const Option<process::http::authentication::Principal>& principal,
std::initializer_list<authorization::Action> actions);
- template <authorization::Action action, typename... Args>
- bool approved(const Args&... args) const
+ Try<bool> approved(
+ authorization::Action action,
+ const ObjectApprover::Object& object) const
{
if (!approvers.contains(action)) {
LOG(WARNING)
<< "Attempted to authorize principal "
<< " '" << (principal.isSome() ? stringify(*principal) : "") << "'"
- << " for unexpected action " << stringify(action);
+ << " for unexpected action " << authorization::Action_Name(action);
+
return false;
}
- Try<bool> approved =
- approvers.at(action)->approved(ObjectApprover::Object(args...));
+ return approvers.at(action)->approved(object);
+ }
+
+ // Constructs one (or more) authorization objects, depending on the
+ // action, and returns true if all action-object pairs are authorized.
+ //
+ // NOTE: This template has specializations that actually check
+ // more than one action-object pair.
+ template <authorization::Action action, typename... Args>
+ bool approved(const Args&... args) const
+ {
+ const Try<bool> approval =
+ approved(action, ObjectApprover::Object(args...));
- if (approved.isError()) {
+ if (approval.isError()) {
// NOTE: Silently dropping errors here creates a potential for
// _transient_ authorization errors to make API events subscriber's view
// inconsistent (see MESOS-10085). Also, this creates potential for an
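Review bot: The new non-template `approved(action, object)` overload returns plain `false` when `approvers` has no entry for `action`, so a caller that did not request that action when the `ObjectApprovers` was created gets the same result as a genuine denial, with only a WARNING in the log. This fails closed, which is the safe direction, but the `Try<bool>` return type is there so callers can tell an error from a denial. Consider `return Error("No approver for action " + authorization::Action_Name(action));` in that branch; the template overload would still turn it into `false`, so existing callers keep denying. If the plain denial is intended, the overload should say so in a comment like the one the template received, for example `// Returns false (deny) if no approver exists for the action; an approver failure is returned as an Error.`. The enclosing class starts and ends outside the hunk.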
@@ -392,14 +405,15 @@ public:
// case of an authorization error (see MESOS-10099).
//
// TODO(joerg84): Expose these errors back to the caller.
- LOG(WARNING)
- << "Failed to authorize principal "
- << " '" << (principal.isSome() ? stringify(*principal) : "") << "'"
- << " for action " << stringify(action) << ": " << approved.error();
+ LOG(WARNING) << "Failed to authorize principal "
+ << " '" << (principal.isSome() ? stringify(*principal) : "")
+ << "' for action " << authorization::Action_Name(action)
+ << ": " << approval.error();
+
return false;
}
- return approved.get();
+ return approval.get();
}
const Option<process::http::authentication::Principal> principal;