You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mesos.apache.org by mz...@apache.org on 2019/07/23 22:34:58 UTC
[mesos] branch master updated: Removed `quota_info` in the
`GET_QUOTA` authorization object.
This is an automated email from the ASF dual-hosted git repository.
mzhu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git
The following commit(s) were added to refs/heads/master by this push:
new 756e212 Removed `quota_info` in the `GET_QUOTA` authorization object.
756e212 is described below
commit 756e212ee91f9b65fb5f90d627b41c9b8c22a319
Author: Meng Zhu <mz...@mesosphere.io>
AuthorDate: Mon Jul 22 14:36:47 2019 -0700
Removed `quota_info` in the `GET_QUOTA` authorization object.
Currently, the `GET_QUOTA` authorizable action set both `value`
and `quota_info` fields. The `value` field is set due to
backward compatibility for the `GET_QUOTA_WITH_ROLE` action.
This patch makes the `GET_QUOTA` action only set the `value`
field with the role name. Since the `quota.QuotaInfo` field
is being deprecated, it is no longer set (the local authorizer
only looks at the `value` field, it is also probably the case
for any external authorizer modules).
Also refactored `QuotaHandler::status`.
Review: https://reviews.apache.org/r/71139
---
include/mesos/authorizer/authorizer.proto | 7 +--
src/authorizer/local/authorizer.cpp | 4 +-
src/master/master.hpp | 2 +-
src/master/quota_handler.cpp | 73 ++++++++++++-------------------
4 files changed, 34 insertions(+), 52 deletions(-)
diff --git a/include/mesos/authorizer/authorizer.proto b/include/mesos/authorizer/authorizer.proto
index d09c234..7ca280a 100644
--- a/include/mesos/authorizer/authorizer.proto
+++ b/include/mesos/authorizer/authorizer.proto
@@ -128,10 +128,11 @@ enum Action {
UPDATE_WEIGHT = 10;
UPDATE_WEIGHT_WITH_ROLE = 10;
- // `GET_QUOTA` will have an object with `QuotaInfo` set.
+ // Prioir to Mesos 1.9, `GET_QUOTA` has an object with both `QuotaInfo`
+ // and `value` set. Since Mesos 1.9, the object will only have `value` set.
+ //
// The `_WITH_ROLE` alias is deprecated and will be removed after
- // Mesos 1.2's deprecation cycle ends. The `value` field will continue
- // to be set until that time.
+ // Mesos 1.2's deprecation cycle ends.
GET_QUOTA = 11;
GET_QUOTA_WITH_ROLE = 11;
diff --git a/src/authorizer/local/authorizer.cpp b/src/authorizer/local/authorizer.cpp
index 85821c6..16c0ffa 100644
--- a/src/authorizer/local/authorizer.cpp
+++ b/src/authorizer/local/authorizer.cpp
@@ -654,9 +654,7 @@ public:
}
case authorization::GET_QUOTA: {
entityObject.set_type(mesos::ACL::Entity::SOME);
- if (object->quota_info) {
- entityObject.add_values(object->quota_info->role());
- } else if (object->value) {
+ if (object->value) {
entityObject.add_values(*(object->value));
} else {
entityObject.set_type(mesos::ACL::Entity::ANY);
diff --git a/src/master/master.hpp b/src/master/master.hpp
index cacdcfd..8bdbac9 100644
--- a/src/master/master.hpp
+++ b/src/master/master.hpp
@@ -1312,7 +1312,7 @@ private:
process::Future<bool> authorizeGetQuota(
const Option<process::http::authentication::Principal>& principal,
- const mesos::quota::QuotaInfo& quotaInfo) const;
+ const std::string& role) const;
// This auth function is used for legacy `SET_QUOTA` and `REMOVE_QUOTA`
// calls. Remove this function after the associated API calls are
diff --git a/src/master/quota_handler.cpp b/src/master/quota_handler.cpp
index 1748fb9..15b02b0 100644
--- a/src/master/quota_handler.cpp
+++ b/src/master/quota_handler.cpp
@@ -364,42 +364,15 @@ Future<QuotaStatus> Master::QuotaHandler::_status(
{
// Quotas can be updated during preparation of the response.
// Copy current view of the collection to avoid conflicts.
- vector<QuotaInfo> quotaInfos;
- quotaInfos.reserve(master->quotas.size());
-
- foreachpair (const string& role, const Quota& quota, master->quotas) {
- quotaInfos.push_back([&role, "a]() {
- // Construct the legacy `QuotaInfo`.
- //
- // This is needed for backwards compatibility reasons.
- // Authorizable action `GET_QUOTA` expects an object
- // with `QuotaInfo` set.
- //
- // TODO(mzhu): we plan to deprecate the use of `QuotaInfo`
- // in the `GET_QUOTA` action. And instead, just set the value
- // field in the object using the role. This legacy construction
- // will be removed.
- QuotaInfo info;
- info.set_role(role);
- foreach (auto& quantity, quota.guarantees) {
- Resource resource;
- resource.set_type(Value::SCALAR);
- *resource.mutable_name() = quantity.first;
- *resource.mutable_scalar() = quantity.second;
-
- *info.add_guarantee() = std::move(resource);
- }
- return info;
- }());
- }
+ hashmap<std::string, Quota> quotas(master->quotas);
// Create a list of authorization actions for each role we may return.
//
// TODO(alexr): Use an authorization filter here once they are available.
vector<Future<bool>> authorizedRoles;
- authorizedRoles.reserve(quotaInfos.size());
- foreach (const QuotaInfo& info, quotaInfos) {
- authorizedRoles.push_back(authorizeGetQuota(principal, info));
+ authorizedRoles.reserve(quotas.size());
+ foreachkey (const string& role, quotas) {
+ authorizedRoles.push_back(authorizeGetQuota(principal, role));
}
return process::collect(authorizedRoles)
@@ -407,22 +380,36 @@ Future<QuotaStatus> Master::QuotaHandler::_status(
master->self(),
[=](const vector<bool>& authorizedRolesCollected)
-> Future<QuotaStatus> {
- CHECK(quotaInfos.size() == authorizedRolesCollected.size());
+ CHECK(quotas.size() == authorizedRolesCollected.size());
QuotaStatus status;
- status.mutable_infos()->Reserve(static_cast<int>(quotaInfos.size()));
+ status.mutable_infos()->Reserve(static_cast<int>(quotas.size()));
// Create an entry (including role and resources) for each quota,
// except those filtered out based on the authorizer's response.
//
// NOTE: This error-prone code will be removed with
// the introduction of authorization filters.
- auto quotaInfoIt = quotaInfos.begin();
- foreach (const bool& authorized, authorizedRolesCollected) {
- if (authorized) {
- status.add_infos()->CopyFrom(*quotaInfoIt);
+ auto authorizedIt = authorizedRolesCollected.cbegin();
+ auto quotaIt = quotas.cbegin();
+ for (; authorizedIt != authorizedRolesCollected.cend();
+ ++authorizedIt, ++quotaIt) {
+ if (*authorizedIt) {
+ // Fill in legacy `QuotaInfo`.
+ *status.add_infos() = ["aIt]() {
+ QuotaInfo info;
+ info.set_role(quotaIt->first);
+ foreach (auto& quantity, quotaIt->second.guarantees) {
+ Resource resource;
+ resource.set_type(Value::SCALAR);
+ *resource.mutable_name() = quantity.first;
+ *resource.mutable_scalar() = quantity.second;
+
+ *info.add_guarantee() = std::move(resource);
+ }
+ return info;
+ }();
}
- ++quotaInfoIt;
}
return status;
@@ -1074,8 +1061,7 @@ Future<http::Response> Master::QuotaHandler::__remove(const string& role) const
Future<bool> Master::QuotaHandler::authorizeGetQuota(
- const Option<Principal>& principal,
- const QuotaInfo& quotaInfo) const
+ const Option<Principal>& principal, const string& role) const
{
if (master->authorizer.isNone()) {
return true;
@@ -1083,7 +1069,7 @@ Future<bool> Master::QuotaHandler::authorizeGetQuota(
LOG(INFO) << "Authorizing principal '"
<< (principal.isSome() ? stringify(principal.get()) : "ANY")
- << "' to get quota for role '" << quotaInfo.role() << "'";
+ << "' to get quota for role '" << role << "'";
authorization::Request request;
request.set_action(authorization::GET_QUOTA);
@@ -1093,10 +1079,7 @@ Future<bool> Master::QuotaHandler::authorizeGetQuota(
request.mutable_subject()->CopyFrom(subject.get());
}
- // TODO(alexr): The `value` field is set for backwards compatibility
- // reasons until after the deprecation cycle started with 1.2.0 ends.
- request.mutable_object()->mutable_quota_info()->CopyFrom(quotaInfo);
- request.mutable_object()->set_value(quotaInfo.role());
+ request.mutable_object()->set_value(role);
return master->authorizer.get()->authorized(request);
}