Posted to commits@mesos.apache.org by ji...@apache.org on 2017/12/09 02:54:49 UTC

[2/7] mesos git commit: Added `MODIFY_RESOURCE_PROVIDER_CONFIG` authorization.

Added `MODIFY_RESOURCE_PROVIDER_CONFIG` authorization.

The new authorization is for authorizing `ADD_RESOURCE_PROVIDER_CONFIG`,
`UPDATE_RESOURCE_PROVIDER_CONFIG`, and `REMOVE_RESOURCE_PROVIDER_CONFIG`
agent API calls.

Review: https://reviews.apache.org/r/64440/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/8de5b27d
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/8de5b27d
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/8de5b27d

Branch: refs/heads/master
Commit: 8de5b27df8cfaac374b5d1602fe07fcb62c7ce95
Parents: 1088a54
Author: Chun-Hung Hsiao <ch...@mesosphere.io>
Authored: Fri Dec 8 18:12:26 2017 -0800
Committer: Jie Yu <yu...@gmail.com>
Committed: Fri Dec 8 18:54:43 2017 -0800

----------------------------------------------------------------------
 include/mesos/authorizer/acls.proto       | 15 +++++++++++++++
 include/mesos/authorizer/authorizer.proto |  5 +++++
 src/authorizer/local/authorizer.cpp       | 15 +++++++++++++++
 3 files changed, 35 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/8de5b27d/include/mesos/authorizer/acls.proto
----------------------------------------------------------------------
diff --git a/include/mesos/authorizer/acls.proto b/include/mesos/authorizer/acls.proto
index 6f36470..aca9aa8 100644
--- a/include/mesos/authorizer/acls.proto
+++ b/include/mesos/authorizer/acls.proto
@@ -467,6 +467,20 @@ message ACL {
     // SOME particular operating system users (e.g., linux users).
     required Entity users = 2;
   }
+
+  // Which principals are authorized to add, update and remove resource
+  // provider config files.
+  message ModifyResourceProviderConfig {
+    // Subjects: HTTP Username.
+    required Entity principals = 1;
+
+    // Objects: Given implicitly.
+    // Use Entity type ANY or NONE to allow or deny access.
+    //
+    // TODO(chhsiao): Consider allowing granular permission to act upon
+    // SOME particular operating system users (e.g., linux users).
+    required Entity users = 2;
+  }
 }
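Review bot: The `users` object field on `ModifyResourceProviderConfig` (L58) is documented as "Given implicitly", but the companion changes make the request object type ANY unconditionally (authorizer.proto says the action fills no object fields; the local authorizer sets `ACL::Entity::ANY`), so the only values of `users` that mean anything today are ANY and NONE. An operator who writes a rule with specific user names, which the field name invites, will not get a per-user restriction; depending on how the generic matcher treats a SOME ACL entity against an ANY request object (not in view), the rule either never matches or matches everyone. The comment should say this plainly rather than leaving it to the TODO, e.g. replace L54 with `// Only ANY and NONE are honored: the request object is always ANY, so` / `// listing specific users does not restrict this permission.` Since the permission covers add, update and remove in one grant, operators have no way to hand out read-modify rights without remove rights; that is a design choice the commit message states, but it is worth a sentence here so nobody assumes finer ACLs exist.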
 
 
@@ -542,4 +556,5 @@ message ACLs {
   repeated ACL.KillStandaloneContainer kill_standalone_container = 42;
   repeated ACL.WaitStandaloneContainer wait_standalone_container = 43;
   repeated ACL.RemoveStandaloneContainer remove_standalone_container = 44;
+  repeated ACL.ModifyResourceProviderConfig modify_resource_provider_config = 45;
 }

http://git-wip-us.apache.org/repos/asf/mesos/blob/8de5b27d/include/mesos/authorizer/authorizer.proto
----------------------------------------------------------------------
diff --git a/include/mesos/authorizer/authorizer.proto b/include/mesos/authorizer/authorizer.proto
index d84295f..7db5fb3 100644
--- a/include/mesos/authorizer/authorizer.proto
+++ b/include/mesos/authorizer/authorizer.proto
@@ -241,6 +241,11 @@ enum Action {
   //
   // TODO(josephw): This should set the operating system user in the object.
   REMOVE_STANDALONE_CONTAINER = 38;
+
+  // This action will not fill in any object fields. A principal is either
+  // allowed to add, update and remove resource provider config files or is
+  // unauthorized.
+  MODIFY_RESOURCE_PROVIDER_CONFIG = 39;
 }
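Review bot: The enum comment for `MODIFY_RESOURCE_PROVIDER_CONFIG` (L81-L84) should state the blast radius of the grant, because a reviewer of an ACL file sees only this name. The action authorizes three agent API calls (add, update, remove) with no object to scope them, so it is all-or-nothing per principal across every resource provider config on that agent. If resource provider configs carry plugin/container launch information, as I believe the storage local resource provider's do (please confirm against the config proto, which is not in this diff), then granting this action is close to granting the ability to run arbitrary workloads on the agent, and the comment should say so, e.g. `// Grants full add/update/remove rights over all resource provider configs on the agent; treat as an operator-level privilege.`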
 
 

http://git-wip-us.apache.org/repos/asf/mesos/blob/8de5b27d/src/authorizer/local/authorizer.cpp
----------------------------------------------------------------------
diff --git a/src/authorizer/local/authorizer.cpp b/src/authorizer/local/authorizer.cpp
index e07f57e..809c2e4 100644
--- a/src/authorizer/local/authorizer.cpp
+++ b/src/authorizer/local/authorizer.cpp
@@ -410,6 +410,7 @@ public:
         case authorization::START_MAINTENANCE:
         case authorization::STOP_MAINTENANCE:
         case authorization::UPDATE_MAINTENANCE_SCHEDULE:
+        case authorization::MODIFY_RESOURCE_PROVIDER_CONFIG:
           aclObject.set_type(ACL::Entity::ANY);
 
           break;
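Review bot: The new case on L99 joins the group whose request object is forced to `ACL::Entity::ANY` (L100), which is what makes the `users` entity in the corresponding ACL effectively a boolean. A short comment on the case would save the next reader from looking for a missing object-population step, e.g. `// No per-object granularity yet: any principal allowed by the ACL may add, update or remove every resource provider config.` The enclosing switch starts and ends outside this hunk, so I cannot tell whether the surrounding cases already carry such a comment.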
@@ -715,6 +716,7 @@ public:
         case authorization::VIEW_TASK:
         case authorization::WAIT_NESTED_CONTAINER:
         case authorization::WAIT_STANDALONE_CONTAINER:
+        case authorization::MODIFY_RESOURCE_PROVIDER_CONFIG:
         case authorization::UNKNOWN:
           UNREACHABLE();
       }
@@ -931,6 +933,7 @@ public:
       case authorization::VIEW_TASK:
       case authorization::WAIT_NESTED_CONTAINER:
       case authorization::WAIT_STANDALONE_CONTAINER:
+      case authorization::MODIFY_RESOURCE_PROVIDER_CONFIG:
         UNREACHABLE();
     }
 
@@ -1141,6 +1144,7 @@ public:
       case authorization::VIEW_TASK:
       case authorization::WAIT_NESTED_CONTAINER:
       case authorization::WAIT_STANDALONE_CONTAINER:
+      case authorization::MODIFY_RESOURCE_PROVIDER_CONFIG:
       case authorization::UNKNOWN: {
         Result<vector<GenericACL>> genericACLs =
           createGenericACLs(action, acls);
@@ -1474,6 +1478,17 @@ private:
         }
 
         return acls_;
+      case authorization::MODIFY_RESOURCE_PROVIDER_CONFIG:
+        foreach (const ACL::ModifyResourceProviderConfig& acl,
+            acls.modify_resource_provider_config()) {
+          GenericACL acl_;
+          acl_.subjects = acl.principals();
+          acl_.objects = acl.users();
+
+          acls_.push_back(acl_);
+        }
+
+        return acls_;
       case authorization::REGISTER_FRAMEWORK:
       case authorization::CREATE_VOLUME:
       case authorization::RESERVE_RESOURCES: