Posted to commits@mesos.apache.org by ji...@apache.org on 2017/12/09 02:54:49 UTC
[2/7] mesos git commit: Added `MODIFY_RESOURCE_PROVIDER_CONFIG`
authorization.
Added `MODIFY_RESOURCE_PROVIDER_CONFIG` authorization.
The new authorization is for authorizing `ADD_RESOURCE_PROVIDER_CONFIG`,
`UPDATE_RESOURCE_PROVIDER_CONFIG`, and `REMOVE_RESOURCE_PROVIDER_CONFIG`
agent API calls.
Review: https://reviews.apache.org/r/64440/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/8de5b27d
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/8de5b27d
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/8de5b27d
Branch: refs/heads/master
Commit: 8de5b27df8cfaac374b5d1602fe07fcb62c7ce95
Parents: 1088a54
Author: Chun-Hung Hsiao <ch...@mesosphere.io>
Authored: Fri Dec 8 18:12:26 2017 -0800
Committer: Jie Yu <yu...@gmail.com>
Committed: Fri Dec 8 18:54:43 2017 -0800
----------------------------------------------------------------------
include/mesos/authorizer/acls.proto | 15 +++++++++++++++
include/mesos/authorizer/authorizer.proto | 5 +++++
src/authorizer/local/authorizer.cpp | 15 +++++++++++++++
3 files changed, 35 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/8de5b27d/include/mesos/authorizer/acls.proto
----------------------------------------------------------------------
diff --git a/include/mesos/authorizer/acls.proto b/include/mesos/authorizer/acls.proto
index 6f36470..aca9aa8 100644
--- a/include/mesos/authorizer/acls.proto
+++ b/include/mesos/authorizer/acls.proto
@@ -467,6 +467,20 @@ message ACL {
// SOME particular operating system users (e.g., linux users).
required Entity users = 2;
}
+
+ // Which principals are authorized to add, update and remove resource
+ // provider config files.
+ message ModifyResourceProviderConfig {
+ // Subjects: HTTP Username.
+ required Entity principals = 1;
+
+ // Objects: Given implicitly.
+ // Use Entity type ANY or NONE to allow or deny access.
+ //
+ // TODO(chhsiao): Consider allowing granular permission to act upon
+ // SOME particular operating system users (e.g., linux users).
+ required Entity users = 2;
+ }
}
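Review bot: The object field of `ModifyResourceProviderConfig` is named `users` and its TODO talks about operating system users, which reads as carried over from the message just above rather than describing what this action protects (resource provider config files). The authorizer.cpp part of this commit adds the action to the group that sets the request object to `ACL::Entity::ANY`, so presumably a `SOME` entity here is never compared against a value; the comment could say so, e.g. `// Objects: Given implicitly; the request object is always ANY, so only ANY or NONE is meaningful here.` The field name becomes part of the ACL schema that operators write, so if a more descriptive name (for example `resource_providers`) is wanted, it is cheapest to choose it before this is released.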
@@ -542,4 +556,5 @@ message ACLs {
repeated ACL.KillStandaloneContainer kill_standalone_container = 42;
repeated ACL.WaitStandaloneContainer wait_standalone_container = 43;
repeated ACL.RemoveStandaloneContainer remove_standalone_container = 44;
+ repeated ACL.ModifyResourceProviderConfig modify_resource_provider_config = 45;
}
http://git-wip-us.apache.org/repos/asf/mesos/blob/8de5b27d/include/mesos/authorizer/authorizer.proto
----------------------------------------------------------------------
diff --git a/include/mesos/authorizer/authorizer.proto b/include/mesos/authorizer/authorizer.proto
index d84295f..7db5fb3 100644
--- a/include/mesos/authorizer/authorizer.proto
+++ b/include/mesos/authorizer/authorizer.proto
@@ -241,6 +241,11 @@ enum Action {
//
// TODO(josephw): This should set the operating system user in the object.
REMOVE_STANDALONE_CONTAINER = 38;
+
+ // This action will not fill in any object fields. A principal is either
+ // allowed to add, update and remove resource provider config files or is
+ // unauthorized.
+ MODIFY_RESOURCE_PROVIDER_CONFIG = 39;
}
http://git-wip-us.apache.org/repos/asf/mesos/blob/8de5b27d/src/authorizer/local/authorizer.cpp
----------------------------------------------------------------------
diff --git a/src/authorizer/local/authorizer.cpp b/src/authorizer/local/authorizer.cpp
index e07f57e..809c2e4 100644
--- a/src/authorizer/local/authorizer.cpp
+++ b/src/authorizer/local/authorizer.cpp
@@ -410,6 +410,7 @@ public:
case authorization::START_MAINTENANCE:
case authorization::STOP_MAINTENANCE:
case authorization::UPDATE_MAINTENANCE_SCHEDULE:
+ case authorization::MODIFY_RESOURCE_PROVIDER_CONFIG:
aclObject.set_type(ACL::Entity::ANY);
break;
@@ -715,6 +716,7 @@ public:
case authorization::VIEW_TASK:
case authorization::WAIT_NESTED_CONTAINER:
case authorization::WAIT_STANDALONE_CONTAINER:
+ case authorization::MODIFY_RESOURCE_PROVIDER_CONFIG:
case authorization::UNKNOWN:
UNREACHABLE();
}
@@ -931,6 +933,7 @@ public:
case authorization::VIEW_TASK:
case authorization::WAIT_NESTED_CONTAINER:
case authorization::WAIT_STANDALONE_CONTAINER:
+ case authorization::MODIFY_RESOURCE_PROVIDER_CONFIG:
UNREACHABLE();
}
@@ -1141,6 +1144,7 @@ public:
case authorization::VIEW_TASK:
case authorization::WAIT_NESTED_CONTAINER:
case authorization::WAIT_STANDALONE_CONTAINER:
+ case authorization::MODIFY_RESOURCE_PROVIDER_CONFIG:
case authorization::UNKNOWN: {
Result<vector<GenericACL>> genericACLs =
createGenericACLs(action, acls);
@@ -1474,6 +1478,17 @@ private:
}
return acls_;
+ case authorization::MODIFY_RESOURCE_PROVIDER_CONFIG:
+ foreach (const ACL::ModifyResourceProviderConfig& acl,
+ acls.modify_resource_provider_config()) {
+ GenericACL acl_;
+ acl_.subjects = acl.principals();
+ acl_.objects = acl.users();
+
+ acls_.push_back(acl_);
+ }
+
+ return acls_;
case authorization::REGISTER_FRAMEWORK:
case authorization::CREATE_VOLUME:
case authorization::RESERVE_RESOURCES:
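Review bot: When `acls.modify_resource_provider_config()` is empty, this new case returns an empty `acls_`, so the decision falls to whatever the authorizer does when no ACL matches. If that default is permissive, every principal may add, update and remove resource provider config files on a cluster that upgrades without adding the new ACL. That is worth a comment next to the case, e.g. `// No ACLs configured: the decision falls to the authorizer's default.`, and a line in the operator-facing notes for this action. The diffstat lists no test file, so unless another patch in this series covers it, one allow case and one deny case for `MODIFY_RESOURCE_PROVIDER_CONFIG` would pin the behaviour. The enclosing switch starts and ends outside the hunk.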