Posted to commits@mesos.apache.org by me...@apache.org on 2016/11/16 10:00:08 UTC

[2/3] mesos git commit: Updated calls to the authorizer to use whole protobuf messages.

Updated calls to the authorizer to use whole protobuf messages.

Changes the calls to the authorizer so that they use the new
protobuf-message-based authorization calls when available.
The calls still set the traditional `Object.value` field for
compatibility with old authorizers.

Review: https://reviews.apache.org/r/53057/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/181c89d9
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/181c89d9
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/181c89d9

Branch: refs/heads/master
Commit: 181c89d9b32d576e35dbcd9e15292b551e2ad6df
Parents: bc0e6d7
Author: Alexander Rojas <al...@mesosphere.io>
Authored: Tue Nov 15 19:04:51 2016 -0800
Committer: Adam B <ad...@mesosphere.io>
Committed: Wed Nov 16 01:55:03 2016 -0800

----------------------------------------------------------------------
 src/master/http.cpp            |  4 +++-
 src/master/master.cpp          | 16 +++++++++++-----
 src/master/master.hpp          |  4 ++--
 src/master/quota_handler.cpp   | 11 ++++++-----
 src/master/weights_handler.cpp | 11 ++++++-----
 5 files changed, 28 insertions(+), 18 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/181c89d9/src/master/http.cpp
----------------------------------------------------------------------
diff --git a/src/master/http.cpp b/src/master/http.cpp
index 88a8df5..90cbed1 100644
--- a/src/master/http.cpp
+++ b/src/master/http.cpp
@@ -3485,13 +3485,15 @@ Future<Response> Master::Http::teardown(
   }
 
   authorization::Request teardown;
-  teardown.set_action(authorization::TEARDOWN_FRAMEWORK_WITH_PRINCIPAL);
+  teardown.set_action(authorization::TEARDOWN_FRAMEWORK);
 
   if (principal.isSome()) {
     teardown.mutable_subject()->set_value(principal.get());
   }
 
   if (framework->info.has_principal()) {
+    teardown.mutable_object()->mutable_framework_info()->CopyFrom(
+        framework->info);
     teardown.mutable_object()->set_value(framework->info.principal());
   }
 
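Review bot: The `framework_info` copy sits inside the `if (framework->info.has_principal())` guard, so for a framework without a principal the request leaves this block with neither `value` nor `framework_info` set on the object. That guard is only needed for the legacy `value` field; a message-based authorizer can decide on the whole `FrameworkInfo` either way, and how an empty object is interpreted is left to the authorizer implementation. Consider moving `teardown.mutable_object()->mutable_framework_info()->CopyFrom(framework->info);` above the `if` and keeping only the `set_value(...)` call inside it. The body of `teardown` continues outside the hunk.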

http://git-wip-us.apache.org/repos/asf/mesos/blob/181c89d9/src/master/master.cpp
----------------------------------------------------------------------
diff --git a/src/master/master.cpp b/src/master/master.cpp
index f0b6297..4482d4c 100644
--- a/src/master/master.cpp
+++ b/src/master/master.cpp
@@ -2070,12 +2070,13 @@ Future<bool> Master::authorizeFramework(
             << "' to receive offers for role '" << frameworkInfo.role() << "'";
 
   authorization::Request request;
-  request.set_action(authorization::REGISTER_FRAMEWORK_WITH_ROLE);
+  request.set_action(authorization::REGISTER_FRAMEWORK);
 
   if (frameworkInfo.has_principal()) {
     request.mutable_subject()->set_value(frameworkInfo.principal());
   }
 
+  request.mutable_object()->mutable_framework_info()->CopyFrom(frameworkInfo);
   request.mutable_object()->set_value(frameworkInfo.role());
 
   return authorizer.get()->authorized(request);
@@ -3188,7 +3189,7 @@ Future<bool> Master::authorizeReserveResources(
   }
 
   authorization::Request request;
-  request.set_action(authorization::RESERVE_RESOURCES_WITH_ROLE);
+  request.set_action(authorization::RESERVE_RESOURCES);
 
   if (principal.isSome()) {
     request.mutable_subject()->set_value(principal.get());
@@ -3203,6 +3204,7 @@ Future<bool> Master::authorizeReserveResources(
     if (!roles.contains(resource.role())) {
       roles.insert(resource.role());
 
+      request.mutable_object()->mutable_resource()->CopyFrom(resource);
       request.mutable_object()->set_value(resource.role());
       authorizations.push_back(authorizer.get()->authorized(request));
     }
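Review bot: Only the first resource seen for each role is copied into the request, because the `roles.contains(resource.role())` de-duplication that was sound for a role-only check still guards the `authorized()` call. An authorizer that evaluates `RESERVE_RESOURCES` on the whole `Resource` message never sees the remaining resources of that role, so they are in effect authorized on the strength of the first one. Consider sending one request per resource now that the message is attached, or state the limitation in a comment such as `// NOTE: Only one Resource per role is sent; authorizers can rely on the role only.` The same pattern appears in the `authorizeCreateVolume` hunk at `-3312,6 +3316,7`. The loop starts outside this hunk.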
@@ -3244,7 +3246,7 @@ Future<bool> Master::authorizeUnreserveResources(
   }
 
   authorization::Request request;
-  request.set_action(authorization::UNRESERVE_RESOURCES_WITH_PRINCIPAL);
+  request.set_action(authorization::UNRESERVE_RESOURCES);
 
   if (principal.isSome()) {
     request.mutable_subject()->set_value(principal.get());
@@ -3258,6 +3260,8 @@ Future<bool> Master::authorizeUnreserveResources(
     // during validation.
     if (Resources::isDynamicallyReserved(resource) &&
         resource.reservation().has_principal()) {
+      request.mutable_object()->mutable_resource()->CopyFrom(resource);
+
       request.mutable_object()->set_value(
           resource.reservation().principal());
 
@@ -3297,7 +3301,7 @@ Future<bool> Master::authorizeCreateVolume(
   }
 
   authorization::Request request;
-  request.set_action(authorization::CREATE_VOLUME_WITH_ROLE);
+  request.set_action(authorization::CREATE_VOLUME);
 
   if (principal.isSome()) {
     request.mutable_subject()->set_value(principal.get());
@@ -3312,6 +3316,7 @@ Future<bool> Master::authorizeCreateVolume(
     if (!roles.contains(volume.role())) {
       roles.insert(volume.role());
 
+      request.mutable_object()->mutable_resource()->CopyFrom(volume);
       request.mutable_object()->set_value(volume.role());
       authorizations.push_back(authorizer.get()->authorized(request));
     }
@@ -3349,7 +3354,7 @@ Future<bool> Master::authorizeDestroyVolume(
   }
 
   authorization::Request request;
-  request.set_action(authorization::DESTROY_VOLUME_WITH_PRINCIPAL);
+  request.set_action(authorization::DESTROY_VOLUME);
 
   if (principal.isSome()) {
     request.mutable_subject()->set_value(principal.get());
@@ -3361,6 +3366,7 @@ Future<bool> Master::authorizeDestroyVolume(
     // authorization, we must check here that this resource is a persistent
     // volume. If it isn't, the error will be caught during validation.
     if (Resources::isPersistentVolume(volume)) {
+      request.mutable_object()->mutable_resource()->CopyFrom(volume);
       request.mutable_object()->set_value(
           volume.disk().persistence().principal());
 

http://git-wip-us.apache.org/repos/asf/mesos/blob/181c89d9/src/master/master.hpp
----------------------------------------------------------------------
diff --git a/src/master/master.hpp b/src/master/master.hpp
index 87186c6..bc6aafc 100644
--- a/src/master/master.hpp
+++ b/src/master/master.hpp
@@ -1075,7 +1075,7 @@ private:
 
     process::Future<bool> authorizeGetQuota(
         const Option<std::string>& principal,
-        const std::string& role) const;
+        const quota::QuotaInfo& role) const;
 
     // TODO(mpark): The following functions `authorizeSetQuota` and
     // `authorizeRemoveQuota` should be replaced with `authorizeUpdateQuota` at
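Review bot: The parameter of `authorizeGetQuota` is still named `role` although its type is now `const quota::QuotaInfo&`, while the definition in quota_handler.cpp calls it `quota`. A reader of the header would expect a role string from that name, so rename it to match the definition: `const quota::QuotaInfo& quota) const;`. The TODO comment that follows the declaration continues outside the hunk.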
@@ -1149,7 +1149,7 @@ private:
   private:
     process::Future<bool> authorizeGetWeight(
         const Option<std::string>& principal,
-        const std::string& role) const;
+        const WeightInfo& weight) const;
 
     process::Future<bool> authorizeUpdateWeights(
         const Option<std::string>& principal,

http://git-wip-us.apache.org/repos/asf/mesos/blob/181c89d9/src/master/quota_handler.cpp
----------------------------------------------------------------------
diff --git a/src/master/quota_handler.cpp b/src/master/quota_handler.cpp
index d87d6c6..9ceff38 100644
--- a/src/master/quota_handler.cpp
+++ b/src/master/quota_handler.cpp
@@ -257,7 +257,7 @@ Future<QuotaStatus> Master::QuotaHandler::_status(
   // TODO(alexr): Use an authorization filter here once they are available.
   list<Future<bool>> authorizedRoles;
   foreach (const QuotaInfo& info, quotaInfos) {
-    authorizedRoles.push_back(authorizeGetQuota(principal, info.role()));
+    authorizedRoles.push_back(authorizeGetQuota(principal, info));
   }
 
   return process::collect(authorizedRoles)
@@ -526,7 +526,7 @@ Future<http::Response> Master::QuotaHandler::__remove(const string& role) const
 
 Future<bool> Master::QuotaHandler::authorizeGetQuota(
     const Option<string>& principal,
-    const string& role) const
+    const QuotaInfo& quota) const
 {
   if (master->authorizer.isNone()) {
     return true;
@@ -534,16 +534,17 @@ Future<bool> Master::QuotaHandler::authorizeGetQuota(
 
   LOG(INFO) << "Authorizing principal '"
             << (principal.isSome() ? principal.get() : "ANY")
-            << "' to get quota for role '" << role << "'";
+            << "' to get quota for role '" << quota.role() << "'";
 
   authorization::Request request;
-  request.set_action(authorization::GET_QUOTA_WITH_ROLE);
+  request.set_action(authorization::GET_QUOTA);
 
   if (principal.isSome()) {
     request.mutable_subject()->set_value(principal.get());
   }
 
-  request.mutable_object()->set_value(role);
+  request.mutable_object()->mutable_quota_info()->CopyFrom(quota);
+  request.mutable_object()->set_value(quota.role());
 
   return master->authorizer.get()->authorized(request);
 }
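Review bot: The reason both `quota_info` and `value` are set on the same object is recorded only in the commit message, so a later cleanup could drop the `set_value` call and silently break authorizers that still read `value`. Add a short comment above the pair, for example `// Also set the legacy `value` field for authorizers that do not read `quota_info` yet.` The same comment would help at the other call sites changed in this commit (http.cpp, master.cpp, weights_handler.cpp).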

http://git-wip-us.apache.org/repos/asf/mesos/blob/181c89d9/src/master/weights_handler.cpp
----------------------------------------------------------------------
diff --git a/src/master/weights_handler.cpp b/src/master/weights_handler.cpp
index c240fb2..da0b995 100644
--- a/src/master/weights_handler.cpp
+++ b/src/master/weights_handler.cpp
@@ -118,7 +118,7 @@ Future<vector<WeightInfo>> Master::WeightsHandler::_getWeights(
   // TODO(alexr): Batch these actions once we have BatchRequest in authorizer.
   list<Future<bool>> roleAuthorizations;
   foreach (const WeightInfo& info, weightInfos) {
-    roleAuthorizations.push_back(authorizeGetWeight(principal, info.role()));
+    roleAuthorizations.push_back(authorizeGetWeight(principal, info));
   }
 
   return process::collect(roleAuthorizations)
@@ -325,7 +325,7 @@ Future<bool> Master::WeightsHandler::authorizeUpdateWeights(
             << "' to update weights for roles '" << stringify(roles) << "'";
 
   authorization::Request request;
-  request.set_action(authorization::UPDATE_WEIGHT_WITH_ROLE);
+  request.set_action(authorization::UPDATE_WEIGHT);
 
   if (principal.isSome()) {
     request.mutable_subject()->set_value(principal.get());
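Review bot: The action becomes `UPDATE_WEIGHT`, but nothing in this commit attaches a message to the object in `authorizeUpdateWeights`: the lines between this hunk and the next are untouched, so the request presumably still carries only `value`. Every other call site changed here fills the message field alongside `value`, and an authorizer that reads `weight_info` for `UPDATE_WEIGHT` would find it unset. If the weights are available where the object is filled, consider also populating `request.mutable_object()->mutable_weight_info()` there, or add a comment explaining why only the role is passed. The function body continues outside the hunk.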
@@ -357,7 +357,7 @@ Future<bool> Master::WeightsHandler::authorizeUpdateWeights(
 
 Future<bool> Master::WeightsHandler::authorizeGetWeight(
     const Option<string>& principal,
-    const string& role) const
+    const WeightInfo& weight) const
 {
   if (master->authorizer.isNone()) {
     return true;
@@ -365,7 +365,7 @@ Future<bool> Master::WeightsHandler::authorizeGetWeight(
 
   LOG(INFO) << "Authorizing principal '"
             << (principal.isSome() ? principal.get() : "ANY")
-            << "' to get weight for role '" << role << "'";
+            << "' to get weight for role '" << weight.role() << "'";
 
   authorization::Request request;
   request.set_action(authorization::VIEW_ROLE);
@@ -374,7 +374,8 @@ Future<bool> Master::WeightsHandler::authorizeGetWeight(
     request.mutable_subject()->set_value(principal.get());
   }
 
-  request.mutable_object()->set_value(role);
+  request.mutable_object()->mutable_weight_info()->CopyFrom(weight);
+  request.mutable_object()->set_value(weight.role());
 
   return master->authorizer.get()->authorized(request);
 }