You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mesos.apache.org by ti...@apache.org on 2018/12/17 14:53:20 UTC
[mesos] branch ci/till/69405 created (now c8639b2)
This is an automated email from the ASF dual-hosted git repository.
tillt pushed a change to branch ci/till/69405
in repository https://gitbox.apache.org/repos/asf/mesos.git.
at c8639b2 Refactored createAuthorizationCallbacks into common/authorization.
This branch includes the following new commits:
new c8639b2 Refactored createAuthorizationCallbacks into common/authorization.
The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
[mesos] 01/01: Refactored createAuthorizationCallbacks into
common/authorization.
Posted by ti...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
tillt pushed a commit to branch ci/till/69405
in repository https://gitbox.apache.org/repos/asf/mesos.git
commit c8639b243293261c99992fe1cf4835138d9aed05
Author: Till Toenshoff <to...@me.com>
AuthorDate: Mon Dec 17 15:27:09 2018 +0100
Refactored createAuthorizationCallbacks into common/authorization.
Moves 'createAuthorizationCallbacks' out of common/http into
common/authorization.
Review: https://reviews.apache.org/r/69405/
---
src/authorizer/local/authorizer.cpp | 3 +-
src/common/authorization.cpp | 59 +++++++++++++++++++++++++++++++++++++
src/common/authorization.hpp | 6 ++++
src/common/http.cpp | 54 +--------------------------------
src/common/http.hpp | 5 ----
src/master/main.cpp | 3 +-
src/slave/main.cpp | 3 +-
src/tests/cluster.cpp | 5 ++--
src/tests/logging_tests.cpp | 3 +-
9 files changed, 77 insertions(+), 64 deletions(-)
diff --git a/src/authorizer/local/authorizer.cpp b/src/authorizer/local/authorizer.cpp
index 83944b9..85e18b9 100644
--- a/src/authorizer/local/authorizer.cpp
+++ b/src/authorizer/local/authorizer.cpp
@@ -38,6 +38,7 @@
#include <stout/try.hpp>
#include <stout/unreachable.hpp>
+#include "common/authorization.hpp"
#include "common/http.hpp"
#include "common/parse.hpp"
#include "common/protobuf_utils.hpp"
@@ -1677,7 +1678,7 @@ Option<Error> LocalAuthorizer::validate(const ACLs& acls)
foreach (const ACL::GetEndpoint& acl, acls.get_endpoints()) {
if (acl.paths().type() == ACL::Entity::SOME) {
foreach (const string& path, acl.paths().values()) {
- if (!AUTHORIZABLE_ENDPOINTS.contains(path)) {
+ if (!authorization::AUTHORIZABLE_ENDPOINTS.contains(path)) {
return Error("Path: '" + path + "' is not an authorizable path");
}
}
diff --git a/src/common/authorization.cpp b/src/common/authorization.cpp
index fa0c0e8..8948721 100644
--- a/src/common/authorization.cpp
+++ b/src/common/authorization.cpp
@@ -17,25 +17,41 @@
#include "common/authorization.hpp"
#include <algorithm>
+#include <functional>
#include <string>
+#include <utility>
#include <mesos/mesos.hpp>
#include <process/collect.hpp>
#include <stout/foreach.hpp>
+#include <stout/hashmap.hpp>
#include <stout/none.hpp>
+#include <stout/stringify.hpp>
using std::string;
using std::vector;
+using process::Failure;
using process::Future;
+using process::http::authorization::AuthorizationCallbacks;
using process::http::authentication::Principal;
namespace mesos {
namespace authorization {
+// Set of endpoint whose access is protected with the authorization
+// action `GET_ENDPOINTS_WITH_PATH`.
+hashset<string> AUTHORIZABLE_ENDPOINTS{
+ "/containers",
+ "/files/debug",
+ "/logging/toggle",
+ "/metrics/snapshot",
+ "/monitor/statistics"};
+
+
Future<bool> collectAuthorizations(const vector<Future<bool>>& authorizations)
{
return process::collect(authorizations)
@@ -86,5 +102,48 @@ Future<bool> authorizeLogAccess(
return authorizer.get()->authorized(request);
}
+
+const AuthorizationCallbacks createAuthorizationCallbacks(
+ Authorizer* authorizer)
+{
+ typedef lambda::function<Future<bool>(
+ const process::http::Request& httpRequest,
+ const Option<Principal>& principal)> Callback;
+
+ AuthorizationCallbacks callbacks;
+
+ Callback getEndpoint = [authorizer](
+ const process::http::Request& httpRequest,
+ const Option<Principal>& principal) -> Future<bool> {
+ const string path = httpRequest.url.path;
+
+ if (!AUTHORIZABLE_ENDPOINTS.contains(path)) {
+ return Failure(
+ "Endpoint '" + path + "' is not an authorizable endpoint");
+ }
+
+ Request authorizationRequest;
+ authorizationRequest.set_action(GET_ENDPOINT_WITH_PATH);
+
+ Option<Subject> subject = createSubject(principal);
+ if (subject.isSome()) {
+ authorizationRequest.mutable_subject()->CopyFrom(subject.get());
+ }
+
+ authorizationRequest.mutable_object()->set_value(path);
+
+ LOG(INFO) << "Authorizing principal '"
+ << (principal.isSome() ? stringify(principal.get()) : "ANY")
+ << "' to GET the endpoint '" << path << "'";
+
+ return authorizer->authorized(authorizationRequest);
+ };
+
+ callbacks.insert(std::make_pair("/logging/toggle", getEndpoint));
+ callbacks.insert(std::make_pair("/metrics/snapshot", getEndpoint));
+
+ return callbacks;
+}
+
} // namespace authorization {
} // namespace mesos {
diff --git a/src/common/authorization.hpp b/src/common/authorization.hpp
index fb73f30..565d5ca 100644
--- a/src/common/authorization.hpp
+++ b/src/common/authorization.hpp
@@ -26,11 +26,14 @@
#include <process/future.hpp>
#include <process/http.hpp>
+#include <stout/hashset.hpp>
#include <stout/option.hpp>
namespace mesos {
namespace authorization {
+extern hashset<std::string> AUTHORIZABLE_ENDPOINTS;
+
// Collects authorization results. Any discarded or failed future
// results in a failure; any false future results in 'false'.
process::Future<bool> collectAuthorizations(
@@ -47,6 +50,9 @@ process::Future<bool> authorizeLogAccess(
const Option<Authorizer*>& authorizer,
const Option<process::http::authentication::Principal>& principal);
+const process::http::authorization::AuthorizationCallbacks
+ createAuthorizationCallbacks(Authorizer* authorizer);
+
} // namespace authorization {
} // namespace mesos {
diff --git a/src/common/http.cpp b/src/common/http.cpp
index 2be94b2..dcf3cb0 100644
--- a/src/common/http.cpp
+++ b/src/common/http.cpp
@@ -96,16 +96,6 @@ ostream& operator<<(ostream& stream, ContentType contentType)
namespace internal {
-// Set of endpoint whose access is protected with the authorization
-// action `GET_ENDPOINTS_WITH_PATH`.
-hashset<string> AUTHORIZABLE_ENDPOINTS{
- "/containers",
- "/files/debug",
- "/logging/toggle",
- "/metrics/snapshot",
- "/monitor/statistics"};
-
-
string serialize(
ContentType contentType,
const google::protobuf::Message& message)
@@ -877,48 +867,6 @@ static void json(JSON::StringWriter* writer, const Value::Text& text)
writer->set(text.value());
}
-const AuthorizationCallbacks createAuthorizationCallbacks(
- Authorizer* authorizer)
-{
- typedef lambda::function<process::Future<bool>(
- const process::http::Request& httpRequest,
- const Option<Principal>& principal)> Callback;
-
- AuthorizationCallbacks callbacks;
-
- Callback getEndpoint = [authorizer](
- const process::http::Request& httpRequest,
- const Option<Principal>& principal) -> process::Future<bool> {
- const string path = httpRequest.url.path;
-
- if (!internal::AUTHORIZABLE_ENDPOINTS.contains(path)) {
- return Failure(
- "Endpoint '" + path + "' is not an authorizable endpoint.");
- }
-
- authorization::Request authRequest;
- authRequest.set_action(mesos::authorization::GET_ENDPOINT_WITH_PATH);
-
- Option<authorization::Subject> subject =
- authorization::createSubject(principal);
- if (subject.isSome()) {
- authRequest.mutable_subject()->CopyFrom(subject.get());
- }
-
- authRequest.mutable_object()->set_value(path);
-
- LOG(INFO) << "Authorizing principal '"
- << (principal.isSome() ? stringify(principal.get()) : "ANY")
- << "' to GET the endpoint '" << path << "'";
-
- return authorizer->authorized(authRequest);
- };
-
- callbacks.insert(std::make_pair("/logging/toggle", getEndpoint));
- callbacks.insert(std::make_pair("/metrics/snapshot", getEndpoint));
-
- return callbacks;
-}
Future<Owned<ObjectApprovers>> ObjectApprovers::create(
const Option<Authorizer*>& authorizer,
@@ -978,7 +926,7 @@ process::Future<bool> authorizeEndpoint(
return Failure("Unexpected request method '" + method + "'");
}
- if (!internal::AUTHORIZABLE_ENDPOINTS.contains(endpoint)) {
+ if (!authorization::AUTHORIZABLE_ENDPOINTS.contains(endpoint)) {
return Failure(
"Endpoint '" + endpoint + "' is not an authorizable endpoint.");
}
diff --git a/src/common/http.hpp b/src/common/http.hpp
index a11ce3c..a0f9b67 100644
--- a/src/common/http.hpp
+++ b/src/common/http.hpp
@@ -81,8 +81,6 @@ constexpr char DEFAULT_BASIC_HTTP_AUTHENTICATEE[] = "basic";
// Name of the default, JWT authenticator.
constexpr char DEFAULT_JWT_HTTP_AUTHENTICATOR[] = "jwt";
-extern hashset<std::string> AUTHORIZABLE_ENDPOINTS;
-
// Contains the media types corresponding to some of the "Content-*",
// "Accept-*" and "Message-*" prefixed request headers in our internal
@@ -218,9 +216,6 @@ void json(
void json(JSON::ObjectWriter* writer, const Task& task);
void json(JSON::ObjectWriter* writer, const TaskStatus& status);
-const process::http::authorization::AuthorizationCallbacks
- createAuthorizationCallbacks(Authorizer* authorizer);
-
// Implementation of the `ObjectApprover` interface authorizing all objects.
class AcceptingObjectApprover : public ObjectApprover
diff --git a/src/master/main.cpp b/src/master/main.cpp
index 2c7b1bb..eeda534 100644
--- a/src/master/main.cpp
+++ b/src/master/main.cpp
@@ -59,6 +59,7 @@
#include <stout/try.hpp>
#include <stout/version.hpp>
+#include "common/authorization.hpp"
#include "common/build.hpp"
#include "common/http.hpp"
#include "common/protobuf_utils.hpp"
@@ -480,7 +481,7 @@ int main(int argc, char** argv)
// future it becomes possible to dynamically set the authorizer, this would
// break.
process::http::authorization::setCallbacks(
- createAuthorizationCallbacks(authorizer_.get()));
+ mesos::authorization::createAuthorizationCallbacks(authorizer_.get()));
}
Files files(READONLY_HTTP_AUTHENTICATION_REALM, authorizer_);
diff --git a/src/slave/main.cpp b/src/slave/main.cpp
index e774092..d1ce454 100644
--- a/src/slave/main.cpp
+++ b/src/slave/main.cpp
@@ -56,6 +56,7 @@
#include "authentication/executor/jwt_secret_generator.hpp"
#endif // USE_SSL_SOCKET
+#include "common/authorization.hpp"
#include "common/build.hpp"
#include "common/http.hpp"
@@ -527,7 +528,7 @@ int main(int argc, char** argv)
// future it becomes possible to dynamically set the authorizer, this would
// break.
process::http::authorization::setCallbacks(
- createAuthorizationCallbacks(authorizer_.get()));
+ mesos::authorization::createAuthorizationCallbacks(authorizer_.get()));
}
Files* files = new Files(READONLY_HTTP_AUTHENTICATION_REALM, authorizer_);
diff --git a/src/tests/cluster.cpp b/src/tests/cluster.cpp
index 2b351ca..4ad7c0b 100644
--- a/src/tests/cluster.cpp
+++ b/src/tests/cluster.cpp
@@ -70,6 +70,7 @@
#include "authorizer/local/authorizer.hpp"
+#include "common/authorization.hpp"
#include "common/http.hpp"
#include "files/files.hpp"
@@ -395,7 +396,7 @@ MasterInfo Master::getMasterInfo()
void Master::setAuthorizationCallbacks(Authorizer* authorizer)
{
process::http::authorization::setCallbacks(
- mesos::createAuthorizationCallbacks(authorizer));
+ authorization::createAuthorizationCallbacks(authorizer));
authorizationCallbacksSet = true;
}
@@ -703,7 +704,7 @@ Slave::~Slave()
void Slave::setAuthorizationCallbacks(Authorizer* authorizer)
{
process::http::authorization::setCallbacks(
- mesos::createAuthorizationCallbacks(authorizer));
+ authorization::createAuthorizationCallbacks(authorizer));
authorizationCallbacksSet = true;
}
diff --git a/src/tests/logging_tests.cpp b/src/tests/logging_tests.cpp
index 30bcdc7..e841ada 100644
--- a/src/tests/logging_tests.cpp
+++ b/src/tests/logging_tests.cpp
@@ -26,6 +26,7 @@
#include <process/pid.hpp>
#include <process/process.hpp>
+#include "common/authorization.hpp"
#include "common/http.hpp"
#include "logging/logging.hpp"
@@ -183,7 +184,7 @@ TEST_F(LoggingTest, ToggleAuthorizationEnabled)
// Set authorization callbacks for libprocess-level HTTP endpoints.
process::http::authorization::setCallbacks(
- createAuthorizationCallbacks(authorizer.get()));
+ authorization::createAuthorizationCallbacks(authorizer.get()));
process::PID<> pid;
pid.id = "logging";