You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mesos.apache.org by ji...@apache.org on 2015/12/03 00:17:07 UTC
[3/5] mesos git commit: Added
'Master::authorize(Un)reserveResources()' for Reserve/Unreserve.
Added 'Master::authorize(Un)reserveResources()' for Reserve/Unreserve.
Note: this review is continued from https://reviews.apache.org/r/37125/
Review: https://reviews.apache.org/r/39987
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/1ceb5732
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/1ceb5732
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/1ceb5732
Branch: refs/heads/master
Commit: 1ceb573226254b61ab6a7af35396e55e5a9cc8f6
Parents: a5af5f3
Author: Greg Mann <gr...@mesosphere.io>
Authored: Wed Dec 2 12:10:24 2015 -0800
Committer: Jie Yu <yu...@gmail.com>
Committed: Wed Dec 2 15:06:52 2015 -0800
----------------------------------------------------------------------
src/master/master.cpp | 64 ++++++++++++++++++++++++++++++++++++++++++++++
src/master/master.hpp | 42 ++++++++++++++++++++++++++++++
2 files changed, 106 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/1ceb5732/src/master/master.cpp
----------------------------------------------------------------------
diff --git a/src/master/master.cpp b/src/master/master.cpp
index 2d6e14e..5f912f8 100644
--- a/src/master/master.cpp
+++ b/src/master/master.cpp
@@ -2756,6 +2756,70 @@ Future<bool> Master::authorizeTask(
}
+Future<bool> Master::authorizeReserveResources(
+ const Offer::Operation::Reserve& reserve,
+ const Option<string>& principal)
+{
+ if (authorizer.isNone()) {
+ return true; // Authorization is disabled.
+ }
+
+ mesos::ACL::ReserveResources request;
+
+ if (principal.isSome()) {
+ request.mutable_principals()->add_values(principal.get());
+ } else {
+ request.mutable_principals()->set_type(ACL::Entity::ANY);
+ }
+
+ // TODO(mpark): Determine what kinds of constraints we may want to
+ // enforce on resources. Currently, we simply use ANY.
+ request.mutable_resources()->set_type(ACL::Entity::ANY);
+
+ LOG(INFO) << "Authorizing principal '"
+ << (principal.isSome() ? principal.get() : "ANY")
+ << "' to reserve resources '" << reserve.resources() << "'";
+
+ return authorizer.get()->authorize(request);
+}
+
+
+Future<bool> Master::authorizeUnreserveResources(
+ const Offer::Operation::Unreserve& unreserve,
+ const Option<string>& principal)
+{
+ if (authorizer.isNone()) {
+ return true; // Authorization is disabled.
+ }
+
+ mesos::ACL::UnreserveResources request;
+
+ if (principal.isSome()) {
+ request.mutable_principals()->add_values(principal.get());
+ } else {
+ request.mutable_principals()->set_type(ACL::Entity::ANY);
+ }
+
+ foreach (const Resource& resource, unreserve.resources()) {
+ // NOTE: Since validation of this operation is performed after
+ // authorization, we must check here that this resource is
+ // dynamically reserved. If it isn't, the error will be caught
+ // during validation.
+ if (Resources::isDynamicallyReserved(resource)) {
+ request.mutable_reserver_principals()->add_values(
+ resource.reservation().principal());
+ }
+ }
+
+ LOG(INFO)
+ << "Authorizing principal '"
+ << (principal.isSome() ? principal.get() : "ANY")
+ << "' to unreserve resources '" << unreserve.resources() << "'";
+
+ return authorizer.get()->authorize(request);
+}
+
+
Resources Master::addTask(
const TaskInfo& task,
Framework* framework,
http://git-wip-us.apache.org/repos/asf/mesos/blob/1ceb5732/src/master/master.hpp
----------------------------------------------------------------------
diff --git a/src/master/master.hpp b/src/master/master.hpp
index d827294..4683fa5 100644
--- a/src/master/master.hpp
+++ b/src/master/master.hpp
@@ -683,6 +683,48 @@ protected:
const TaskInfo& task,
Framework* framework);
+ /**
+ * Authorizes a `RESERVE` offer operation.
+ *
+ * Returns whether the Reserve operation is authorized with the
+ * provided principal. This function is used for authorization of
+ * operations originating from both frameworks and operators. Note
+ * that operations may be validated AFTER authorization, so it's
+ * possible that `reserve` could be malformed.
+ *
+ * @param reserve The `RESERVE` operation to be performed.
+ * @param principal An `Option` containing the principal attempting
+ * this operation.
+ *
+ * @return A `Future` containing a boolean value representing the
+ * success or failure of this authorization. A failed `Future`
+ * implies that validation of the operation did not succeed.
+ */
+ process::Future<bool> authorizeReserveResources(
+ const Offer::Operation::Reserve& reserve,
+ const Option<std::string>& principal);
+
+ /**
+ * Authorizes an `UNRESERVE` offer operation.
+ *
+ * Returns whether the Unreserve operation is authorized with the
+ * provided principal. This function is used for authorization of
+ * operations originating both from frameworks and operators. Note
+ * that operations may be validated AFTER authorization, so it's
+ * possible that `unreserve` could be malformed.
+ *
+ * @param unreserve The `UNRESERVE` operation to be performed.
+ * @param principal An `Option` containing the principal attempting
+ * this operation.
+ *
+ * @return A `Future` containing a boolean value representing the
+ * success or failure of this authorization. A failed `Future`
+ * implies that validation of the operation did not succeed.
+ */
+ process::Future<bool> authorizeUnreserveResources(
+ const Offer::Operation::Unreserve& unreserve,
+ const Option<std::string>& principal);
+
// Add the task and its executor (if not already running) to the
// framework and slave. Returns the resources consumed as a result,
// which includes resources for the task and its executor