[3/5] mesos git commit: Added 'Master::authorize(Un)reserveResources()' for Reserve/Unreserve.

[ji...@apache.org]

Added 'Master::authorize(Un)reserveResources()' for Reserve/Unreserve.

Note: this review is continued from https://reviews.apache.org/r/37125/

Review: https://reviews.apache.org/r/39987


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/1ceb5732
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/1ceb5732
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/1ceb5732

Branch: refs/heads/master
Commit: 1ceb573226254b61ab6a7af35396e55e5a9cc8f6
Parents: a5af5f3
Author: Greg Mann <gr...@mesosphere.io>
Authored: Wed Dec 2 12:10:24 2015 -0800
Committer: Jie Yu <yu...@gmail.com>
Committed: Wed Dec 2 15:06:52 2015 -0800

----------------------------------------------------------------------
 src/master/master.cpp | 64 ++++++++++++++++++++++++++++++++++++++++++++++
 src/master/master.hpp | 42 ++++++++++++++++++++++++++++++
 2 files changed, 106 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/1ceb5732/src/master/master.cpp
----------------------------------------------------------------------
diff --git a/src/master/master.cpp b/src/master/master.cpp
index 2d6e14e..5f912f8 100644
--- a/src/master/master.cpp
+++ b/src/master/master.cpp
@@ -2756,6 +2756,70 @@ Future<bool> Master::authorizeTask(
 }
 
 
+Future<bool> Master::authorizeReserveResources(
+    const Offer::Operation::Reserve& reserve,
+    const Option<string>& principal)
+{
+  if (authorizer.isNone()) {
+    return true; // Authorization is disabled.
+  }
+
+  mesos::ACL::ReserveResources request;
+
+  if (principal.isSome()) {
+    request.mutable_principals()->add_values(principal.get());
+  } else {
+    request.mutable_principals()->set_type(ACL::Entity::ANY);
+  }
+
+  // TODO(mpark): Determine what kinds of constraints we may want to
+  // enforce on resources. Currently, we simply use ANY.
+  request.mutable_resources()->set_type(ACL::Entity::ANY);
+
+  LOG(INFO) << "Authorizing principal '"
+            << (principal.isSome() ? principal.get() : "ANY")
+            << "' to reserve resources '" << reserve.resources() << "'";
+
+  return authorizer.get()->authorize(request);
+}
+
+
+Future<bool> Master::authorizeUnreserveResources(
+    const Offer::Operation::Unreserve& unreserve,
+    const Option<string>& principal)
+{
+  if (authorizer.isNone()) {
+    return true; // Authorization is disabled.
+  }
+
+  mesos::ACL::UnreserveResources request;
+
+  if (principal.isSome()) {
+    request.mutable_principals()->add_values(principal.get());
+  } else {
+    request.mutable_principals()->set_type(ACL::Entity::ANY);
+  }
+
+  foreach (const Resource& resource, unreserve.resources()) {
+    // NOTE: Since validation of this operation is performed after
+    // authorization, we must check here that this resource is
+    // dynamically reserved. If it isn't, the error will be caught
+    // during validation.
+    if (Resources::isDynamicallyReserved(resource)) {
+      request.mutable_reserver_principals()->add_values(
+          resource.reservation().principal());
+    }
+  }
+
+  LOG(INFO)
+    << "Authorizing principal '"
+    << (principal.isSome() ? principal.get() : "ANY")
+    << "' to unreserve resources '" << unreserve.resources() << "'";
+
+  return authorizer.get()->authorize(request);
+}
+
+
 Resources Master::addTask(
     const TaskInfo& task,
     Framework* framework,

http://git-wip-us.apache.org/repos/asf/mesos/blob/1ceb5732/src/master/master.hpp
----------------------------------------------------------------------
diff --git a/src/master/master.hpp b/src/master/master.hpp
index d827294..4683fa5 100644
--- a/src/master/master.hpp
+++ b/src/master/master.hpp
@@ -683,6 +683,48 @@ protected:
       const TaskInfo& task,
       Framework* framework);
 
+  /**
+   * Authorizes a `RESERVE` offer operation.
+   *
+   * Returns whether the Reserve operation is authorized with the
+   * provided principal. This function is used for authorization of
+   * operations originating from both frameworks and operators. Note
+   * that operations may be validated AFTER authorization, so it's
+   * possible that `reserve` could be malformed.
+   *
+   * @param reserve The `RESERVE` operation to be performed.
+   * @param principal An `Option` containing the principal attempting
+   *     this operation.
+   *
+   * @return A `Future` containing a boolean value representing the
+   *     success or failure of this authorization. A failed `Future`
+   *     implies that validation of the operation did not succeed.
+   */
+  process::Future<bool> authorizeReserveResources(
+      const Offer::Operation::Reserve& reserve,
+      const Option<std::string>& principal);
+
+  /**
+   * Authorizes an `UNRESERVE` offer operation.
+   *
+   * Returns whether the Unreserve operation is authorized with the
+   * provided principal. This function is used for authorization of
+   * operations originating both from frameworks and operators. Note
+   * that operations may be validated AFTER authorization, so it's
+   * possible that `unreserve` could be malformed.
+   *
+   * @param unreserve The `UNRESERVE` operation to be performed.
+   * @param principal An `Option` containing the principal attempting
+   *     this operation.
+   *
+   * @return A `Future` containing a boolean value representing the
+   *     success or failure of this authorization. A failed `Future`
+   *     implies that validation of the operation did not succeed.
+   */
+  process::Future<bool> authorizeUnreserveResources(
+      const Offer::Operation::Unreserve& unreserve,
+      const Option<std::string>& principal);
+
   // Add the task and its executor (if not already running) to the
   // framework and slave. Returns the resources consumed as a result,
   // which includes resources for the task and its executor