Posted to commits@mesos.apache.org by vi...@apache.org on 2014/05/22 03:26:43 UTC
git commit: Integrate Authorizer into Master.
Repository: mesos
Updated Branches:
refs/heads/master b91cb092a -> 0dda82203
Integrate Authorizer into Master.
Review: https://reviews.apache.org/r/21723
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/0dda8220
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/0dda8220
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/0dda8220
Branch: refs/heads/master
Commit: 0dda8220396fbb788f25a0f08dd3ab39e6879bd9
Parents: b91cb09
Author: Vinod Kone <vi...@twitter.com>
Authored: Fri May 16 14:37:28 2014 -0700
Committer: Vinod Kone <vi...@twitter.com>
Committed: Wed May 21 18:25:25 2014 -0700
----------------------------------------------------------------------
src/authorizer/authorizer.hpp | 18 +++++++++++-------
src/master/flags.hpp | 26 ++++++++++++++++++++++++++
src/master/master.cpp | 12 ++++++++++++
src/master/master.hpp | 4 ++++
src/tests/mesos.cpp | 4 ++++
5 files changed, 57 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/0dda8220/src/authorizer/authorizer.hpp
----------------------------------------------------------------------
diff --git a/src/authorizer/authorizer.hpp b/src/authorizer/authorizer.hpp
index a8fde5a..b0d1eae 100644
--- a/src/authorizer/authorizer.hpp
+++ b/src/authorizer/authorizer.hpp
@@ -34,12 +34,11 @@
#include <stout/check.hpp>
#include <stout/hashmap.hpp>
#include <stout/hashset.hpp>
+#include <stout/protobuf.hpp>
#include <stout/try.hpp>
#include "mesos/mesos.hpp"
-#include "master/flags.hpp"
-
namespace mesos {
namespace internal {
@@ -52,8 +51,8 @@ class Authorizer
public:
virtual ~Authorizer() {}
- // Attempts to create an Authorizer based on the flags.
- static Try<process::Owned<Authorizer> > create(const master::Flags& flags);
+ // Attempts to create an Authorizer based on the ACLs.
+ static Try<process::Owned<Authorizer> > create(const JSON::Object& acls);
// Returns true if the ACL can be satisfied or false otherwise.
// A failed future indicates a transient failure and the user
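Review bot: The new declaration comment on `create` does not say what happens when the JSON does not describe an ACLs message, which is the behaviour change this commit introduces: the body (in the next hunk) now returns an Error from `protobuf::parse<ACLs>` instead of the old fall-back to an empty `ACLs()`, and the master exits on that error. Suggest expanding the comment to `// Attempts to create an Authorizer from ACLs given as a JSON object.` / `// The object must parse as an ACLs protobuf (see mesos.proto);` / `// otherwise an Error is returned rather than an empty/permissive ACL set.`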
@@ -277,11 +276,16 @@ private:
};
-Try<process::Owned<Authorizer> > Authorizer::create(const master::Flags& flags)
+Try<process::Owned<Authorizer> > Authorizer::create(const JSON::Object& acls_)
{
- // TODO(vinod): Parse "flags.acls" from JSON to "ACLs" protobuf.
+ // Convert ACLs from JSON to Protobuf.
+ Try<ACLs> acls = protobuf::parse<ACLs>(acls_);
+ if (acls.isError()) {
+ return Error("Invalid ACLs format: " + acls.error());
+ }
+
Try<process::Owned<LocalAuthorizer> > authorizer =
- LocalAuthorizer::create(ACLs());
+ LocalAuthorizer::create(acls.get());
if (authorizer.isError()) {
return Error(authorizer.error());
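Review bot: The two error paths in `Authorizer::create` are inconsistent: the parse failure is prefixed with `"Invalid ACLs format: "` while the `LocalAuthorizer::create` failure is propagated bare, so a startup failure logged by the master ("see --acls flag") does not say which stage rejected the ACLs. Suggest `return Error("Failed to create LocalAuthorizer: " + authorizer.error());` so the operator can distinguish a malformed document from an ACL set the authorizer itself refuses. Note that `protobuf::parse` is presumably the only validation performed here; whether unknown or missing fields are rejected or silently ignored depends on that helper and is not visible in this hunk. The function body continues past the end of the hunk.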
http://git-wip-us.apache.org/repos/asf/mesos/blob/0dda8220/src/master/flags.hpp
----------------------------------------------------------------------
diff --git a/src/master/flags.hpp b/src/master/flags.hpp
index db21ab0..e890227 100644
--- a/src/master/flags.hpp
+++ b/src/master/flags.hpp
@@ -23,6 +23,8 @@
#include <stout/duration.hpp>
#include <stout/flags.hpp>
+#include <stout/json.hpp>
+#include <stout/option.hpp>
#include "logging/flags.hpp"
@@ -204,6 +206,29 @@ public:
"Path to a file with a list of credentials.\n"
"Each line contains 'principal' and 'secret' separated by whitespace.\n"
"Path could be of the form 'file:///path/to/file' or '/path/to/file'.");
+
+ add(&Flags::acls,
+ "acls",
+ "The value could be a JSON formatted string of ACLs\n"
+ "or a file path containing the JSON formatted ACLs used\n"
+ "for authorization. Path could be of the form 'file:///path/to/file'\n"
+ "or '/path/to/file'.\n"
+ "\n"
+ "See the ACL protobuf in mesos.proto for the expected format.\n"
+ "\n"
+ "Example:\n"
+ "{\n"
+ " \"run_tasks\": [\n"
+ " {\n"
+ " \"principals\": { values: [\"foo\", \"bar\"] },\n"
+ " \"users\": { values: [\"root\"] }\n"
+ " },\n"
+ " {\n"
+ " \"principals\": { type: \"ANY\" },\n"
+ " \"users\": { values: [\"guest\"] }\n"
+ " }\n"
+ " ]\n"
+ "}");
}
bool version;
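Review bot: The example in the `--acls` help text is not valid JSON: the inner keys `values` and `type` are unquoted, so pasting the example as given would presumably fail to parse into the `JSON::Object` this flag is declared as, which is exactly the case a user reads the help for. The three affected lines should read `"      \"principals\": { \"values\": [\"foo\", \"bar\"] },\n"`, `"      \"users\": { \"values\": [\"root\"] }\n"` and `"      \"principals\": { \"type\": \"ANY\" },\n"`. It would also help to state in the help text that a document which does not parse as the ACLs protobuf makes the master refuse to start, since that is the behaviour wired up in master.cpp in this same commit.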
@@ -230,6 +255,7 @@ public:
bool authenticate_frameworks;
bool authenticate_slaves;
Option<std::string> credentials;
+ Option<JSON::Object> acls;
};
} // namespace mesos {
http://git-wip-us.apache.org/repos/asf/mesos/blob/0dda8220/src/master/master.cpp
----------------------------------------------------------------------
diff --git a/src/master/master.cpp b/src/master/master.cpp
index dc078de..e5d8edf 100644
--- a/src/master/master.cpp
+++ b/src/master/master.cpp
@@ -44,6 +44,8 @@
#include <stout/utils.hpp>
#include <stout/uuid.hpp>
+#include "authorizer/authorizer.hpp"
+
#include "sasl/authenticator.hpp"
#include "common/build.hpp"
@@ -334,6 +336,16 @@ void Master::initialize()
<< " (see --credentials flag)";
}
+ if (flags.acls.isSome()) {
+ LOG(INFO) << "Master enabling authorization";
+ Try<Owned<Authorizer> > authorizer_ = Authorizer::create(flags.acls.get());
+ if (authorizer_.isError()) {
+ EXIT(1) << "Failed to initialize the Authorizer: "
+ << authorizer_.error() << " (see --acls flag)";
+ }
+ authorizer = authorizer_.get();
+ }
+
hashmap<string, RoleInfo> roleInfos;
// Add the default role.
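Review bot: The new block in `Master::initialize` logs "Master enabling authorization" only when `--acls` is set; when the flag is absent nothing is logged, so an operator reading the master log cannot tell whether authorization is off or merely silent, which is the kind of misconfiguration that should be visible at startup. Suggest adding `} else {` / `LOG(INFO) << "Master not enabling authorization (--acls not specified)";` / `}` after the existing branch. The local `authorizer_` being copied into the `authorizer` member and then going out of scope is fine given `Owned` is a shared handle, but a short comment saying so would spare the next reader the check. `Master::initialize` begins and ends outside this hunk.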
http://git-wip-us.apache.org/repos/asf/mesos/blob/0dda8220/src/master/master.hpp
----------------------------------------------------------------------
diff --git a/src/master/master.hpp b/src/master/master.hpp
index 6f51ead..99c7063 100644
--- a/src/master/master.hpp
+++ b/src/master/master.hpp
@@ -72,6 +72,8 @@ namespace sasl {
class Authenticator;
}
+class Authorizer;
+
namespace master {
// Forward declarations.
@@ -457,6 +459,8 @@ private:
// Authenticated frameworks/slaves keyed by PID.
hashset<process::UPID> authenticated;
+ Option<process::Owned<Authorizer> > authorizer;
+
int64_t nextFrameworkId; // Used to give each framework a unique ID.
int64_t nextOfferId; // Used to give each slot offer a unique ID.
int64_t nextSlaveId; // Used to give each slave a unique ID.
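Review bot: The new `authorizer` member is the only field in this stretch without a comment, while its neighbours each carry one, and its `Option` wrapping encodes a security-relevant state that a reader of the header cannot recover without opening master.cpp. Suggest `// Set only when --acls is given (see Master::initialize);` / `// None means authorization is disabled for this master.` above the member.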
http://git-wip-us.apache.org/repos/asf/mesos/blob/0dda8220/src/tests/mesos.cpp
----------------------------------------------------------------------
diff --git a/src/tests/mesos.cpp b/src/tests/mesos.cpp
index 7e5e96a..3065ae3 100644
--- a/src/tests/mesos.cpp
+++ b/src/tests/mesos.cpp
@@ -20,6 +20,7 @@
#include <stout/check.hpp>
#include <stout/foreach.hpp>
+#include <stout/json.hpp>
#include <stout/os.hpp>
#include <stout/path.hpp>
#include <stout/result.hpp>
@@ -98,6 +99,9 @@ master::Flags MesosTest::CreateMasterFlags()
flags.credentials = "file://" + path;
+ // Set default ACLs.
+ flags.acls = JSON::Object();
+
// Use the replicated log (without ZooKeeper) by default.
flags.registry = "replicated_log";
flags.registry_strict = true;
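Review bot: The comment `// Set default ACLs.` is misleading: `JSON::Object()` is an empty document, so every test master now runs with the authorizer enabled but with no ACL entries at all, and whether that permits or denies requests depends on `LocalAuthorizer`'s defaults, which are not visible in this commit. Suggest `// Enable the authorizer in every test master with an empty ACL set; tests` / `// that need specific rules override flags.acls before starting the master.` so that a later reader does not take "default ACLs" to mean a curated rule set.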