Posted to commits@mesos.apache.org by vi...@apache.org on 2014/05/22 03:26:43 UTC

git commit: Integrate Authorizer into Master.

Repository: mesos
Updated Branches:
  refs/heads/master b91cb092a -> 0dda82203


Integrate Authorizer into Master.

Review: https://reviews.apache.org/r/21723


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/0dda8220
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/0dda8220
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/0dda8220

Branch: refs/heads/master
Commit: 0dda8220396fbb788f25a0f08dd3ab39e6879bd9
Parents: b91cb09
Author: Vinod Kone <vi...@twitter.com>
Authored: Fri May 16 14:37:28 2014 -0700
Committer: Vinod Kone <vi...@twitter.com>
Committed: Wed May 21 18:25:25 2014 -0700

----------------------------------------------------------------------
 src/authorizer/authorizer.hpp | 18 +++++++++++-------
 src/master/flags.hpp          | 26 ++++++++++++++++++++++++++
 src/master/master.cpp         | 12 ++++++++++++
 src/master/master.hpp         |  4 ++++
 src/tests/mesos.cpp           |  4 ++++
 5 files changed, 57 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/0dda8220/src/authorizer/authorizer.hpp
----------------------------------------------------------------------
diff --git a/src/authorizer/authorizer.hpp b/src/authorizer/authorizer.hpp
index a8fde5a..b0d1eae 100644
--- a/src/authorizer/authorizer.hpp
+++ b/src/authorizer/authorizer.hpp
@@ -34,12 +34,11 @@
 #include <stout/check.hpp>
 #include <stout/hashmap.hpp>
 #include <stout/hashset.hpp>
+#include <stout/protobuf.hpp>
 #include <stout/try.hpp>
 
 #include "mesos/mesos.hpp"
 
-#include "master/flags.hpp"
-
 namespace mesos {
 namespace internal {
 
@@ -52,8 +51,8 @@ class Authorizer
 public:
   virtual ~Authorizer() {}
 
-  // Attempts to create an Authorizer based on the flags.
-  static Try<process::Owned<Authorizer> > create(const master::Flags& flags);
+  // Attempts to create an Authorizer based on the ACLs.
+  static Try<process::Owned<Authorizer> > create(const JSON::Object& acls);
 
   // Returns true if the ACL can be satisfied or false otherwise.
   // A failed future indicates a transient failure and the user
@@ -277,11 +276,16 @@ private:
 };
 
 
-Try<process::Owned<Authorizer> > Authorizer::create(const master::Flags& flags)
+Try<process::Owned<Authorizer> > Authorizer::create(const JSON::Object& acls_)
 {
-  // TODO(vinod): Parse "flags.acls" from JSON to "ACLs" protobuf.
+  // Convert ACLs from JSON to Protobuf.
+  Try<ACLs> acls = protobuf::parse<ACLs>(acls_);
+  if (acls.isError()) {
+    return Error("Invalid ACLs format: " + acls.error());
+  }
+
   Try<process::Owned<LocalAuthorizer> > authorizer =
-    LocalAuthorizer::create(ACLs());
+    LocalAuthorizer::create(acls.get());
 
   if (authorizer.isError()) {
     return Error(authorizer.error());
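Review bot: A mistyped or unsupported key in the supplied ACL JSON (say `run_task` for `run_tasks`) is silently dropped if `protobuf::parse<ACLs>` ignores unknown fields, which would turn a typo in an operator's ACL file into a more permissive policy than was written; whether the parser is strict is not visible here, so `create` should document the behaviour it relies on and, if parsing is lenient, reject or at least log unrecognized keys before handing `acls.get()` to `LocalAuthorizer::create`. A comment such as `// NOTE: unknown JSON keys are ignored by protobuf::parse — a typo silently loosens the policy; confirm before relying on this.` would flag it until that is settled. Separately, `Authorizer::create` is a static member defined in a header without `inline`, and this commit adds a new `#include "authorizer/authorizer.hpp"` in master.cpp, so if any other translation unit also includes the header the definition is duplicated at link time; marking it `inline` (or moving it to a .cpp) avoids that. The function body continues past the end of the hunk.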

http://git-wip-us.apache.org/repos/asf/mesos/blob/0dda8220/src/master/flags.hpp
----------------------------------------------------------------------
diff --git a/src/master/flags.hpp b/src/master/flags.hpp
index db21ab0..e890227 100644
--- a/src/master/flags.hpp
+++ b/src/master/flags.hpp
@@ -23,6 +23,8 @@
 
 #include <stout/duration.hpp>
 #include <stout/flags.hpp>
+#include <stout/json.hpp>
+#include <stout/option.hpp>
 
 #include "logging/flags.hpp"
 
@@ -204,6 +206,29 @@ public:
         "Path to a file with a list of credentials.\n"
         "Each line contains 'principal' and 'secret' separated by whitespace.\n"
         "Path could be of the form 'file:///path/to/file' or '/path/to/file'.");
+
+    add(&Flags::acls,
+        "acls",
+        "The value could be a JSON formatted string of ACLs\n"
+        "or a file path containing the JSON formatted ACLs used\n"
+        "for authorization. Path could be of the form 'file:///path/to/file'\n"
+        "or '/path/to/file'.\n"
+        "\n"
+        "See the ACL protobuf in mesos.proto for the expected format.\n"
+        "\n"
+        "Example:\n"
+        "{\n"
+        "  \"run_tasks\": [\n"
+        "                  {\n"
+        "                     \"principals\": { values: [\"foo\", \"bar\"] },\n"
+        "                     \"users\": { values: [\"root\"] }\n"
+        "                  },\n"
+        "                  {\n"
+        "                     \"principals\": { type: \"ANY\" },\n"
+        "                     \"users\": { values: [\"guest\"] }\n"
+        "                  }\n"
+        "                ]\n"
+        "}");
   }
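Review bot: The example in the `--acls` help text is not valid JSON: the inner keys `values` and `type` are unquoted (`{ values: [\"foo\", \"bar\"] }`, `{ type: \"ANY\" }`) while the same text says the value must be a JSON formatted string, so an operator who copies the example into a file will get a parse failure at startup. Quote them, e.g. `\"principals\": { \"values\": [\"foo\", \"bar\"] },` and `\"principals\": { \"type\": \"ANY\" },` (and likewise for the two `users` entries). The help should also state what happens when the flag is omitted; from the master.cpp change in this commit no authorizer is created in that case, so a line such as `"If not specified, authorization is not enabled.\n"` tells operators that an absent flag means no ACL enforcement rather than an implicit default policy.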
 
   bool version;
@@ -230,6 +255,7 @@ public:
   bool authenticate_frameworks;
   bool authenticate_slaves;
   Option<std::string> credentials;
+  Option<JSON::Object> acls;
 };
 
 } // namespace mesos {

http://git-wip-us.apache.org/repos/asf/mesos/blob/0dda8220/src/master/master.cpp
----------------------------------------------------------------------
diff --git a/src/master/master.cpp b/src/master/master.cpp
index dc078de..e5d8edf 100644
--- a/src/master/master.cpp
+++ b/src/master/master.cpp
@@ -44,6 +44,8 @@
 #include <stout/utils.hpp>
 #include <stout/uuid.hpp>
 
+#include "authorizer/authorizer.hpp"
+
 #include "sasl/authenticator.hpp"
 
 #include "common/build.hpp"
@@ -334,6 +336,16 @@ void Master::initialize()
             << " (see --credentials flag)";
   }
 
+  if (flags.acls.isSome()) {
+    LOG(INFO) << "Master enabling authorization";
+    Try<Owned<Authorizer> > authorizer_ = Authorizer::create(flags.acls.get());
+    if (authorizer_.isError()) {
+      EXIT(1) << "Failed to initialize the Authorizer: "
+              << authorizer_.error() << " (see --acls flag)";
+    }
+    authorizer = authorizer_.get();
+  }
+
   hashmap<string, RoleInfo> roleInfos;
 
   // Add the default role.
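Review bot: When `--acls` is not given nothing records that authorization is off, and `LOG(INFO) << "Master enabling authorization";` is emitted before `Authorizer::create` has succeeded, so a failed start logs "enabling" immediately followed by the EXIT. Move that log after `authorizer = authorizer_.get();` and add an else branch such as `LOG(INFO) << "Authorization disabled: no --acls flag given";` so operators can see from the master log whether ACLs are in force. Per the diffstat, master.cpp changes only in this hunk and the include, so the stored `authorizer` is not consulted anywhere in this commit; until the framework registration and task launch paths call it, `--acls` parses the ACLs but enforces nothing, which is worth stating in the commit message or flag help to avoid a false sense of coverage. `Master::initialize()` begins and ends outside the hunk.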

http://git-wip-us.apache.org/repos/asf/mesos/blob/0dda8220/src/master/master.hpp
----------------------------------------------------------------------
diff --git a/src/master/master.hpp b/src/master/master.hpp
index 6f51ead..99c7063 100644
--- a/src/master/master.hpp
+++ b/src/master/master.hpp
@@ -72,6 +72,8 @@ namespace sasl {
 class Authenticator;
 }
 
+class Authorizer;
+
 namespace master {
 
 // Forward declarations.
@@ -457,6 +459,8 @@ private:
   // Authenticated frameworks/slaves keyed by PID.
   hashset<process::UPID> authenticated;
 
+  Option<process::Owned<Authorizer> > authorizer;
+
   int64_t nextFrameworkId; // Used to give each framework a unique ID.
   int64_t nextOfferId;     // Used to give each slot offer a unique ID.
   int64_t nextSlaveId;     // Used to give each slave a unique ID.
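Review bot: The new `authorizer` member carries no comment, unlike the neighbouring `authenticated` set, and its `Option` wrapper encodes a security-relevant state that a reader of the header cannot otherwise see; add above it `// Authorizer built from the --acls flag; None when the flag was not given, in which case no authorization is performed.` The enclosing class continues outside the hunk.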

http://git-wip-us.apache.org/repos/asf/mesos/blob/0dda8220/src/tests/mesos.cpp
----------------------------------------------------------------------
diff --git a/src/tests/mesos.cpp b/src/tests/mesos.cpp
index 7e5e96a..3065ae3 100644
--- a/src/tests/mesos.cpp
+++ b/src/tests/mesos.cpp
@@ -20,6 +20,7 @@
 
 #include <stout/check.hpp>
 #include <stout/foreach.hpp>
+#include <stout/json.hpp>
 #include <stout/os.hpp>
 #include <stout/path.hpp>
 #include <stout/result.hpp>
@@ -98,6 +99,9 @@ master::Flags MesosTest::CreateMasterFlags()
 
   flags.credentials = "file://" + path;
 
+  // Set default ACLs.
+  flags.acls = JSON::Object();
+
   // Use the replicated log (without ZooKeeper) by default.
   flags.registry = "replicated_log";
   flags.registry_strict = true;
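Review bot: `flags.acls = JSON::Object();` turns authorization on for every test master with an empty rule set, and the comment `// Set default ACLs.` does not say whether empty ACLs permit or deny by default, which decides whether the existing tests now pass through the authorizer or are rejected by it; the LocalAuthorizer semantics are not visible here, so the comment should state them once confirmed, e.g. `// Enable authorization with an empty ACL set (LocalAuthorizer treats no matching rule as permit — confirm).` If the default is deny, a test that needs to run tasks will fail without an explicit rule, and a test-specific ACL fixture would be the better default. `CreateMasterFlags()` continues past the end of the hunk.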