You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mesos.apache.org by me...@apache.org on 2016/12/14 03:37:22 UTC
[2/4] mesos git commit: Enabled fine grained authorization for the
getContainers API Call.
Enabled fine grained authorization for the getContainers API Call.
Enables fine grained authorization for the v1 API call `GET_CONTAINERS`.
Review: https://reviews.apache.org/r/54538/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/982abdb5
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/982abdb5
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/982abdb5
Branch: refs/heads/master
Commit: 982abdb591f87ccf1748a735af4e2a8a84ab4dbe
Parents: 9ec8b5e
Author: Alexander Rojas <al...@mesosphere.io>
Authored: Tue Dec 13 17:28:12 2016 -0800
Committer: Adam B <ad...@mesosphere.io>
Committed: Tue Dec 13 17:28:24 2016 -0800
----------------------------------------------------------------------
src/slave/http.cpp | 148 ++++++++++++++++++++++++++++++++---------------
src/slave/slave.hpp | 6 +-
2 files changed, 105 insertions(+), 49 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/982abdb5/src/slave/http.cpp
----------------------------------------------------------------------
diff --git a/src/slave/http.cpp b/src/slave/http.cpp
index 8a71ead..0210379 100644
--- a/src/slave/http.cpp
+++ b/src/slave/http.cpp
@@ -1810,12 +1810,12 @@ Future<Response> Slave::Http::containers(
principal)
.then(defer(
slave->self(),
- [this, request](bool authorized) -> Future<Response> {
+ [this, request, principal](bool authorized) -> Future<Response> {
if (!authorized) {
return Forbidden();
}
- return _containers(request);
+ return _containers(request, principal);
}));
}
@@ -1823,54 +1823,90 @@ Future<Response> Slave::Http::containers(
Future<Response> Slave::Http::getContainers(
const agent::Call& call,
ContentType acceptType,
- const Option<string>& printcipal) const
+ const Option<string>& principal) const
{
CHECK_EQ(agent::Call::GET_CONTAINERS, call.type());
- return __containers()
- .then([acceptType](const Future<JSON::Array>& result)
- -> Future<Response> {
- if (!result.isReady()) {
- LOG(WARNING) << "Could not collect container status and statistics: "
- << (result.isFailed()
- ? result.failure()
- : "Discarded");
- return result.isFailed()
- ? InternalServerError(result.failure())
- : InternalServerError();
- }
+ Future<Owned<ObjectApprover>> approver;
- return OK(
- serialize(
- acceptType,
- evolve<v1::agent::Response::GET_CONTAINERS>(result.get())),
- stringify(acceptType));
- });
+ if (slave->authorizer.isSome()) {
+ authorization::Subject subject;
+ if (principal.isSome()) {
+ subject.set_value(principal.get());
+ }
+
+ approver = slave->authorizer.get()->getObjectApprover(
+ subject, authorization::VIEW_CONTAINER);
+ } else {
+ approver = Owned<ObjectApprover>(new AcceptingObjectApprover());
+ }
+
+ return approver.then(defer(slave->self(), [this](
+ const Owned<ObjectApprover>& approver) {
+ return __containers(approver);
+ })).then([acceptType](const Future<JSON::Array>& result)
+ -> Future<Response> {
+ if (!result.isReady()) {
+ LOG(WARNING) << "Could not collect container status and statistics: "
+ << (result.isFailed()
+ ? result.failure()
+ : "Discarded");
+ return result.isFailed()
+ ? InternalServerError(result.failure())
+ : InternalServerError();
+ }
+
+ return OK(
+ serialize(
+ acceptType,
+ evolve<v1::agent::Response::GET_CONTAINERS>(result.get())),
+ stringify(acceptType));
+ });
}
-Future<Response> Slave::Http::_containers(const Request& request) const
+Future<Response> Slave::Http::_containers(
+ const Request& request,
+ const Option<string>& principal) const
{
- return __containers()
- .then([request](const Future<JSON::Array>& result) -> Future<Response> {
- if (!result.isReady()) {
- LOG(WARNING) << "Could not collect container status and statistics: "
- << (result.isFailed()
- ? result.failure()
- : "Discarded");
-
- return result.isFailed()
- ? InternalServerError(result.failure())
- : InternalServerError();
- }
+ Future<Owned<ObjectApprover>> approver;
- return process::http::OK(
- result.get(), request.url.query.get("jsonp"));
- });
+ if (slave->authorizer.isSome()) {
+ authorization::Subject subject;
+ if (principal.isSome()) {
+ subject.set_value(principal.get());
+ }
+
+ approver = slave->authorizer.get()->getObjectApprover(
+ subject, authorization::VIEW_CONTAINER);
+ } else {
+ approver = Owned<ObjectApprover>(new AcceptingObjectApprover());
+ }
+
+ return approver.then(defer(slave->self(), [this](
+ const Owned<ObjectApprover>& approver) {
+ return __containers(approver);
+ }))
+ .then([request](const Future<JSON::Array>& result) -> Future<Response> {
+ if (!result.isReady()) {
+ LOG(WARNING) << "Could not collect container status and statistics: "
+ << (result.isFailed()
+ ? result.failure()
+ : "Discarded");
+
+ return result.isFailed()
+ ? InternalServerError(result.failure())
+ : InternalServerError();
+ }
+
+ return process::http::OK(
+ result.get(), request.url.query.get("jsonp"));
+ });
}
-Future<JSON::Array> Slave::Http::__containers() const
+Future<JSON::Array> Slave::Http::__containers(
+ Option<Owned<ObjectApprover>> approver) const
{
Owned<list<JSON::Object>> metadata(new list<JSON::Object>());
list<Future<ContainerStatus>> statusFutures;
@@ -1887,16 +1923,34 @@ Future<JSON::Array> Slave::Http::__containers() const
const ExecutorInfo& info = executor->info;
const ContainerID& containerId = executor->containerId;
- JSON::Object entry;
- entry.values["framework_id"] = info.framework_id().value();
- entry.values["executor_id"] = info.executor_id().value();
- entry.values["executor_name"] = info.name();
- entry.values["source"] = info.source();
- entry.values["container_id"] = containerId.value();
+ Try<bool> authorized = true;
- metadata->push_back(entry);
- statusFutures.push_back(slave->containerizer->status(containerId));
- statsFutures.push_back(slave->containerizer->usage(containerId));
+ if (approver.isSome()) {
+ ObjectApprover::Object object;
+ object.executor_info = &info;
+ object.framework_info = &(framework->info);
+
+ authorized = approver.get()->approved(object);
+
+ if (authorized.isError()) {
+ LOG(WARNING) << "Error during ViewContainer authorization: "
+ << authorized.error();
+ authorized = false;
+ }
+ }
+
+ if (authorized.get()) {
+ JSON::Object entry;
+ entry.values["framework_id"] = info.framework_id().value();
+ entry.values["executor_id"] = info.executor_id().value();
+ entry.values["executor_name"] = info.name();
+ entry.values["source"] = info.source();
+ entry.values["container_id"] = containerId.value();
+
+ metadata->push_back(entry);
+ statusFutures.push_back(slave->containerizer->status(containerId));
+ statsFutures.push_back(slave->containerizer->usage(containerId));
+ }
}
}
http://git-wip-us.apache.org/repos/asf/mesos/blob/982abdb5/src/slave/slave.hpp
----------------------------------------------------------------------
diff --git a/src/slave/slave.hpp b/src/slave/slave.hpp
index 059eb77..be72ba9 100644
--- a/src/slave/slave.hpp
+++ b/src/slave/slave.hpp
@@ -545,10 +545,12 @@ private:
// Continuation for `/containers` endpoint
process::Future<process::http::Response> _containers(
- const process::http::Request& request) const;
+ const process::http::Request& request,
+ const Option<std::string>& principal) const;
// Helper function to collect containers status and resource statistics.
- process::Future<JSON::Array> __containers() const;
+ process::Future<JSON::Array> __containers(
+ Option<process::Owned<ObjectApprover>> approver) const;
// Helper routines for endpoint authorization.
Try<std::string> extractEndpoint(const process::http::URL& url) const;