Posted to commits@mesos.apache.org by ti...@apache.org on 2015/06/08 15:43:02 UTC
[2/2] mesos git commit: Added a flag which controls libprocess
firewall initialzation.
Added a flag which controls libprocess firewall initialization.
Review: https://reviews.apache.org/r/33296
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/3ef08faf
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/3ef08faf
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/3ef08faf
Branch: refs/heads/master
Commit: 3ef08fafd16909310b1b15b25168061c409b2144
Parents: 70c75c0
Author: Alexander Rojas <al...@mesosphere.io>
Authored: Mon Jun 8 14:17:58 2015 +0200
Committer: Till Toenshoff <to...@me.com>
Committed: Mon Jun 8 14:17:58 2015 +0200
----------------------------------------------------------------------
docs/configuration.md | 23 +++++++++++++++
src/Makefile.am | 8 ++++++
src/master/flags.cpp | 19 +++++++++++++
src/master/flags.hpp | 3 ++
src/master/main.cpp | 21 ++++++++++++++
src/messages/flags.hpp | 65 +++++++++++++++++++++++++++++++++++++++++++
src/messages/flags.proto | 31 +++++++++++++++++++++
src/slave/flags.cpp | 19 +++++++++++++
src/slave/flags.hpp | 3 ++
src/slave/main.cpp | 23 +++++++++++++++
10 files changed, 215 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/3ef08faf/docs/configuration.md
----------------------------------------------------------------------
diff --git a/docs/configuration.md b/docs/configuration.md
index 7d6e786..aaf65bf 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -42,6 +42,29 @@ If you have special compilation requirements, please refer to `./configure --hel
</tr>
<tr>
<td>
+ --firewall_rules=VALUE
+ </td>
+ <td>
+ The value could be a JSON formatted string of rules or a file path
+ containing the JSON formated rules used in the endpoints firewall. Path
+ could be of the form <code>file:///path/to/file</code> or
+ <code>/path/to/file</code>.
+ <p/>
+ See the Firewall message in flags.proto for the expected format.
+ <p/>
+ Example:
+<pre><code>{
+ "disabled_endpoints" : {
+ "paths" : [
+ "/files/browse.json",
+ "/slave(0)/stats.json",
+ ]
+ }
+}</code></pre>
+ </td>
+ </tr>
+ <tr>
+ <td>
--[no-]help
</td>
<td>
http://git-wip-us.apache.org/repos/asf/mesos/blob/3ef08faf/src/Makefile.am
----------------------------------------------------------------------
diff --git a/src/Makefile.am b/src/Makefile.am
index ec7f41f..10b1902 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -195,6 +195,11 @@ PYTHON_PROTOS = \
BUILT_SOURCES += $(CXX_PROTOS) $(JAVA_PROTOS) $(PYTHON_PROTOS)
CLEANFILES += $(CXX_PROTOS) $(JAVA_PROTOS) $(PYTHON_PROTOS)
+FLAGS_PROTOS = messages/flags.pb.cc messages/flags.pb.h
+
+BUILT_SOURCES += $(FLAGS_PROTOS)
+CLEANFILES += $(FLAGS_PROTOS)
+
MESSAGES_PROTOS = messages/messages.pb.cc messages/messages.pb.h
BUILT_SOURCES += $(MESSAGES_PROTOS)
@@ -335,6 +340,7 @@ noinst_LTLIBRARIES += libmesos_no_3rdparty.la
nodist_libmesos_no_3rdparty_la_SOURCES = \
$(CXX_PROTOS) \
+ $(FLAGS_PROTOS) \
$(MESSAGES_PROTOS) \
$(REGISTRY_PROTOS)
@@ -413,6 +419,7 @@ libmesos_no_3rdparty_la_SOURCES = \
zookeeper/zookeeper.cpp \
zookeeper/authentication.cpp \
zookeeper/group.cpp \
+ messages/flags.proto \
messages/messages.proto
pkginclude_HEADERS = \
@@ -605,6 +612,7 @@ libmesos_no_3rdparty_la_SOURCES += \
master/allocator/mesos/hierarchical.hpp \
master/allocator/sorter/drf/sorter.hpp \
master/allocator/sorter/sorter.hpp \
+ messages/flags.hpp \
messages/messages.hpp \
module/manager.hpp \
sched/constants.hpp \
http://git-wip-us.apache.org/repos/asf/mesos/blob/3ef08faf/src/master/flags.cpp
----------------------------------------------------------------------
diff --git a/src/master/flags.cpp b/src/master/flags.cpp
index 49d953a..4377715 100644
--- a/src/master/flags.cpp
+++ b/src/master/flags.cpp
@@ -251,6 +251,25 @@ mesos::internal::master::Flags::Flags()
" ]\n"
"}");
+ add(&Flags::firewall_rules,
+ "firewall_rules",
+ "The value could be a JSON formatted string of rules or a\n"
+ "file path containing the JSON formated rules used in the endpoints\n"
+ "firewall. Path must be of the form 'file:///path/to/file'\n"
+ "or '/path/to/file'.\n"
+ "\n"
+ "See the Firewall message in flags.proto for the expected format.\n"
+ "\n"
+ "Example:\n"
+ "{\n"
+ " \"disabled_endpoints\" : {\n"
+ " \"paths\" : [\n"
+ " \"/files/browse.json\",\n"
+ " \"/slave(0)/stats.json\",\n"
+ " ]\n"
+ " }\n"
+ "}");
+
add(&Flags::rate_limits,
"rate_limits",
"The value could be a JSON formatted string of rate limits\n"
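Review bot: The example in the new help text is not valid JSON: the `paths` array ends with a trailing comma after `"/slave(0)/stats.json",`, so a user who copies the example verbatim will most likely get a parse error from the JSON parser behind `flags::parse<JSON::Object>` rather than a working rule set. Drop the comma, i.e. `"      \"/slave(0)/stats.json\"\n"`. The same example with the same trailing comma is added to src/slave/flags.cpp and docs/configuration.md in this commit, and `formated` on the second line of the help text should read `formatted`. The Flags constructor this hunk belongs to starts and ends outside the hunk.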
http://git-wip-us.apache.org/repos/asf/mesos/blob/3ef08faf/src/master/flags.hpp
----------------------------------------------------------------------
diff --git a/src/master/flags.hpp b/src/master/flags.hpp
index 84fa238..55ed3a9 100644
--- a/src/master/flags.hpp
+++ b/src/master/flags.hpp
@@ -30,6 +30,8 @@
#include "logging/flags.hpp"
+#include "messages/flags.hpp"
+
namespace mesos {
namespace internal {
namespace master {
@@ -64,6 +66,7 @@ public:
bool authenticate_slaves;
Option<Path> credentials;
Option<ACLs> acls;
+ Option<Firewall> firewall_rules;
Option<RateLimits> rate_limits;
Option<Duration> offer_timeout;
Option<Modules> modules;
http://git-wip-us.apache.org/repos/asf/mesos/blob/3ef08faf/src/master/main.cpp
----------------------------------------------------------------------
diff --git a/src/master/main.cpp b/src/master/main.cpp
index 3d490c3..1c33e3b 100644
--- a/src/master/main.cpp
+++ b/src/master/main.cpp
@@ -89,6 +89,9 @@ using process::Owned;
using process::RateLimiter;
using process::UPID;
+using process::firewall::DisabledEndpointsFirewallRule;
+using process::firewall::FirewallRule;
+
using std::cerr;
using std::cout;
using std::endl;
@@ -340,6 +343,24 @@ int main(int argc, char** argv)
slaveRemovalLimiter = new RateLimiter(permits.get(), duration.get());
}
+ if (flags.firewall_rules.isSome()) {
+ const Firewall rules = flags.firewall_rules.get();
+
+ std::vector<Owned<FirewallRule>> _rules;
+
+ if (rules.has_disabled_endpoints()) {
+ hashset<string> paths;
+
+ for (int i = 0; i < rules.disabled_endpoints().paths_size(); ++i) {
+ paths.insert(rules.disabled_endpoints().paths(i));
+ }
+
+ _rules.emplace_back(new DisabledEndpointsFirewallRule(paths));
+ }
+
+ process::firewall::install(std::move(_rules));
+ }
+
// Create anonymous modules.
foreach (const string& name, ModuleManager::find<Anonymous>()) {
Try<Anonymous*> create = ModuleManager::create<Anonymous>(name);
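Review bot: `const Firewall rules = flags.firewall_rules.get();` copies the protobuf message although it is only read; `const Firewall& rules = flags.firewall_rules.get();` avoids the copy. The index loop over `paths_size()` can be written as `foreach (const string& path, rules.disabled_endpoints().paths()) { paths.insert(path); }`, matching the `foreach` used a few lines below. `hashset<string>` is used here, but unlike src/slave/main.cpp this file does not gain `#include <stout/hashset.hpp>` in the commit, so it is worth confirming the header is included directly rather than reached transitively. When the flag is given but `disabled_endpoints` is absent, `install` receives an empty rule set without any log line, so an operator reading the log cannot tell that no endpoint is actually blocked; a `LOG(INFO)` stating how many firewall rules were installed would make that visible. The same block is added verbatim to src/slave/main.cpp and these remarks apply there as well; `main` continues outside the hunk.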
http://git-wip-us.apache.org/repos/asf/mesos/blob/3ef08faf/src/messages/flags.hpp
----------------------------------------------------------------------
diff --git a/src/messages/flags.hpp b/src/messages/flags.hpp
new file mode 100644
index 0000000..41be419
--- /dev/null
+++ b/src/messages/flags.hpp
@@ -0,0 +1,65 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef __MESSAGES_FLAGS_HPP__
+#define __MESSAGES_FLAGS_HPP__
+
+#include <string>
+
+#include <stout/error.hpp>
+#include <stout/json.hpp>
+#include <stout/protobuf.hpp>
+#include <stout/try.hpp>
+
+#include <stout/flags/parse.hpp>
+
+#include "common/parse.hpp"
+
+#include "messages/flags.pb.h"
+
+namespace flags {
+
+template <>
+inline Try<mesos::internal::Firewall> parse(const std::string& value)
+{
+ // Convert from string or file to JSON.
+ Try<JSON::Object> json = parse<JSON::Object>(value);
+ if (json.isError()) {
+ return Error(json.error());
+ }
+
+ // Convert from JSON to Protobuf.
+ return protobuf::parse<mesos::internal::Firewall>(json.get());
+}
+
+} // namespace flags {
+
+namespace mesos {
+namespace internal {
+
+inline std::ostream& operator << (
+ std::ostream& stream,
+ const Firewall& rules)
+{
+ return stream << rules.DebugString();
+}
+
+} // namespace internal {
+} // namespace mesos {
+
+#endif // __MESSAGES_FLAGS_HPP__
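Review bot: `operator<<` at the bottom of the new header takes and returns `std::ostream&`, but the only standard header included is `<string>`, so this compiles only if one of the stout headers happens to pull in `<ostream>`; add `#include <ostream>` next to `<string>` so the header includes what it uses. The `parse` specialization carries no documentation of its contract; a short comment such as `// Parses a Firewall message from a JSON object given either inline or, as the flag help text describes, as a file path; errors from the JSON step are forwarded unchanged.` would tell a reader why the two-step JSON-then-protobuf conversion is there. If it is intended that unknown JSON keys are rejected rather than ignored by `protobuf::parse`, that is worth stating here too, since it is what operators will rely on when a rule is misspelled.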
http://git-wip-us.apache.org/repos/asf/mesos/blob/3ef08faf/src/messages/flags.proto
----------------------------------------------------------------------
diff --git a/src/messages/flags.proto b/src/messages/flags.proto
new file mode 100644
index 0000000..5400c92
--- /dev/null
+++ b/src/messages/flags.proto
@@ -0,0 +1,31 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import "mesos/mesos.proto";
+
+package mesos.internal;
+
+// Initializes firewall rules to allow access control of the
+// libprocess endpoints.
+message Firewall {
+ message DisabledEndpointsRule {
+ repeated string paths = 1;
+ }
+
+ optional DisabledEndpointsRule disabled_endpoints = 1;
+}
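Review bot: `import "mesos/mesos.proto";` is not used — nothing in this file references a type from it — and it makes the generated flags.pb.h depend on mesos.pb.h for no reason; protoc typically warns about unused imports, so the line should be dropped. The leading comment says the message "initializes" firewall rules, but a message only carries data; `// Firewall rules applied to the libprocess endpoints (consumed by process::firewall::install).` describes it more accurately. `paths` has no comment saying how entries are matched against a request path (exact match is what the flag examples suggest, but the rule semantics are not shown here), and documenting that at the field would help operators write correct rules.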
http://git-wip-us.apache.org/repos/asf/mesos/blob/3ef08faf/src/slave/flags.cpp
----------------------------------------------------------------------
diff --git a/src/slave/flags.cpp b/src/slave/flags.cpp
index 1ae106e..99142fb 100644
--- a/src/slave/flags.cpp
+++ b/src/slave/flags.cpp
@@ -263,6 +263,25 @@ mesos::internal::slave::Flags::Flags()
true);
#endif
+ add(&Flags::firewall_rules,
+ "firewall_rules",
+ "The value could be a JSON formatted string of rules or a\n"
+ "file path containing the JSON formated rules used in the endpoints\n"
+ "firewall. Path must be of the form 'file:///path/to/file'\n"
+ "or '/path/to/file'.\n"
+ "\n"
+ "See the Firewall message in flags.proto for the expected format.\n"
+ "\n"
+ "Example:\n"
+ "{\n"
+ " \"disabled_endpoints\" : {\n"
+ " \"paths\" : [\n"
+ " \"/files/browse.json\",\n"
+ " \"/slave(0)/stats.json\",\n"
+ " ]\n"
+ " }\n"
+ "}");
+
add(&Flags::credential,
"credential",
"Either a path to a text with a single line\n"
http://git-wip-us.apache.org/repos/asf/mesos/blob/3ef08faf/src/slave/flags.hpp
----------------------------------------------------------------------
diff --git a/src/slave/flags.hpp b/src/slave/flags.hpp
index 32d36ac..6c24e56 100644
--- a/src/slave/flags.hpp
+++ b/src/slave/flags.hpp
@@ -30,6 +30,8 @@
#include "logging/flags.hpp"
+#include "messages/flags.hpp"
+
namespace mesos {
namespace internal {
namespace slave {
@@ -78,6 +80,7 @@ public:
Duration perf_duration;
bool revocable_cpu_low_priority;
#endif
+ Option<Firewall> firewall_rules;
Option<Path> credential;
Option<std::string> containerizer_path;
std::string containerizers;
http://git-wip-us.apache.org/repos/asf/mesos/blob/3ef08faf/src/slave/main.cpp
----------------------------------------------------------------------
diff --git a/src/slave/main.cpp b/src/slave/main.cpp
index af090ae..c379243 100644
--- a/src/slave/main.cpp
+++ b/src/slave/main.cpp
@@ -26,6 +26,7 @@
#include <stout/check.hpp>
#include <stout/flags.hpp>
+#include <stout/hashset.hpp>
#include <stout/nothing.hpp>
#include <stout/os.hpp>
#include <stout/stringify.hpp>
@@ -39,6 +40,7 @@
#include "master/detector.hpp"
+#include "messages/flags.hpp"
#include "messages/messages.hpp"
#include "module/manager.hpp"
@@ -58,6 +60,9 @@ using mesos::slave::ResourceEstimator;
using mesos::SlaveInfo;
+using process::firewall::DisabledEndpointsFirewallRule;
+using process::firewall::FirewallRule;
+
using std::cerr;
using std::cout;
using std::endl;
@@ -174,6 +179,24 @@ int main(int argc, char** argv)
<< "Failed to create a master detector: " << detector.error();
}
+ if (flags.firewall_rules.isSome()) {
+ const Firewall rules = flags.firewall_rules.get();
+
+ std::vector<Owned<FirewallRule>> _rules;
+
+ if (rules.has_disabled_endpoints()) {
+ hashset<string> paths;
+
+ for (int i = 0; i < rules.disabled_endpoints().paths_size(); ++i) {
+ paths.insert(rules.disabled_endpoints().paths(i));
+ }
+
+ _rules.emplace_back(new DisabledEndpointsFirewallRule(paths));
+ }
+
+ process::firewall::install(std::move(_rules));
+ }
+
// Create anonymous modules.
foreach (const string& name, ModuleManager::find<Anonymous>()) {
Try<Anonymous*> create = ModuleManager::create<Anonymous>(name);