Refactored authorization logic in the master. This patch makes use of the new `ObjectApprovers` class, which greatly simplifies the logic for constructing and using authorization.
Review: https://reviews.apache.org/r/65312
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/dc1e188a
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/dc1e188a
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/dc1e188a
Branch: refs/heads/master
Commit: dc1e188aeef81012dcf0a20df7aad1ade7feca13
Parents: dc9eaeb
Author: Alexander Rojas <alexander.ro...@gmail.com>
Authored: Wed Jan 24 12:10:20 2018 +0100
Committer: Alexander Rojas <alexan...@mesosphere.io>
Committed: Wed Mar 14 18:09:20 2018 +0100
----------------------------------------------------------------------
src/common/protobuf_utils.cpp | 12 +-
src/common/protobuf_utils.hpp | 5 +-
src/master/http.cpp | 1534 ++++++++++++++----------------------
src/master/master.cpp | 102 +--
src/master/master.hpp | 36 +-
5 files changed, 628 insertions(+), 1061 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/dc1e188a/src/common/protobuf_utils.cpp
----------------------------------------------------------------------
diff --git a/src/common/protobuf_utils.cpp b/src/common/protobuf_utils.cpp
index d2ada35..e0609b6 100644
--- a/src/common/protobuf_utils.cpp
+++ b/src/common/protobuf_utils.cpp
@@ -63,6 +63,8 @@ using std::vector;
 using google::protobuf::Map;
 using google::protobuf::RepeatedPtrField;
 
+using mesos::authorization::VIEW_ROLE;
+
 using mesos::slave::ContainerLimitation;
 using mesos::slave::ContainerState;
 
@@ -1222,7 +1224,7 @@ mesos::master::Event createFrameworkRemoved(const FrameworkInfo& frameworkInfo)
 
 mesos::master::Response::GetAgents::Agent createAgentResponse(
 const mesos::internal::master::Slave& slave,
- const Option<Owned<AuthorizationAcceptor>>& rolesAcceptor)
+ const Option<Owned<ObjectApprovers>>& approvers)
 {
 mesos::master::Response::GetAgents::Agent agent;
 
@@ -1242,27 +1244,27 @@ mesos::master::Response::GetAgents::Agent createAgentResponse(
 agent.mutable_agent_info()->clear_resources();
 
 foreach (const Resource& resource, slave.info.resources()) {
- if (authorizeResource(resource, rolesAcceptor)) {
+ if (approvers.isNone() || approvers.get()->approved<VIEW_ROLE>(resource)) {
 agent.mutable_agent_info()->add_resources()->CopyFrom(resource);
 }
 }
 
 foreach (Resource resource, slave.totalResources) {
- if (authorizeResource(resource, rolesAcceptor)) {
+ if (approvers.isNone() || approvers.get()->approved<VIEW_ROLE>(resource)) {
 convertResourceFormat(&resource, ENDPOINT);
 agent.add_total_resources()->CopyFrom(resource);
 }
 }
 
 foreach (Resource resource, Resources::sum(slave.usedResources)) {
- if (authorizeResource(resource, rolesAcceptor)) {
+ if (approvers.isNone() || approvers.get()->approved<VIEW_ROLE>(resource)) {
 convertResourceFormat(&resource, ENDPOINT);
 agent.add_allocated_resources()->CopyFrom(resource);
 }
 }
 
 foreach (Resource resource, slave.offeredResources) {
- if (authorizeResource(resource, rolesAcceptor)) {
+ if (approvers.isNone() || approvers.get()->approved<VIEW_ROLE>(resource)) {
 convertResourceFormat(&resource, ENDPOINT);
 agent.add_offered_resources()->CopyFrom(resource);
 }
http://git-wip-us.apache.org/repos/asf/mesos/blob/dc1e188a/src/common/protobuf_utils.hpp
----------------------------------------------------------------------
diff --git a/src/common/protobuf_utils.hpp b/src/common/protobuf_utils.hpp
index 2ef1c9a..b33d126 100644
--- a/src/common/protobuf_utils.hpp
+++ b/src/common/protobuf_utils.hpp
@@ -52,7 +52,7 @@ struct UPID;
 
 namespace mesos {
 
-class AuthorizationAcceptor;
+class ObjectApprovers;
 
 namespace internal {
 
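Review bot: The `approvers.isNone()` short-circuit on each of the four `if` lines is the authorization bypass path of this function, and it is repeated verbatim with nothing saying that an absent approvers object is meant to disable VIEW_ROLE filtering rather than being a programming error. Folding the expression into one local predicate would make that decision visible and comment-able once: `auto viewable = [&](const Resource& resource) {` / `return approvers.isNone() || approvers.get()->approved<VIEW_ROLE>(resource);` / `};` with `// No approvers: the caller has opted out of VIEW_ROLE filtering, so every resource is included.` above it, and the four conditions become `if (viewable(resource))`. Whether `approved<VIEW_ROLE>` can itself fail and what it returns in that case is not visible in this hunk; if it can, the same comment should say whether that path fails closed. createAgentResponse begins in the preceding hunk and its return is outside this one.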
@@ -419,8 +419,7 @@ mesos::master::Event createFrameworkRemoved(const FrameworkInfo& frameworkInfo);
 
 // Helper for creating an `Agent` response.
 mesos::master::Response::GetAgents::Agent createAgentResponse(
 const mesos::internal::master::Slave& slave,
- const Option<process::Owned<AuthorizationAcceptor>>& rolesAcceptor =
- None());
+ const Option<process::Owned<ObjectApprovers>>& approvers = None());
 
 // Helper for creating an `AGENT_ADDED` event from a `Slave`.
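Review bot: The new `approvers = None()` default on the declaration is what a caller gets when it forgets to pass an approvers object, and the one-line comment above the declaration does not say what that default does; in the .cpp hunk at @@ -1242 a `None` value skips the VIEW_ROLE check on every resource. Callers read the header, not the definition, so the consequence of the default belongs here, e.g. under the existing comment: `// When `approvers` is `None` no VIEW_ROLE filtering is applied and all of the agent's resources are included in the response; pass approvers whenever the caller is subject to authorization.` The behaviour of the previous `rolesAcceptor` default is outside this hunk, so whether this is a change in semantics cannot be confirmed from here.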