Repository: mesos Updated Branches: refs/heads/master ea9470c6c -> 768d6fc7e
Removed code which is not used. The introduction of the `ObjectApprovers` abstraction rendered the `AuthorizationAcceptor` class obsolete. After the refactor of the code the acceptor class was no longer used, nor were the helper functions built around it. This patch removes that obsolete code. Review: https://reviews.apache.org/r/65314 Project: http://git-wip-us.apache.org/repos/asf/mesos/repo Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/768d6fc7 Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/768d6fc7 Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/768d6fc7 Branch: refs/heads/master Commit: 768d6fc7ee4bfffffb1adde2362ed36dc267ed9e Parents: 83dd7f8 Author: Alexander Rojas <alexander.ro...@gmail.com> Authored: Wed Jan 24 18:17:56 2018 +0100 Committer: Alexander Rojas <alexan...@mesosphere.io> Committed: Wed Mar 14 18:09:20 2018 +0100 ---------------------------------------------------------------------- src/common/http.cpp | 147 ----------------------------------------------- src/common/http.hpp | 73 ----------------------- 2 files changed, 220 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/768d6fc7/src/common/http.cpp
----------------------------------------------------------------------
diff --git a/src/common/http.cpp b/src/common/http.cpp
index 99d84cd..03f539f 100644
--- a/src/common/http.cpp
+++ b/src/common/http.cpp
@@ -898,84 +898,6 @@ Future<Owned<ObjectApprovers>> ObjectApprovers::create(
 }
-bool approveViewFrameworkInfo(
- const Owned<ObjectApprover>& frameworksApprover,
- const FrameworkInfo& frameworkInfo)
-{
- Try<bool> approved =
- frameworksApprover->approved(ObjectApprover::Object(frameworkInfo));
- if (approved.isError()) {
- LOG(WARNING) << "Error during FrameworkInfo authorization: "
- << approved.error();
- // TODO(joerg84): Consider exposing these errors to the caller.
- return false;
- }
- return approved.get();
-}
-
-
-bool approveViewExecutorInfo(
- const Owned<ObjectApprover>& executorsApprover,
- const ExecutorInfo& executorInfo,
- const FrameworkInfo& frameworkInfo)
-{
- Try<bool> approved = executorsApprover->approved(
- ObjectApprover::Object(executorInfo, frameworkInfo));
- if (approved.isError()) {
- LOG(WARNING) << "Error during ExecutorInfo authorization: "
- << approved.error();
- // TODO(joerg84): Consider exposing these errors to the caller.
- return false;
- }
- return approved.get();
-}
-
-
-bool approveViewTaskInfo(
- const Owned<ObjectApprover>& tasksApprover,
- const TaskInfo& taskInfo,
- const FrameworkInfo& frameworkInfo)
-{
- Try<bool> approved =
- tasksApprover->approved(ObjectApprover::Object(taskInfo, frameworkInfo));
- if (approved.isError()) {
- LOG(WARNING) << "Error during TaskInfo authorization: " << approved.error();
- // TODO(joerg84): Consider exposing these errors to the caller.
- return false;
- }
- return approved.get();
-}
-
-
-bool approveViewTask(
- const Owned<ObjectApprover>& tasksApprover,
- const Task& task,
- const FrameworkInfo& frameworkInfo)
-{
- Try<bool> approved =
- tasksApprover->approved(ObjectApprover::Object(task, frameworkInfo));
- if (approved.isError()) {
- LOG(WARNING) << "Error during Task authorization: " << approved.error();
- // TODO(joerg84): Consider exposing these errors to the caller.
- return false;
- }
- return approved.get();
-}
-
-
-bool approveViewFlags(
- const Owned<ObjectApprover>& flagsApprover)
-{
- Try<bool> approved = flagsApprover->approved(ObjectApprover::Object());
- if (approved.isError()) {
- LOG(WARNING) << "Error during Flags authorization: " << approved.error();
- // TODO(joerg84): Consider exposing these errors to the caller.
- return false;
- }
- return approved.get();
-}
-
-
 process::Future<bool> authorizeEndpoint(
 const string& endpoint,
 const string& method,
@@ -1018,52 +940,6 @@ process::Future<bool> authorizeEndpoint(
 }
-bool approveViewRole(
- const Owned<ObjectApprover>& rolesApprover,
- const string& role)
-{
- Try<bool> approved = rolesApprover->approved(ObjectApprover::Object(role));
- if (approved.isError()) {
- LOG(WARNING) << "Error during Roles authorization: " << approved.error();
- // TODO(joerg84): Consider exposing these errors to the caller.
- return false;
- }
- return approved.get();
-}
-
-
-bool authorizeResource(
- const Resource& resource,
- const Option<Owned<AuthorizationAcceptor>>& acceptor)
-{
- if (acceptor.isNone()) {
- return true;
- }
-
- // Necessary because recovered agents are presented in old format.
- if (resource.has_role() && resource.role() != "*" &&
- !acceptor.get()->accept(resource.role())) {
- return false;
- }
-
- if (resource.has_allocation_info() &&
- !acceptor.get()->accept(resource.allocation_info().role())) {
- return false;
- }
-
- // Reservations follow a path model where each entry is a child of the
- // previous one. Therefore, to accept the resource the acceptor has to
- // accept all entries.
- foreach (Resource::ReservationInfo reservation, resource.reservations()) {
- if (!acceptor.get()->accept(reservation.role())) {
- return false;
- }
- }
-
- return true;
-}
-
-
 namespace {
 Result<process::http::authentication::Authenticator*> createBasicAuthenticator(
@@ -1230,27 +1106,4 @@ void logRequest(const process::http::Request& request)
 : "");
 }
-
-Future<Owned<AuthorizationAcceptor>> AuthorizationAcceptor::create(
- const Option<Principal>& principal,
- const Option<Authorizer*>& authorizer,
- const authorization::Action& action)
-{
- if (authorizer.isNone()) {
- return Owned<AuthorizationAcceptor>(
- new AuthorizationAcceptor(Owned<ObjectApprover>(
- new AcceptingObjectApprover())));
- }
-
- const Option<authorization::Subject> subject =
- authorization::createSubject(principal);
-
- return authorizer.get()->getObjectApprover(subject, action)
- .then([=](const Owned<ObjectApprover>& approver) {
- return Owned<AuthorizationAcceptor>(
- new AuthorizationAcceptor(approver));
- });
-}
-
-
 } // namespace mesos {
http://git-wip-us.apache.org/repos/asf/mesos/blob/768d6fc7/src/common/http.hpp
----------------------------------------------------------------------
diff --git a/src/common/http.hpp b/src/common/http.hpp
index d92ae2b..76e8f71 100644
--- a/src/common/http.hpp
+++ b/src/common/http.hpp
@@ -266,39 +266,6 @@ inline bool ObjectApprovers::approved<authorization::VIEW_ROLE>(
 }
-// Determines which objects will be accepted based on authorization.
-class AuthorizationAcceptor
-{
-public:
- static process::Future<process::Owned<AuthorizationAcceptor>> create(
- const Option<process::http::authentication::Principal>& principal,
- const Option<Authorizer*>& authorizer,
- const authorization::Action& action);
-
- template <typename... Args>
- bool accept(Args&... args)
- {
- Try<bool> approved =
- objectApprover->approved(ObjectApprover::Object(args...));
- if (approved.isError()) {
- LOG(WARNING) << "Error during authorization: " << approved.error();
- return false;
- }
-
- return approved.get();
- }
-
-protected:
- // TODO(qleng): Currently, `Owned` is implemented with `shared_ptr` and allows
- // copying. In the future, if `Owned` is implemented with `unique_ptr`, we
- // will need to pass by rvalue reference here instead (see MESOS-5122).
- AuthorizationAcceptor(const process::Owned<ObjectApprover>& approver)
- : objectApprover(approver) {}
-
- const process::Owned<ObjectApprover> objectApprover;
-};
-
-
 /**
 * Used to filter results for API handlers. Provides the 'accept()' method to
 * test whether the supplied ID is equal to a stored target ID. If no target
@@ -331,32 +298,6 @@ protected:
 };
-bool approveViewFrameworkInfo(
- const process::Owned<ObjectApprover>& frameworksApprover,
- const FrameworkInfo& frameworkInfo);
-
-
-bool approveViewExecutorInfo(
- const process::Owned<ObjectApprover>& executorsApprover,
- const ExecutorInfo& executorInfo,
- const FrameworkInfo& frameworkInfo);
-
-
-bool approveViewTaskInfo(
- const process::Owned<ObjectApprover>& tasksApprover,
- const TaskInfo& taskInfo,
- const FrameworkInfo& frameworkInfo);
-
-
-bool approveViewTask(
- const process::Owned<ObjectApprover>& tasksApprover,
- const Task& task,
- const FrameworkInfo& frameworkInfo);
-
-
-bool approveViewFlags(const process::Owned<ObjectApprover>& flagsApprover);
-
-
 // Authorizes access to an HTTP endpoint. The `method` parameter
 // determines which ACL action will be used in the authorization.
 // It is expected that the caller has validated that `method` is
@@ -371,20 +312,6 @@ process::Future<bool> authorizeEndpoint(
 const Option<process::http::authentication::Principal>& principal);
-bool approveViewRole(
- const process::Owned<ObjectApprover>& rolesApprover,
- const std::string& role);
-
-
-// Authorizes resources in either the pre- or the post-reservation-refinement
-// formats.
-// TODO(arojas): Update this helper to only accept the
-// post-reservation-refinement format once MESOS-7851 is resolved.
-bool authorizeResource(
- const Resource& resource,
- const Option<process::Owned<AuthorizationAcceptor>>& acceptor);
-
-
 /**
 * Helper function to create HTTP authenticators
 * for a given realm and register in libprocess.