Repository: mesos Updated Branches: refs/heads/master 7fb8c3475 -> 58cd54459
Added an authorizer action for viewing of resource provider information. Review: https://reviews.apache.org/r/68103/ Project: http://git-wip-us.apache.org/repos/asf/mesos/repo Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/d9a6c55e Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/d9a6c55e Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/d9a6c55e Branch: refs/heads/master Commit: d9a6c55e67bdaa07c7d5712997969b180654021c Parents: 7fb8c34 Author: Benjamin Bannier <benjamin.bann...@mesosphere.io> Authored: Wed Aug 1 11:30:54 2018 -0700 Committer: Chun-Hung Hsiao <chhs...@mesosphere.io> Committed: Wed Aug 1 11:30:54 2018 -0700
----------------------------------------------------------------------
include/mesos/authorizer/acls.proto | 11 ++++++ include/mesos/authorizer/authorizer.proto | 4 ++ src/authorizer/local/authorizer.cpp | 23 +++++++++++ src/tests/authorization_tests.cpp | 54 ++++++++++++++++++++++++++ 4 files changed, 92 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/d9a6c55e/include/mesos/authorizer/acls.proto
----------------------------------------------------------------------
diff --git a/include/mesos/authorizer/acls.proto b/include/mesos/authorizer/acls.proto
index 1777c04..f5d2580 100644
--- a/include/mesos/authorizer/acls.proto
+++ b/include/mesos/authorizer/acls.proto
@@ -556,6 +556,16 @@ message ACL {
 // Objects: The list of roles for which volume disks can be destroyed.
 required Entity roles = 2;
 }
+
+ // Which principals are authorized to access resource provider information.
+ message ViewResourceProvider {
+ // Subjects: HTTP Username.
+ required Entity principals = 1;
+
+ // Objects: Given implicitly. Use Entity type ANY or NONE to allow or deny
+ // access.
+ required Entity resource_providers = 2;
+ }
 }
@@ -639,4 +649,5 @@ message ACLs {
 repeated ACL.DestroyBlockDisk destroy_block_disks = 50;
 repeated ACL.CreateMountDisk create_mount_disks = 51;
 repeated ACL.DestroyMountDisk destroy_mount_disks = 52;
+ repeated ACL.ViewResourceProvider view_resource_providers = 53;
 }
http://git-wip-us.apache.org/repos/asf/mesos/blob/d9a6c55e/include/mesos/authorizer/authorizer.proto
----------------------------------------------------------------------
diff --git a/include/mesos/authorizer/authorizer.proto b/include/mesos/authorizer/authorizer.proto
index 8b5fa09..7330416 100644
--- a/include/mesos/authorizer/authorizer.proto
+++ b/include/mesos/authorizer/authorizer.proto
@@ -269,6 +269,10 @@ enum Action {
 // `DESTROY_MOUNT_DISK` will have an object with `Resource` set.
 DESTROY_MOUNT_DISK = 46;
+
+ // This action will not fill in any object fields. A principal is either
+ // allowed to view resource provider information or is unauthorized.
+ VIEW_RESOURCE_PROVIDER = 47;
 }
http://git-wip-us.apache.org/repos/asf/mesos/blob/d9a6c55e/src/authorizer/local/authorizer.cpp
----------------------------------------------------------------------
diff --git a/src/authorizer/local/authorizer.cpp b/src/authorizer/local/authorizer.cpp
index abf5b46..f99b88e 100644
--- a/src/authorizer/local/authorizer.cpp
+++ b/src/authorizer/local/authorizer.cpp
@@ -413,6 +413,7 @@ public:
 case authorization::UPDATE_MAINTENANCE_SCHEDULE:
 case authorization::MODIFY_RESOURCE_PROVIDER_CONFIG:
 case authorization::PRUNE_IMAGES:
+ case authorization::VIEW_RESOURCE_PROVIDER:
 aclObject.set_type(ACL::Entity::ANY);
 break;
@@ -731,6 +732,7 @@ public:
 case authorization::WAIT_NESTED_CONTAINER:
 case authorization::WAIT_STANDALONE_CONTAINER:
 case authorization::MODIFY_RESOURCE_PROVIDER_CONFIG:
+ case authorization::VIEW_RESOURCE_PROVIDER:
 case authorization::UNKNOWN:
 UNREACHABLE();
 }
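Review bot: In the hunk at `@@ -731` (and again at `@@ -975`) the new `case authorization::VIEW_RESOURCE_PROVIDER:` label joins a list that ends in `UNREACHABLE()`, and nothing next to it says why the action can never arrive there. Judging from the hunk at `@@ -1193`, the action is routed to the generic ACL path through `createGenericACLs`, so the invariant presumably holds, but it lives in a different switch and has to be kept in sync by hand. A mistake here would presumably abort the process on the authorization path instead of denying the request, so a short comment above the list such as `// Handled via generic ACLs; never dispatched to this approver.` would help the next person adding an action. Both enclosing functions start and end outside the hunks, so this is inferred from the labels alone.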
@@ -975,6 +977,7 @@ public:
 case authorization::WAIT_NESTED_CONTAINER:
 case authorization::WAIT_STANDALONE_CONTAINER:
 case authorization::MODIFY_RESOURCE_PROVIDER_CONFIG:
+ case authorization::VIEW_RESOURCE_PROVIDER:
 UNREACHABLE();
 }
@@ -1193,6 +1196,7 @@ public:
 case authorization::WAIT_NESTED_CONTAINER:
 case authorization::WAIT_STANDALONE_CONTAINER:
 case authorization::MODIFY_RESOURCE_PROVIDER_CONFIG:
+ case authorization::VIEW_RESOURCE_PROVIDER:
 case authorization::UNKNOWN: {
 Result<vector<GenericACL>> genericACLs = createGenericACLs(action, acls);
@@ -1558,6 +1562,18 @@ private:
 }
 return acls_;
+ case authorization::VIEW_RESOURCE_PROVIDER:
+ foreach (
+ const ACL::ViewResourceProvider& acl,
+ acls.view_resource_providers()) {
+ GenericACL acl_;
+ acl_.subjects = acl.principals();
+ acl_.objects = acl.resource_providers();
+
+ acls_.push_back(acl_);
+ }
+
+ return acls_;
 case authorization::REGISTER_FRAMEWORK:
 case authorization::CREATE_VOLUME:
 case authorization::RESIZE_VOLUME:
@@ -1747,6 +1763,13 @@ Option<Error> LocalAuthorizer::validate(const ACLs& acls)
 }
 }
+ foreach (const ACL::ViewResourceProvider& acl,
+ acls.view_resource_providers()) {
+ if (acl.resource_providers().type() == ACL::Entity::SOME) {
+ return Error("ACL.ViewResourceProvider type must be either NONE or ANY");
+ }
+ }
+
 // TODO(alexr): Consider validating not only protobuf, but also the original
 // JSON in order to spot misspelled names. A misspelled action may affect
 // authorization result and hence lead to a security issue (e.g. when there
http://git-wip-us.apache.org/repos/asf/mesos/blob/d9a6c55e/src/tests/authorization_tests.cpp
----------------------------------------------------------------------
diff --git a/src/tests/authorization_tests.cpp b/src/tests/authorization_tests.cpp
index 41ecac2..0c3e59e 100644
--- a/src/tests/authorization_tests.cpp
+++ b/src/tests/authorization_tests.cpp
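Review bot: The loop added to `LocalAuthorizer::validate` at `@@ -1747` rejects `SOME` without a comment saying why, and its error text does not name the field at fault. The test in this commit builds its invalid ACL by only listing a value and setting no type, so an operator can evidently hit this error without ever writing `SOME`; the message could say so, e.g. `return Error("ACL.ViewResourceProvider.resource_providers must have type ANY or NONE");`. A one-line comment above the loop, `// The object is implicit for this action, so only ANY or NONE can be expressed.`, would tie the check to the wording in acls.proto. If the neighbouring checks in this function use the shorter wording, keeping them uniform may matter more; they are outside the hunk.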
@@ -4712,6 +4712,60 @@ TYPED_TEST(AuthorizationTest, ViewFlags)
 }
+TYPED_TEST(AuthorizationTest, ViewResourceProvider)
+{
+ // Setup ACLs.
+ ACLs acls;
+
+ {
+ // "foo" principal can view resource provider information.
+ mesos::ACL::ViewResourceProvider* acl = acls.add_view_resource_providers();
+ acl->mutable_principals()->add_values("foo");
+ acl->mutable_resource_providers()->set_type(mesos::ACL::Entity::ANY);
+ }
+
+ {
+ // Nobody else can view resource provider information.
+ mesos::ACL::ViewResourceProvider* acl = acls.add_view_resource_providers();
+ acl->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
+ acl->mutable_resource_providers()->set_type(mesos::ACL::Entity::NONE);
+ }
+
+ // Create an `Authorizer` with the ACLs.
+ Try<Authorizer*> create = TypeParam::create(parameterize(acls));
+ ASSERT_SOME(create);
+ Owned<Authorizer> authorizer(create.get());
+
+ {
+ authorization::Request request;
+ request.set_action(authorization::VIEW_RESOURCE_PROVIDER);
+ request.mutable_subject()->set_value("foo");
+
+ AWAIT_EXPECT_TRUE(authorizer->authorized(request));
+ }
+
+ {
+ authorization::Request request;
+ request.set_action(authorization::VIEW_RESOURCE_PROVIDER);
+ request.mutable_subject()->set_value("bar");
+ AWAIT_EXPECT_FALSE(authorizer->authorized(request));
+ }
+
+ // Test that no authorizer is created with invalid ACLs.
+ {
+ ACLs invalid;
+
+ mesos::ACL::ViewResourceProvider* acl =
+ invalid.add_view_resource_providers();
+ acl->mutable_principals()->add_values("foo");
+ acl->mutable_resource_providers()->add_values("yoda");
+
+ Try<Authorizer*> create = TypeParam::create(parameterize(invalid));
+ EXPECT_ERROR(create);
+ }
+}
+
+
 TYPED_TEST(AuthorizationTest, SetLogLevel)
 {
 // Setup ACLs.
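Review bot: The new `ViewResourceProvider` test only exercises requests that hit an explicit rule, so the decision for `VIEW_RESOURCE_PROVIDER` when no `view_resource_providers` rule is configured is left unpinned. That is the state a cluster is in right after upgrading, and as far as I know the local authorizer then falls back to the `permissive` setting of `ACLs`, which these hunks do not show. I would add a block that builds an authorizer from ACLs with `permissive` turned off and no rule for this action and expects the request to be denied, so a later change to the fallback cannot silently open the resource provider view. The sketch below reuses only calls already present in the test plus the generated `set_permissive` setter.

```cpp
  // … unchanged: explicit "foo"/"bar" rules and the invalid-ACL case …

  // No rule for this action: the decision comes from the fallback
  // policy, pinned here for a non-permissive setup.
  {
    ACLs restrictive;
    restrictive.set_permissive(false);

    Try<Authorizer*> create = TypeParam::create(parameterize(restrictive));
    ASSERT_SOME(create);
    Owned<Authorizer> authorizer(create.get());

    authorization::Request request;
    request.set_action(authorization::VIEW_RESOURCE_PROVIDER);
    request.mutable_subject()->set_value("foo");

    AWAIT_EXPECT_FALSE(authorizer->authorized(request));
  }
```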