Repository: mesos Updated Branches: refs/heads/master d472be0ff -> 092fb5e3e
Added authorization support for HTTP based schedulers. Review: https://reviews.apache.org/r/37304 Project: http://git-wip-us.apache.org/repos/asf/mesos/repo Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/092fb5e3 Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/092fb5e3 Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/092fb5e3 Branch: refs/heads/master Commit: 092fb5e3e0abd04408f75eb2ca905b4e72d9310d Parents: d472be0 Author: Anand Mazumdar <[email protected]> Authored: Tue Aug 11 12:28:07 2015 -0700 Committer: Vinod Kone <[email protected]> Committed: Tue Aug 11 12:46:46 2015 -0700 ---------------------------------------------------------------------- 3rdparty/libprocess/src/encoder.hpp | 2 ++ src/master/master.cpp | 49 +++++++++++++++++++++++++++++--- src/master/master.hpp | 3 +- 3 files changed, 49 insertions(+), 5 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/092fb5e3/3rdparty/libprocess/src/encoder.hpp
----------------------------------------------------------------------
diff --git a/3rdparty/libprocess/src/encoder.hpp b/3rdparty/libprocess/src/encoder.hpp
index 4c5324e..ee5baaa 100644
--- a/3rdparty/libprocess/src/encoder.hpp
+++ b/3rdparty/libprocess/src/encoder.hpp
@@ -152,6 +152,8 @@ public: } } + VLOG(1) << out.str(); + return out.str(); }
http://git-wip-us.apache.org/repos/asf/mesos/blob/092fb5e3/src/master/master.cpp
----------------------------------------------------------------------
diff --git a/src/master/master.cpp b/src/master/master.cpp
index 08dd34d..163f4d6 100644
--- a/src/master/master.cpp
+++ b/src/master/master.cpp
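Review bot: The added `VLOG(1) << out.str();` in 3rdparty/libprocess/src/encoder.hpp writes the encoder's complete output to the log on every call, and it looks like leftover debugging rather than part of the authorization change this commit describes. The enclosing function starts outside the hunk, so what `out` holds is not visible here; if it is the serialized HTTP response, its headers and any body (which may carry credentials or framework data) would end up in the logs whenever verbose logging is on. I would drop the line, or log only a short status summary at a higher verbosity such as `VLOG(3)`.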
@@ -1824,17 +1824,52 @@ void Master::subscribe( return; } - // TODO(anand): Authorize the framework. - this->_subscribe(http, subscribe); + // Need to disambiguate for the compiler. + void (Master::*_subscribe)( + HttpConnection, + const scheduler::Call::Subscribe&, + const Future<bool>&) = &Self::_subscribe; + + authorizeFramework(frameworkInfo) + .onAny(defer(self(), + _subscribe, + http, + subscribe, + lambda::_1)); } void Master::_subscribe( HttpConnection http, - const scheduler::Call::Subscribe& subscribe) + const scheduler::Call::Subscribe& subscribe, + const Future<bool>& authorized) { const FrameworkInfo& frameworkInfo = subscribe.framework_info(); + CHECK(!authorized.isDiscarded()); + + Option<Error> authorizationError = None(); + + if (authorized.isFailed()) { + authorizationError = + Error("Authorization failure: " + authorized.failure()); + } else if (!authorized.get()) { + authorizationError = + Error("Not authorized to use role '" + frameworkInfo.role() + "'"); + } + + if (authorizationError.isSome()) { + LOG(INFO) << "Refusing subscription of framework" + << " '" << frameworkInfo.name() << "'" + << ": " << authorizationError.get().message; + + FrameworkErrorMessage message; + message.set_message(authorizationError.get().message); + http.send(message); + http.close(); + return; + } + LOG(INFO) << "Subscribing framework '" << frameworkInfo.name() << "' with checkpointing " << (frameworkInfo.checkpoint() ? "enabled" : "disabled") 
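Review bot: `CHECK(!authorized.isDiscarded());` in the new `_subscribe(HttpConnection, ...)` aborts the master process if the future from `authorizeFramework` is ever discarded, and because the continuation is attached with `.onAny` a discard does reach this code, so a misbehaving authorizer would turn a subscribe request into a master crash instead of a refused subscription. Whether `authorizeFramework` can produce a discarded future is not visible in this hunk; treating that state as a denial keeps the path fail-closed, e.g. `if (authorized.isDiscarded()) { authorizationError = Error("Authorization discarded"); } else if (authorized.isFailed()) {`. Separately, the text of `authorized.failure()` is sent verbatim to the client in the `FrameworkErrorMessage`; consider keeping that detail in the master's log and returning a generic authorization-failure message to the caller. The body of `_subscribe` continues past the end of the hunk.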
@@ -2056,9 +2091,15 @@ void Master::subscribe( << " does not set 'principal' in FrameworkInfo"; } + // Need to disambiguate for the compiler. + void (Master::*_subscribe)( + const UPID&, + const scheduler::Call::Subscribe&, + const Future<bool>&) = &Self::_subscribe; + authorizeFramework(frameworkInfo) .onAny(defer(self(), - &Master::_subscribe, + _subscribe, from, subscribe, lambda::_1));
http://git-wip-us.apache.org/repos/asf/mesos/blob/092fb5e3/src/master/master.hpp
----------------------------------------------------------------------
diff --git a/src/master/master.hpp b/src/master/master.hpp
index 10cc100..6bd05b1 100644
--- a/src/master/master.hpp
+++ b/src/master/master.hpp
@@ -717,7 +717,8 @@ private: void _subscribe( HttpConnection http, - const scheduler::Call::Subscribe& subscribe); + const scheduler::Call::Subscribe& subscribe, + const process::Future<bool>& authorized); void subscribe( const process::UPID& from,
