Repository: mesos Updated Branches: refs/heads/master a9f834a91 -> 7e0074852
Disallow HTTP schedulers when authentication is required. Review: https://reviews.apache.org/r/37377 Project: http://git-wip-us.apache.org/repos/asf/mesos/repo Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/7e007485 Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/7e007485 Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/7e007485 Branch: refs/heads/master Commit: 7e00748526edac55df80d9b3c00b99af6691ace4 Parents: a9f834a Author: Benjamin Mahler <[email protected]> Authored: Tue Aug 11 16:41:45 2015 -0700 Committer: Benjamin Mahler <[email protected]> Committed: Tue Aug 11 22:10:59 2015 -0700 ---------------------------------------------------------------------- src/master/http.cpp | 6 ++++ src/tests/http_api_tests.cpp | 76 +++++++++++++++++++++++++++++++-------- 2 files changed, 67 insertions(+), 15 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/mesos/blob/7e007485/src/master/http.cpp ---------------------------------------------------------------------- diff --git a/src/master/http.cpp b/src/master/http.cpp index 7c65055..579c009 100644 --- a/src/master/http.cpp +++ b/src/master/http.cpp @@ -326,6 +326,12 @@ const string Master::Http::SCHEDULER_HELP = HELP( Future<Response> Master::Http::scheduler(const Request& request) const { + if (master->flags.authenticate_frameworks) { + return Unauthorized( + "Mesos master", + "HTTP schedulers are not supported when authentication is required"); + } + v1::scheduler::Call v1Call; // TODO(anand): Content type values are case-insensitive. http://git-wip-us.apache.org/repos/asf/mesos/blob/7e007485/src/tests/http_api_tests.cpp ---------------------------------------------------------------------- diff --git a/src/tests/http_api_tests.cpp b/src/tests/http_api_tests.cpp index 813c4f6..aef3c4b 100644 --- a/src/tests/http_api_tests.cpp +++ b/src/tests/http_api_tests.cpp 
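Review bot: The new guard at the top of `Master::Http::scheduler` returns `Unauthorized("Mesos master", ...)`, yet no credential a client could present will satisfy it while `authenticate_frameworks` is set. A 401 carrying a realm conventionally invites a retry with credentials, so clients may loop or prompt; a status that does not suggest a retry may fit this temporary restriction better. Rejecting before any request parsing is the right fail-closed order, and the intent should be recorded beside the check, e.g. `// TODO: Remove once HTTP schedulers can authenticate; until then fail closed.`. The function body continues outside the hunk, so it cannot be confirmed from here that no other path reaches framework subscription without passing this check.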
@@ -53,6 +53,7 @@ using process::http::BadRequest; using process::http::OK; using process::http::Pipe; using process::http::Response; +using process::http::Unauthorized; using process::http::UnsupportedMediaType; using recordio::Decoder; @@ -98,13 +99,6 @@ public: return stringify(JSON::Protobuf(call)); } - - master::Flags masterFlags() - { - master::Flags flags = CreateMasterFlags(); - flags.authenticate_frameworks = false; - return flags; - } }; @@ -125,10 +119,34 @@ INSTANTIATE_TEST_CASE_P( // timeout and should succeed. +TEST_F(HttpApiTest, AuthenticationRequired) +{ + master::Flags flags = CreateMasterFlags(); + flags.authenticate_frameworks = true; + + Try<PID<Master>> master = StartMaster(flags); + ASSERT_SOME(master); + + Future<Response> response = process::http::post( + master.get(), + "api/v1/scheduler", + None(), + None()); + + AWAIT_EXPECT_RESPONSE_STATUS_EQ( + Unauthorized("Mesos master").status, + response); +} + + // TODO(anand): Add additional tests for validation. TEST_F(HttpApiTest, NoContentType) { - Try<PID<Master>> master = StartMaster(); + // HTTP schedulers cannot yet authenticate. + master::Flags flags = CreateMasterFlags(); + flags.authenticate_frameworks = false; + + Try<PID<Master>> master = StartMaster(flags); ASSERT_SOME(master); // Expect a BadRequest when 'Content-Type' is omitted. @@ -149,7 +167,11 @@ TEST_F(HttpApiTest, NoContentType) // into a valid protobuf resulting in a BadRequest. TEST_F(HttpApiTest, ValidJsonButInvalidProtobuf) { - Try<PID<Master>> master = StartMaster(); + // HTTP schedulers cannot yet authenticate. + master::Flags flags = CreateMasterFlags(); + flags.authenticate_frameworks = false; + + Try<PID<Master>> master = StartMaster(flags); ASSERT_SOME(master); JSON::Object object; 
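Review bot: `AuthenticationRequired` probes the endpoint only with an empty POST (`None()` headers, `None()` body) and asserts only the status code. This pins the guard ahead of the Content-Type validation, but it does not show that a well-formed subscribe request is refused when `authenticate_frameworks` is true, which is the property the commit is protecting. A second case that posts a valid serialized Subscribe call with a supported content type, as the existing `Subscribe` test does, and expects the same `Unauthorized("Mesos master").status` would catch a later change that narrows the guard, for example when HTTP authentication is introduced. The test should also carry a one-line comment such as `// HTTP schedulers must be rejected while framework authentication is required.`.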
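Review bot: The setup `master::Flags flags = CreateMasterFlags(); flags.authenticate_frameworks = false;` with the comment `// HTTP schedulers cannot yet authenticate.` is now copied into every existing test. It appears in `NoContentType` and `ValidJsonButInvalidProtobuf` here, and in `MalformedContent`, `UnsupportedContentMediaType`, `Subscribe`, `SubscribedOnRetryWithForce`, `UpdatePidToHttpScheduler` and `UpdatePidToHttpSchedulerWithoutForce` in the later hunks. That leaves eight places to revisit once HTTP schedulers can authenticate, and a missed copy would silently keep that test running against an unauthenticated master. The commit removes the fixture helper `masterFlags()`, which held this opt-out in one place; keeping a single helper that carries the comment would be easier to audit. If inlining is deliberate, a `TODO` marker on each copy would at least make them greppable. The test bodies continue outside these hunks.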
@@ -173,7 +195,11 @@ TEST_F(HttpApiTest, ValidJsonButInvalidProtobuf) // into a valid protobuf resulting in a BadRequest. TEST_P(HttpApiTest, MalformedContent) { - Try<PID<Master>> master = StartMaster(); + // HTTP schedulers cannot yet authenticate. + master::Flags flags = CreateMasterFlags(); + flags.authenticate_frameworks = false; + + Try<PID<Master>> master = StartMaster(flags); ASSERT_SOME(master); const std::string body = "MALFORMED_CONTENT"; @@ -197,7 +223,11 @@ TEST_P(HttpApiTest, MalformedContent) // should result in a 415 (UnsupportedMediaType) response. TEST_P(HttpApiTest, UnsupportedContentMediaType) { - Try<PID<Master>> master = StartMaster(); + // HTTP schedulers cannot yet authenticate. + master::Flags flags = CreateMasterFlags(); + flags.authenticate_frameworks = false; + + Try<PID<Master>> master = StartMaster(flags); ASSERT_SOME(master); const std::string contentType = GetParam(); @@ -227,7 +257,11 @@ TEST_P(HttpApiTest, UnsupportedContentMediaType) // event on the stream in response to a Subscribe call request. TEST_P(HttpApiTest, Subscribe) { - Try<PID<Master>> master = StartMaster(masterFlags()); + // HTTP schedulers cannot yet authenticate. + master::Flags flags = CreateMasterFlags(); + flags.authenticate_frameworks = false; + + Try<PID<Master>> master = StartMaster(flags); ASSERT_SOME(master); Call call; @@ -276,7 +310,11 @@ TEST_P(HttpApiTest, Subscribe) // e.g. after a ZK blip. TEST_P(HttpApiTest, SubscribedOnRetryWithForce) { - Try<PID<Master>> master = StartMaster(masterFlags()); + // HTTP schedulers cannot yet authenticate. + master::Flags flags = CreateMasterFlags(); + flags.authenticate_frameworks = false; + + Try<PID<Master>> master = StartMaster(flags); ASSERT_SOME(master); Call call; 
@@ -359,7 +397,11 @@ TEST_P(HttpApiTest, SubscribedOnRetryWithForce) // framework to HTTP when force is set. TEST_P(HttpApiTest, UpdatePidToHttpScheduler) { - Try<PID<Master>> master = StartMaster(masterFlags()); + // HTTP schedulers cannot yet authenticate. + master::Flags flags = CreateMasterFlags(); + flags.authenticate_frameworks = false; + + Try<PID<Master>> master = StartMaster(flags); ASSERT_SOME(master); v1::FrameworkInfo frameworkInfo = DEFAULT_V1_FRAMEWORK_INFO; @@ -444,7 +486,11 @@ TEST_P(HttpApiTest, UpdatePidToHttpScheduler) // framework is already connected. TEST_P(HttpApiTest, UpdatePidToHttpSchedulerWithoutForce) { - Try<PID<Master>> master = StartMaster(masterFlags()); + // HTTP schedulers cannot yet authenticate. + master::Flags flags = CreateMasterFlags(); + flags.authenticate_frameworks = false; + + Try<PID<Master>> master = StartMaster(flags); ASSERT_SOME(master); v1::FrameworkInfo frameworkInfo = DEFAULT_V1_FRAMEWORK_INFO;
