Added: mesos/site/source/documentation/latest/authentication.md URL: http://svn.apache.org/viewvc/mesos/site/source/documentation/latest/authentication.md?rev=1695820&view=auto ============================================================================== --- mesos/site/source/documentation/latest/authentication.md (added) +++ mesos/site/source/documentation/latest/authentication.md Fri Aug 14 06:03:28 2015 
@@ -0,0 +1,56 @@ +--- +layout: documentation +--- + +# Authentication + +Mesos 0.15.0 added support for framework authentication, and 0.19.0 added slave authentication. Authentication permits only trusted entities to interact with the Mesos cluster. + +Authentication is used by Mesos in three ways: + +1. Require that frameworks must be authenticated in order to register with the master. +2. Require that slaves must be authenticated in order to offer resources to the master. +3. To restrict access to the /teardown endpoint. + +## How Does It Work? + +Mesos uses the [Cyrus SASL library](http://asg.web.cmu.edu/sasl/) to implement authentication. SASL is a very flexible authentication framework that allows two endpoints to authenticate with each other and also has support for various authentication mechanisms (ANONYMOUS, PLAIN, CRAM-MD5, GSSAPI etc). Currently, Mesos provides support for CRAM-MD5 authentication, but users can provide their own authentication modules. CRAM-MD5 makes use of a **principal** and **secret** pair, with the principal representing the framework's identity. Note that this is different from the framework *user*, which is the account used by the executor to run tasks, and the *role* which is used to determine what resources frameworks can use. + +## Configuration + +The [configuration options](http://mesos.apache.org/documentation/latest/configuration/) that are used by the authentication mechanism are as follows: + +### Masters + +* --[no-]authenticate - If authenticate is 'true' only authenticated frameworks are allowed to register. If 'false' unauthenticated frameworks are also allowed to register. +* --[no-]authenticate_slaves - If 'true' only authenticated slaves are allowed to register. If 'false' unauthenticated slaves are also allowed to register. +* --authenticators - Specifies which authenticator module to use. The default is crammd5, but additional modules can be added with the --modules option. 
+* --credentials - The path to the text file which contains a list (either plain text or JSON) of accepted credentials. This may be optional depending on the authenticator being used. However, if specified, the credentials will be valid for the /teardown endpoint regardless of which authenticator is used. + +### Slaves + +* --authenticatee - Analog to the master --authenticators option to specify what module to use. Defaults to crammd5. +* --credential - Just like the master --credentials option, except only one credential is allowed, since this credential is used to identify the slave to the master. + +## CRAM-MD5 Example + +1. First, create a credentials file for the masters, the contents of which should look like this: + + principal1 secret1 + principal2 secret2 + +2. Now, start the master process using your credentials file (assuming the file is ~/credentials): + + ./bin/mesos-master.sh --ip=127.0.0.1 --work_dir=/var/lib/mesos --authenticate --authenticate_slaves --credentials=~/credentials + +3. Now create another file with a single credential in it (~/slave_credential): + + principal1 secret1 + +4. That file will be used to identify the slave process. Start the slave: + + ./bin/mesos-slave.sh --master=127.0.0.1:5050 --credential=~/slave_credential + +5. Your new slave should have now successfully authenticated with the master. With these settings, any framework that you'd like to use must also authenticate against the Mesos master. The method of configuring framework authentication may vary by framework, but is simple to implement as the scheduler driver will handle authentication when a Credential object is passed to its constructor. You can test out framework authentication using the test framework provided with Mesos as follows: + + MESOS_AUTHENTICATE=true DEFAULT_PRINCIPAL=principal2 DEFAULT_SECRET=secret2 ./src/test-framework --master=127.0.0.1:5050
Modified: mesos/site/source/documentation/latest/clang-format.md URL: http://svn.apache.org/viewvc/mesos/site/source/documentation/latest/clang-format.md?rev=1695820&r1=1695819&r2=1695820&view=diff ============================================================================== --- mesos/site/source/documentation/latest/clang-format.md (original) +++ mesos/site/source/documentation/latest/clang-format.md Fri Aug 14 06:03:28 2015 @@ -88,10 +88,6 @@ This binds the function `clang-format-re ## Known Limitations -* The braces after `namespace`s should not be wrapped. -* The braces after `struct`s and `union`s should be wrapped. * Parameters and arguments should be indented by 4 spaces rather than 2. -* Overloaded operators should be padded with spaces. - (e.g. `Foo operator + (...);`) * Should not follow Google's style of wrapping on open parentheses, we should try to reduce "jaggedness" in the code. Modified: mesos/site/source/documentation/latest/configuration.md URL: http://svn.apache.org/viewvc/mesos/site/source/documentation/latest/configuration.md?rev=1695820&r1=1695819&r2=1695820&view=diff ============================================================================== --- mesos/site/source/documentation/latest/configuration.md (original) +++ mesos/site/source/documentation/latest/configuration.md Fri Aug 14 06:03:28 2015 @@ -171,6 +171,25 @@ If you have special compilation requirem Explanation </th> </thead> + <tr> + <td> + --advertise_ip=VALUE + </td> + <td> + IP address advertised to reach mesos master. Mesos master does not bind using this + IP address. However, this IP address may be used to access Mesos master. + </td> + </tr> + <tr> + <td> + --advertise_port=VALUE + </td> + <td> + Port advertised to reach mesos master (alongwith advertise_ip). Mesos master does not + bind using this port. However, this port (alongwith advertise_ip) may be used to + access Mesos master. + </td> + </tr> <tr> <td> --quorum=VALUE 
@@ -307,6 +326,23 @@ file:///path/to/file (where file contain </td> </tr> <tr> + <td> + --authorizers=VALUE + </td> + <td> + Authorizer implementation to use when authorizating actions that + required it. Use the default <code>local</code>, or load an alternate + authorizer module using <code>--modules</code>. + <br/> + Note that if the flag <code>--authorizers</code> is provided with a + value different than the default <code>local</code>, the ACLs passed + through the <code>--acls</code> flag will be ignored. + <br/> + Currently there's no support for multiple authorizers.<br/> + (default: <code>local</code>) + </td> + </tr> + <tr> <td> --cluster=VALUE </td> Modified: mesos/site/source/documentation/latest/mesos-c++-style-guide.md URL: http://svn.apache.org/viewvc/mesos/site/source/documentation/latest/mesos-c%2B%2B-style-guide.md?rev=1695820&r1=1695819&r2=1695820&view=diff ============================================================================== --- mesos/site/source/documentation/latest/mesos-c++-style-guide.md (original) +++ mesos/site/source/documentation/latest/mesos-c++-style-guide.md Fri Aug 14 06:03:28 2015 @@ -37,7 +37,6 @@ void Slave::statusUpdate(StatusUpdate up ### Function Names * We use [lowerCamelCase](http://en.wikipedia.org/wiki/CamelCase#Variations_and_synonyms) for function names (Google uses mixed case for regular functions; and their accessors and mutators match the name of the variable). -* Leave spaces around overloaded operators, e.g. `operator + (...);` rather than `operator+(...);` ### Namespace Names * We do not use namespace aliases. @@ -51,7 +50,7 @@ void Slave::statusUpdate(StatusUpdate up * For trailing comments, leave one space. ## Breaks -* Break before braces on function, class, struct and union definitions. (Google attaches braces to the surrounding context) +* Break before braces on enum, function, and record (i.e. struct, class, union) definitions. ## Indentation 
@@ -535,8 +534,9 @@ auto lambda = [ `constexpr` behaves as a combination of `inline` and `const` and hence must be defined before use in another `constexpr`. - Prefer `constexpr to `const` for all constant POD declarations, `constexpr` `char` arrays are preferred to `const` `string` literals. - ``` + Prefer `constexpr` to `const` for all constant POD declarations, `constexpr` `char` arrays are preferred to `const` `string` literals. + +~~~{.cpp} // OK constexpr char LITERAL[] = "value"; 
@@ -547,18 +547,20 @@ auto lambda = [ // Not OK - uncertain initialization order, cannot be used in other // constexpr statements. const string LITERAL("value"); +~~~ - ``` `constexpr` functions are evaluated at compile time if all their arguments are constant expressions. Otherwise they default to initialization at runtime. However `constexpr` functions are limited in that they cannot perform dynamic casts, memory allocation or calls to non-constexpr functions. Prefer `constexpr` over const inline functions. - ``` +~~~{.cpp} constexpr size_t MIN = 200; constexpr size_t MAX = 1000; constexpr size_t SPAN() { return MAX-MIN; } int array[SPAN()]; - ``` - Const expression constructors allow object initialization at compile time provided that all the constructor arguments are constexpr and the constuctor body is empty, i.e. all initialization is performed in the initialization list. Classes which provide constexpr constructors should normally also provide constexpr copy constructors to allow the class to be used in the return value from a constexpr function. - ``` +~~~ + +Const expression constructors allow object initialization at compile time provided that all the constructor arguments are `constexpr` and the constuctor body is empty, i.e. all initialization is performed in the initialization list. Classes which provide `constexpr` constructors should normally also provide `constexpr` copy constructors to allow the class to be used in the return value from a `constexpr` function. + +~~~{.cpp} class C { public: 
@@ -567,6 +569,6 @@ auto lambda = [ private: const int i; }; +~~~ - ``` - C++11 does not provide constexpr string or containers in the STL and hence constexpr cannot be used for any class using stout's Error() class. + C++11 does not provide `constexpr string` or `constexpr` containers in the STL and hence `constexpr` cannot be used for any class using stout's Error() class. Modified: mesos/site/source/documentation/latest/operational-guide.md URL: http://svn.apache.org/viewvc/mesos/site/source/documentation/latest/operational-guide.md?rev=1695820&r1=1695819&r2=1695820&view=diff ============================================================================== --- mesos/site/source/documentation/latest/operational-guide.md (original) +++ mesos/site/source/documentation/latest/operational-guide.md Fri Aug 14 06:03:28 2015 
@@ -51,3 +51,6 @@ To decrease the quorum by N, repeat this ### Replacing a master Please see the NOTE section above. So long as the failed master is guaranteed to not re-join the ensemble, it is safe to start a new master _with an empty log_ and allow it to catch up. + +## External access for mesos master +If the default ip (or the command line arg `--ip`) points to an internal IP, then external entities such as framework scheduler would not be able to reach the master. To address that scenario, an externally accessible IP:port can be setup via the `--advertise_ip` and `--advertise_port` command line arguments of mesos master. If configured, external entities such as framework scheduler interact with the advertise_ip:advertise_port from where the request needs to be proxied to the internal IP:Port on which mesos master is listening. Modified: mesos/site/source/documentation/latest/powered-by-mesos.md URL: http://svn.apache.org/viewvc/mesos/site/source/documentation/latest/powered-by-mesos.md?rev=1695820&r1=1695819&r2=1695820&view=diff ============================================================================== --- mesos/site/source/documentation/latest/powered-by-mesos.md (original) +++ mesos/site/source/documentation/latest/powered-by-mesos.md Fri Aug 14 06:03:28 2015 @@ -18,6 +18,7 @@ layout: documentation * [Branding Brand](http://www.brandingbrand.com) * [Brigade](http://www.brigade.com) * [Categorize](http://categorize.co) +* [CERN](http://cern.ch) * [Cisco](http://www.cisco.com) * [CloudPhysics](http://cloudphysics.com) * [Conviva](http://www.conviva.com) @@ -39,6 +40,7 @@ layout: documentation * [iQIYI](http://www.iqiyi.com/) * [Learnium](http://www.learnium.net/) * [LIFX](http://lifx.co) +* [Linkernetworks](http://www.linkernetworks.com) * [Localsensor](http://www.localsensor.com) * [Magine TV](https://magine.com) * [Medallia](http://www.medallia.com) 
@@ -82,6 +84,7 @@ layout: documentation * [Yelp](http://www.yelp.com) * [Yieldbot](http://www.yieldbot.com) * [Yodle](http://www.yodle.com) +* [Xiaomi](http://www.xiaomi.com) * [Xogito](http://www.xogito.com) ## Software projects built on Mesos
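Review bot: In the added authentication.md, the `--credentials` description says the file holds accepted credentials "either plain text or JSON" but never says the secrets sit in the file in cleartext or that the file must be readable only by the user running the master; the CRAM-MD5 example (`principal1 secret1`, `~/credentials`, `~/slave_credential`) makes that concrete, so add a sentence on file permissions next to the `--credentials` and `--credential` flags. The test-framework line `MESOS_AUTHENTICATE=true DEFAULT_PRINCIPAL=principal2 DEFAULT_SECRET=secret2 ./src/test-framework --master=127.0.0.1:5050` also hands the secret over through the environment, which other local processes can read; mark it as a test-only convenience. Minor: the sentence "the credentials will be valid for the /teardown endpoint regardless of which authenticator is used" does not say how that endpoint consumes the principal/secret, so an operator cannot judge from this page whether `/teardown` is safe to expose; one line or a cross-reference would fix that.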
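Review bot: In the `--advertise_ip` / `--advertise_port` rows of configuration.md, "alongwith" should be "along with" (twice), and the text states that the master "does not bind using this IP address" without saying what must exist at that address; the operational-guide hunk in this same commit explains that something has to proxy advertise_ip:advertise_port to the real listening IP:port, so either say so here or cross-reference that section, otherwise a reader can set the flags and get a master that advertises an address nothing answers on.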
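Review bot: The new `--authorizers` row in configuration.md says that with a value other than `local` "the ACLs passed through the `--acls` flag will be ignored"; silently discarding an operator's ACLs is a security footgun, so the doc should state whether the master logs a warning or refuses to start when both flags are given in that combination (and if it does neither, that is worth fixing in the master rather than documenting as-is). Also "authorizating actions that required it" should read "authorizing actions that require it".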
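Review bot: The rewritten constexpr paragraph in the `@@ -547,18 +547,20 @@` hunk of mesos-c++-style-guide.md still carries the typo "constuctor" ("the constuctor body is empty"); since the line is being rewritten anyway, correct it to "constructor". The change from indented ``` fences to `~~~{.cpp}` is applied consistently to all three code blocks in the section, which is fine.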
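Review bot: The new "External access for mesos master" section in operational-guide.md tells operators to proxy an externally reachable IP:port to the master's internal listening address but says nothing about what that proxy exposes; every master HTTP endpoint, including `/teardown` whose access control is described in the authentication.md added in this same commit, becomes reachable from outside through the advertised address, so the section should point at `--authenticate`, `--credentials` and `--acls` / `--authorizers` before a master is published this way. Grammar: "external entities such as framework scheduler would not be able" should be "external entities such as a framework scheduler would not be able"; "can be setup" should be "can be set up"; and "interact with the advertise_ip:advertise_port from where the request needs to be proxied" reads better as "send requests to advertise_ip:advertise_port, from where they must be proxied to the internal IP:port the master listens on".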
