Updated "teardown_framework" requests in the authorizer. Review: https://reviews.apache.org/r/41932/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/0fa84b6f Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/0fa84b6f Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/0fa84b6f Branch: refs/heads/master Commit: 0fa84b6f14707951e1bfef4e4d1f141898813388 Parents: d0a5cd6 Author: Guangya Liu <[email protected]> Authored: Thu Jan 21 01:26:52 2016 -0800 Committer: Adam B <[email protected]> Committed: Thu Jan 21 01:29:11 2016 -0800 ---------------------------------------------------------------------- src/authorizer/local/authorizer.cpp | 14 +++++++++ src/tests/teardown_tests.cpp | 50 ++++++++++++++++++++++++++++++++ 2 files changed, 64 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/mesos/blob/0fa84b6f/src/authorizer/local/authorizer.cpp ----------------------------------------------------------------------
diff --git a/src/authorizer/local/authorizer.cpp b/src/authorizer/local/authorizer.cpp
index c1db9c2..9557bbd 100644
--- a/src/authorizer/local/authorizer.cpp
+++ b/src/authorizer/local/authorizer.cpp
@@ -74,6 +74,8 @@ public:
 Future<bool> authorize(const ACL::ShutdownFramework& request)
 {
+ // TODO(gyliu513): Remove this shutdown_frameworks acl logic at the
+ // end of the deprecation cycle on 0.27.
 foreach (const ACL::ShutdownFramework& acl, acls.shutdown_frameworks()) {
 // ACL matches if both subjects and objects match.
 if (matches(request.principals(), acl.principals()) &&
@@ -86,6 +88,18 @@ public:
 }
 }
+ foreach (const ACL::TeardownFramework& acl, acls.teardown_frameworks()) {
+ // ACL matches if both subjects and objects match.
+ if (matches(request.principals(), acl.principals()) &&
+ matches(request.framework_principals(),
+ acl.framework_principals())) {
+ // ACL is allowed if both subjects and objects are allowed.
+ return allows(request.principals(), acl.principals()) &&
+ allows(request.framework_principals(),
+ acl.framework_principals());
+ }
+ }
+
 return acls.permissive(); // None of the ACLs match.
 }
http://git-wip-us.apache.org/repos/asf/mesos/blob/0fa84b6f/src/tests/teardown_tests.cpp ----------------------------------------------------------------------
diff --git a/src/tests/teardown_tests.cpp b/src/tests/teardown_tests.cpp
index d979e07..5753559 100644
--- a/src/tests/teardown_tests.cpp
+++ b/src/tests/teardown_tests.cpp
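Review bot: In `authorize(const ACL::ShutdownFramework&)` in authorizer.cpp, the added `teardown_frameworks` loop is only reached when no deprecated `shutdown_frameworks` entry matched, so for the length of the deprecation cycle an old entry decides the request ahead of a newer one. The body of the first loop lies between the two hunks, but if it returns on the first match like the added loop does, an operator who tightens teardown access under the new key while a broad old entry is still configured keeps the old, wider decision. I would check `teardown_frameworks` first, or at least record the ordering at the loop with `// NOTE: deprecated shutdown_frameworks entries are evaluated first and take precedence over teardown_frameworks.` and warn at startup when both lists are non-empty. The two loops are otherwise identical and could share one helper so the match/allow logic cannot drift between them.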
@@ -142,6 +142,56 @@ TEST_F(TeardownTest, TeardownEndpointGoodACLs)
 // Setup ACLs so that the default principal can teardown the
 // framework.
 ACLs acls;
+ mesos::ACL::TeardownFramework* acl = acls.add_teardown_frameworks();
+ acl->mutable_principals()->add_values(DEFAULT_CREDENTIAL.principal());
+ acl->mutable_framework_principals()->add_values(
+ DEFAULT_CREDENTIAL.principal());
+
+ master::Flags flags = CreateMasterFlags();
+ flags.acls = acls;
+ Try<PID<Master> > master = StartMaster(flags);
+ ASSERT_SOME(master);
+
+ MockScheduler sched;
+ MesosSchedulerDriver driver(
+ &sched, DEFAULT_FRAMEWORK_INFO, master.get(), DEFAULT_CREDENTIAL);
+
+ Future<FrameworkID> frameworkId;
+ EXPECT_CALL(sched, registered(&driver, _, _))
+ .WillOnce(FutureArg<1>(&frameworkId));
+
+ ASSERT_EQ(DRIVER_RUNNING, driver.start());
+
+ AWAIT_READY(frameworkId);
+
+ process::http::Headers headers;
+ headers["Authorization"] = "Basic " +
+ base64::encode(DEFAULT_CREDENTIAL.principal() +
+ ":" + DEFAULT_CREDENTIAL.secret());
+
+ Future<Response> response = process::http::post(
+ master.get(),
+ "teardown",
+ headers,
+ "frameworkId=" + frameworkId.get().value());
+
+ AWAIT_READY(response);
+ AWAIT_EXPECT_RESPONSE_STATUS_EQ(OK().status, response);
+
+ driver.stop();
+ driver.join();
+
+ Shutdown();
+}
+
+
+// Testing route with deprecated (but still good) ACLs.
+// This ACL/test will be removed at the end of the deprecation cycle on 0.27.
+TEST_F(TeardownTest, TeardownEndpointGoodDeprecatedACLs)
+{
+ // Setup ACLs so that the default principal can teardown the
+ // framework.
+ ACLs acls;
 mesos::ACL::ShutdownFramework* acl = acls.add_shutdown_frameworks();
 acl->mutable_principals()->add_values(DEFAULT_CREDENTIAL.principal());
 acl->mutable_framework_principals()->add_values(
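Review bot: `TeardownEndpointGoodACLs` does not show that the new `teardown_frameworks` entry is what authorizes the request: the authorizer falls back to `acls.permissive()` when nothing matches, and `acls` is never made non-permissive in the added lines, so if that field defaults to true the test would still get `OK` with the new loop removed. Adding `acls.set_permissive(false);` after `ACLs acls;` would pin the allow decision to the ACL entry. The hunk also adds no deny case for the new key; unless one exists outside the visible lines, a test where the `teardown_frameworks` entry excludes the caller and the response is checked for a rejection would cover the security-relevant path. The renamed deprecated test continues past the end of the hunk.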
