Enabled authorization of libprocess HTTP endpoints (Mesos). Code is added to the common headers and the master/agent executables to set authorization callbacks for libprocess-level HTTP endpoints. This allows these endpoints to be authorized.
Review: https://reviews.apache.org/r/46867/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/d0b0ca63
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/d0b0ca63
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/d0b0ca63
Branch: refs/heads/master
Commit: d0b0ca638ec033b62da8f86cba9e42a955916eb4
Parents: 25376d8
Author: Greg Mann <[email protected]>
Authored: Wed May 11 22:45:37 2016 -0400
Committer: Kapil Arya <[email protected]>
Committed: Thu May 12 01:50:20 2016 -0400
----------------------------------------------------------------------
 src/common/http.cpp | 16 ++++++++++++++++
 src/common/http.hpp | 8 ++++++++
 src/master/main.cpp | 9 +++++++++
 src/slave/main.cpp | 9 +++++++++
 4 files changed, 42 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/d0b0ca63/src/common/http.cpp
----------------------------------------------------------------------
diff --git a/src/common/http.cpp b/src/common/http.cpp
index ccf3868..e44d1a2 100644
--- a/src/common/http.cpp
+++ b/src/common/http.cpp
@@ -25,6 +25,13 @@
 #include <mesos/http.hpp>
 #include <mesos/resources.hpp>
+#include <mesos/authorizer/authorizer.hpp>
+
+#include <process/dispatch.hpp>
+#include <process/future.hpp>
+#include <process/http.hpp>
+#include <process/pid.hpp>
+
 #include <stout/foreach.hpp>
 #include <stout/protobuf.hpp>
 #include <stout/stringify.hpp>
@@ -40,6 +47,8 @@ using std::set;
 using std::string;
 using std::vector;
+using process::http::authorization::AuthorizationCallbacks;
+
 namespace mesos {
 ostream& operator<<(ostream& stream, ContentType contentType)
@@ -574,4 +583,11 @@ static void json(JSON::StringWriter* writer, const Value::Text& text)
 writer->append(text.value());
 }
+
+const AuthorizationCallbacks createAuthorizationCallbacks(
+ Authorizer* authorizer)
+{
+ return AuthorizationCallbacks();
+}
+
 } // namespace mesos {
http://git-wip-us.apache.org/repos/asf/mesos/blob/d0b0ca63/src/common/http.hpp
----------------------------------------------------------------------
diff --git a/src/common/http.hpp b/src/common/http.hpp
index 6c6f284..0029465 100644
--- a/src/common/http.hpp
+++ b/src/common/http.hpp
@@ -22,6 +22,11 @@
 #include <mesos/http.hpp>
 #include <mesos/mesos.hpp>
+#include <mesos/authorizer/authorizer.hpp>
+
+#include <process/future.hpp>
+#include <process/http.hpp>
+
 #include <stout/hashmap.hpp>
 #include <stout/json.hpp>
 #include <stout/jsonify.hpp>
@@ -92,6 +97,9 @@ void json(JSON::ArrayWriter* writer, const Labels& labels);
 void json(JSON::ObjectWriter* writer, const Resources& resources);
 void json(JSON::ObjectWriter* writer, const TaskStatus& status);
+const process::http::authorization::AuthorizationCallbacks
+ createAuthorizationCallbacks(Authorizer* authorizer);
+
 } // namespace mesos {
 #endif // __COMMON_HTTP_HPP__
http://git-wip-us.apache.org/repos/asf/mesos/blob/d0b0ca63/src/master/main.cpp
----------------------------------------------------------------------
diff --git a/src/master/main.cpp b/src/master/main.cpp
index 23149d5..2d1bd55 100644
--- a/src/master/main.cpp
+++ b/src/master/main.cpp
@@ -57,6 +57,7 @@
 #include <stout/try.hpp>
 #include "common/build.hpp"
+#include "common/http.hpp"
 #include "common/protobuf_utils.hpp"
 #include "hook/manager.hpp"
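Review bot: `createAuthorizationCallbacks` in src/common/http.cpp (hunk `@@ -574,4 +583,11 @@`) ignores its `authorizer` argument and returns an empty `AuthorizationCallbacks()`, so the `setCallbacks(...)` calls this commit adds to the master and agent install no callback for any endpoint. How libprocess treats an endpoint without a registered callback is not visible here; if it lets the request through, the libprocess-level endpoints remain unauthorized even with an authorizer configured, which the commit description does not state. I would mark the stub in the code, e.g. `// TODO(<owner>): No callbacks are installed yet, so libprocess endpoints are still unauthorized.`, so nobody reads the wiring as an active control.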
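Review bot: The declaration of `createAuthorizationCallbacks` in src/common/http.hpp (hunk `@@ -92,6 +97,9 @@`) carries no comment on the contract for the raw `Authorizer*`: whether it may be null and how long it has to stay valid. The callers' comments say the callbacks capture that pointer, so I would put above the declaration `// Returns the authorization callbacks for libprocess HTTP endpoints. The callbacks hold a non-owning pointer to authorizer, which must outlive them.` Separately, the `const` on the by-value return type prevents the result from being moved; plain `AuthorizationCallbacks` would do, here and in the definition in http.cpp.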
@@ -424,6 +425,14 @@ int main(int argc, char** argv)
 << "' authorizer: " << authorizer.error();
 } else if (authorizer.isSome()) {
 authorizer_ = authorizer.get();
+
+ // Set the authorization callbacks for libprocess HTTP endpoints.
+ // Note that these callbacks capture `authorizer_.get()`, but the master
+ // creates a copy of the authorizer during construction. Thus, if in the
+ // future it becomes possible to dynamically set the authorizer, this would
+ // break.
+ process::http::authorization::setCallbacks(
+ createAuthorizationCallbacks(authorizer_.get()));
 }
 Option<shared_ptr<RateLimiter>> slaveRemovalLimiter = None();
http://git-wip-us.apache.org/repos/asf/mesos/blob/d0b0ca63/src/slave/main.cpp
----------------------------------------------------------------------
diff --git a/src/slave/main.cpp b/src/slave/main.cpp
index fee46ba..66aea8c 100644
--- a/src/slave/main.cpp
+++ b/src/slave/main.cpp
@@ -40,6 +40,7 @@
 #include <stout/try.hpp>
 #include "common/build.hpp"
+#include "common/http.hpp"
 #include "hook/manager.hpp"
@@ -314,6 +315,14 @@ int main(int argc, char** argv)
 << "' authorizer: " << authorizer.error();
 } else if (authorizer.isSome()) {
 authorizer_ = authorizer.get();
+
+ // Set the authorization callbacks for libprocess HTTP endpoints.
+ // Note that these callbacks capture `authorizer_.get()`, but the agent
+ // creates a copy of the authorizer during construction. Thus, if in the
+ // future it becomes possible to dynamically set the authorizer, this would
+ // break.
+ process::http::authorization::setCallbacks(
+ createAuthorizationCallbacks(authorizer_.get()));
 }
 if (flags.firewall_rules.isSome()) {
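Review bot: The callbacks registered in src/master/main.cpp (hunk `@@ -424,6 +425,14 @@`) are documented as capturing the raw pointer from `authorizer_.get()`, and nothing in the hunk removes them again before the authorizer is destroyed. `main` starts and ends outside the hunk, so this is inferred rather than seen: if the authorizer is deleted while libprocess can still serve a request, a late request would reach the callback with a dangling `Authorizer*`. I would pair the registration with `process::http::authorization::unsetCallbacks();` immediately before the authorizer is deleted, and extend the comment to state that lifetime requirement alongside the dynamic-authorizer caveat. The identical block in src/slave/main.cpp (hunk `@@ -314,6 +315,14 @@`) needs the same treatment.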
