Added the '--authenticate_http_executors' agent flag. This patch adds a new agent flag, `--authenticate_http_executors`, which requires authentication on the V1 executor API and loads the default JWT authenticator.
Review: https://reviews.apache.org/r/57666/ Project: http://git-wip-us.apache.org/repos/asf/mesos/repo Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/ede79444 Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/ede79444 Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/ede79444 Branch: refs/heads/master Commit: ede794446284c5a68dd0ca205e0fee12edfa501c Parents: faf0c08 Author: Greg Mann <[email protected]> Authored: Fri Mar 24 10:00:50 2017 -0700 Committer: Anand Mazumdar <[email protected]> Committed: Fri Mar 24 10:01:33 2017 -0700 ---------------------------------------------------------------------- docs/configuration.md | 14 ++++++++++++-- src/slave/flags.cpp | 13 ++++++++++--- src/slave/flags.hpp | 3 +++ 3 files changed, 25 insertions(+), 5 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/ede79444/docs/configuration.md ----------------------------------------------------------------------
diff --git a/docs/configuration.md b/docs/configuration.md
index 2e9b829..6f1675f 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -127,8 +127,7 @@ HTTP authenticator implementation to use when handling requests to authenticated endpoints. Use the default <code>basic</code>, or load an alternate HTTP authenticator module using <code>--modules</code>.
-<p/>
-Currently there is no support for multiple HTTP authenticators. (default: basic)
+(default: basic, or basic and JWT if executor authentication is enabled)
 </td> </tr> <tr>
@@ -1050,6 +1049,17 @@ Attributes of the agent machine, in the form:
 </tr> <tr> <td>
+ --[no-]authenticate_http_executors
+ </td>
+ <td>
+If <code>true</code>, only authenticated requests for the HTTP executor API are
+allowed. If <code>false</code>, unauthenticated requests are also allowed. This
+flag is only available when Mesos is built with SSL support.
+(default: false)
+ </td>
+</tr>
+<tr>
+ <td>
 --authenticatee=VALUE </td> <td>
http://git-wip-us.apache.org/repos/asf/mesos/blob/ede79444/src/slave/flags.cpp ----------------------------------------------------------------------
diff --git a/src/slave/flags.cpp b/src/slave/flags.cpp
index 3c3cbe0..8d2e2e3 100644
--- a/src/slave/flags.cpp
+++ b/src/slave/flags.cpp
@@ -877,9 +877,7 @@ mesos::internal::slave::Flags::Flags()
 "HTTP authenticator implementation to use when handling requests to\n" "authenticated endpoints. Use the default\n" "`" + string(DEFAULT_BASIC_HTTP_AUTHENTICATOR) + "`, or load an\n"
- "alternate HTTP authenticator module using `--modules`.\n"
- "\n"
- "Currently there is no support for multiple HTTP authenticators.",
+ "alternate HTTP authenticator module using `--modules`.",
 DEFAULT_BASIC_HTTP_AUTHENTICATOR); add(&Flags::authenticate_http_readwrite,
@@ -896,6 +894,15 @@ mesos::internal::slave::Flags::Flags()
 "requests to such HTTP endpoints are also allowed.", false);
+#ifdef USE_SSL_SOCKET
+ add(&Flags::authenticate_http_executors,
+ "authenticate_http_executors",
+ "If `true`, only authenticated requests for the HTTP executor API are\n"
+ "allowed. If `false`, unauthenticated requests are also allowed. This\n"
+ "flag is only available when Mesos is built with SSL support.",
+ false);
+#endif // USE_SSL_SOCKET
+
 add(&Flags::http_credentials, "http_credentials", "Path to a JSON-formatted file containing credentials used to\n"
http://git-wip-us.apache.org/repos/asf/mesos/blob/ede79444/src/slave/flags.hpp ----------------------------------------------------------------------
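Review bot: In src/slave/flags.cpp (hunk at -877) the `--http_authenticators` help text now disagrees with docs/configuration.md, which this commit changes to say the default is "basic, or basic and JWT if executor authentication is enabled". The help string only loses the "no support for multiple HTTP authenticators" sentence, and the registered default is still `DEFAULT_BASIC_HTTP_AUTHENTICATOR`, so an operator reading `--help` cannot tell that turning on `--authenticate_http_executors` changes which authenticators are loaded. I would add a line to the help string such as `"When --authenticate_http_executors is set, the JWT authenticator is also loaded."` (wording inferred from the commit description; confirm against the code that loads the authenticators, which is not in this diff). The `add(...)` call begins above the hunk.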
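Review bot: The new flag in src/slave/flags.cpp (hunk at -896) defaults to `false`, and its help text does not say what the SSL build condition means for an operator. As far as this diff shows, a build without `USE_SSL_SOCKET` does not register the flag at all, so the executor API cannot be made to require authentication there. Being built with SSL support also does not by itself mean agent traffic is encrypted, so executor tokens could still be sent in cleartext unless TLS is enabled at runtime. I would put a comment above the `#ifdef`, e.g. `// Gated on USE_SSL_SOCKET because the default JWT authenticator needs the SSL build; without it the executor API is always unauthenticated.` (the reason for the gate is inferred, please confirm), and add a sentence to the help string advising that TLS be enabled for the agent when this flag is on. The constructor body continues outside the hunk.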
diff --git a/src/slave/flags.hpp b/src/slave/flags.hpp
index fec0354..2d982f9 100644
--- a/src/slave/flags.hpp
+++ b/src/slave/flags.hpp
@@ -147,6 +147,9 @@ public:
 std::string http_authenticators; bool authenticate_http_readonly; bool authenticate_http_readwrite;
+#ifdef USE_SSL_SOCKET
+ bool authenticate_http_executors;
+#endif // USE_SSL_SOCKET
 Option<Path> http_credentials; Option<std::string> hooks; Option<std::string> resource_estimator;
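Review bot: Declaring `authenticate_http_executors` only under `USE_SSL_SOCKET` makes the layout of `Flags` depend on a build macro. Every reader of the member then has to repeat the `#ifdef`, and any code compiled against this header with a different `USE_SSL_SOCKET` setting would disagree about the struct. Consider declaring the member unconditionally, `bool authenticate_http_executors = false;`, and gating only the `add(...)` registration in flags.cpp, so the authentication check at the call sites can be written once without a guard. If the guard stays, a comment such as `// Only present in SSL builds; the executor API cannot require authentication otherwise.` would document the consequence (inferred from this diff, please confirm). The class body starts and ends outside the hunk.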
