Enabled authentication on the V1 executor API. This patch updates the `v1/executor` endpoint on the agent to route through the correct authentication realm, so that the agent may require authentication on the executor API.
Review: https://reviews.apache.org/r/57670/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/3e62a134
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/3e62a134
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/3e62a134
Branch: refs/heads/master
Commit: 3e62a134210f1ea3f5de8b02f761d2e50898b70d
Parents: ede7944
Author: Greg Mann <[email protected]>
Authored: Fri Mar 24 10:00:59 2017 -0700
Committer: Anand Mazumdar <[email protected]>
Committed: Fri Mar 24 10:01:33 2017 -0700
----------------------------------------------------------------------
 src/slave/constants.hpp | 3 +++
 src/slave/http.cpp | 4 +++-
 src/slave/slave.cpp | 6 ++++--
 src/slave/slave.hpp | 4 +++-
 4 files changed, 13 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/3e62a134/src/slave/constants.hpp
----------------------------------------------------------------------
diff --git a/src/slave/constants.hpp b/src/slave/constants.hpp
index 1f3c543..ef978d6 100644
--- a/src/slave/constants.hpp
+++ b/src/slave/constants.hpp
@@ -142,6 +142,9 @@ constexpr char READONLY_HTTP_AUTHENTICATION_REALM[] = "mesos-agent-readonly";
 // Name of the agent HTTP authentication realm for read-write endpoints.
 constexpr char READWRITE_HTTP_AUTHENTICATION_REALM[] = "mesos-agent-readwrite";
+// Name of the agent HTTP authentication realm for HTTP executors.
+constexpr char EXECUTOR_HTTP_AUTHENTICATION_REALM[] = "mesos-agent-executor";
+
 // Default maximum storage space to be used by the fetcher cache.
 constexpr Bytes DEFAULT_FETCHER_CACHE_SIZE = Gigabytes(2);
http://git-wip-us.apache.org/repos/asf/mesos/blob/3e62a134/src/slave/http.cpp
----------------------------------------------------------------------
diff --git a/src/slave/http.cpp b/src/slave/http.cpp
index 1ab6f94..e253ce9 100644
--- a/src/slave/http.cpp
+++ b/src/slave/http.cpp
@@ -635,7 +635,9 @@ string Slave::Http::EXECUTOR_HELP() {
 }
-Future<Response> Slave::Http::executor(const Request& request) const
+Future<Response> Slave::Http::executor(
+ const Request& request,
+ const Option<Principal>& principal) const
 {
 if (!slave->recoveryInfo.reconnect) {
 CHECK(slave->state == RECOVERING);
http://git-wip-us.apache.org/repos/asf/mesos/blob/3e62a134/src/slave/slave.cpp
----------------------------------------------------------------------
diff --git a/src/slave/slave.cpp b/src/slave/slave.cpp
index c6ee4fa..3acb29d 100644
--- a/src/slave/slave.cpp
+++ b/src/slave/slave.cpp
@@ -565,10 +565,12 @@ void Slave::initialize()
 options);
 route("/api/v1/executor",
+ EXECUTOR_HTTP_AUTHENTICATION_REALM,
 Http::EXECUTOR_HELP(),
- [this](const process::http::Request& request) {
+ [this](const process::http::Request& request,
+ const Option<Principal>& principal) {
 Http::log(request);
- return http.executor(request);
+ return http.executor(request, principal);
 });
 // TODO(ijimenez): Remove this endpoint at the end of the
http://git-wip-us.apache.org/repos/asf/mesos/blob/3e62a134/src/slave/slave.hpp
----------------------------------------------------------------------
diff --git a/src/slave/slave.hpp b/src/slave/slave.hpp
index f365a53..7ab646e 100644
--- a/src/slave/slave.hpp
+++ b/src/slave/slave.hpp
@@ -503,7 +503,9 @@ private:
 // /api/v1/executor
 process::Future<process::http::Response> executor(
- const process::http::Request& request) const;
+ const process::http::Request& request,
+ const Option<process::http::authentication::Principal>&
+ principal) const;
 // /slave/flags
 process::Future<process::http::Response> flags(
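Review bot: The new `principal` argument of `Slave::Http::executor` is not used in any line this hunk shows, so as far as the hunk goes an authenticated caller is not tied to one particular executor. The function body continues outside the hunk, so the check may exist further down. If it does not, I would leave a marker at the top of the body: `// TODO: check principal against the executor named in the call; authentication alone does not bind the caller to it.` Without such a check, any principal accepted by the `mesos-agent-executor` realm could presumably issue calls on behalf of another executor on the same agent.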
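Review bot: Passing `EXECUTOR_HTTP_AUTHENTICATION_REALM` to `route()` in the slave.cpp hunk only names the realm; nothing here installs an authenticator for it. The constant is new in this commit and the diffstat shows no other change to slave.cpp, so `/api/v1/executor` likely stays unauthenticated until a later change registers one. As far as I know libprocess hands the request to the handler with no principal when a realm has no authenticator, which is worth confirming. I would say so next to the route: `// NOTE: requests are authenticated only once an authenticator is set for this realm; until then principal is NONE.` `Http::log(request)` also records the request without the principal, which is worth adding to the log line once authentication is on.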
