Repository: mesos Updated Branches: refs/heads/master f73f29bd3 -> 8bbe70041
Changed '--executor_secret_key' agent flag to accept a path. This patch changes the agent flag '--executor_secret_key' to accept a path, so that the secret will not be leaked in logs. Review: https://reviews.apache.org/r/58327/ Project: http://git-wip-us.apache.org/repos/asf/mesos/repo Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/0b7a4010 Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/0b7a4010 Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/0b7a4010 Branch: refs/heads/master Commit: 0b7a40102a33ab46c2794963d9a0133b9e76b880 Parents: f73f29b Author: Greg Mann <[email protected]> Authored: Thu Apr 13 15:44:19 2017 -0700 Committer: Vinod Kone <[email protected]> Committed: Thu Apr 13 15:44:19 2017 -0700 ---------------------------------------------------------------------- docs/configuration.md | 5 +++-- src/slave/flags.cpp | 5 +++-- src/slave/flags.hpp | 2 +- src/slave/slave.cpp | 24 +++++++++++++++++++++++- 4 files changed, 30 insertions(+), 6 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/mesos/blob/0b7a4010/docs/configuration.md ----------------------------------------------------------------------
diff --git a/docs/configuration.md b/docs/configuration.md
index 452478e..159f946 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -1418,8 +1418,9 @@ in memory. (default: 150)
 --executor_secret_key=VALUE
 </td>
 <td>
-The key used when generating executor secrets. This flag is only
-available when Mesos is built with SSL support.
+Path to a file containing the key used when generating executor
+secrets. This flag is only available when Mesos is built with SSL
+support.
 </td>
 </tr>
 <tr>
http://git-wip-us.apache.org/repos/asf/mesos/blob/0b7a4010/src/slave/flags.cpp ----------------------------------------------------------------------
diff --git a/src/slave/flags.cpp b/src/slave/flags.cpp
index 9365da2..c50e43c 100644
--- a/src/slave/flags.cpp
+++ b/src/slave/flags.cpp @@ -345,8 +345,9 @@ mesos::internal::slave::Flags::Flags() #ifdef USE_SSL_SOCKET add(&Flags::executor_secret_key, "executor_secret_key", - "The key used when generating executor secrets. This flag is only\n" - "available when Mesos is built with SSL support."); + "Path to a file containing the key used when generating executor\n" + "secrets. This flag is only available when Mesos is built with SSL\n" + "support."); #endif // USE_SSL_SOCKET add(&Flags::gc_delay, http://git-wip-us.apache.org/repos/asf/mesos/blob/0b7a4010/src/slave/flags.hpp ---------------------------------------------------------------------- diff --git a/src/slave/flags.hpp b/src/slave/flags.hpp index 171f67e..c7a4604 100644 --- a/src/slave/flags.hpp +++ b/src/slave/flags.hpp @@ -79,7 +79,7 @@ public: Duration executor_registration_timeout; Duration executor_shutdown_grace_period; #ifdef USE_SSL_SOCKET - Option<std::string> executor_secret_key; + Option<Path> executor_secret_key; #endif // USE_SSL_SOCKET Duration gc_delay; double gc_disk_headroom; http://git-wip-us.apache.org/repos/asf/mesos/blob/0b7a4010/src/slave/slave.cpp ---------------------------------------------------------------------- diff --git a/src/slave/slave.cpp b/src/slave/slave.cpp index f013e9c..3ad4ce4 100644 --- a/src/slave/slave.cpp +++ b/src/slave/slave.cpp 
@@ -291,7 +291,29 @@ void Slave::initialize()
 Option<string> secretKey;
 #ifdef USE_SSL_SOCKET
 if (flags.executor_secret_key.isSome()) {
- secretKey = flags.executor_secret_key.get();
+ Try<string> secretKey_ = os::read(flags.executor_secret_key.get());
+
+ if (secretKey_.isError()) {
+ EXIT(EXIT_FAILURE) << "Failed to read the file specified by "
+ << "--executor_secret_key";
+ }
+
+ // TODO(greggomann): Factor the following code out into a common helper,
+ // since we also do this when loading credentials.
+ Try<os::Permissions> permissions =
+ os::permissions(flags.executor_secret_key.get());
+ if (permissions.isError()) {
+ LOG(WARNING) << "Failed to stat executor secret key file '"
+ << flags.executor_secret_key.get()
+ << "': " << permissions.error();
+ } else if (permissions.get().others.rwx) {
+ LOG(WARNING) << "Permissions on executor secret key file '"
+ << flags.executor_secret_key.get()
+ << "' are too open; it is recommended that your"
+ << " key file is NOT accessible by others";
+ }
+
+ secretKey = secretKey_.get();
 secretGenerator = new JWTSecretGenerator(secretKey.get());
 }
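Review bot: Nothing in the added block rejects an empty key: whatever `os::read()` returns is handed to `JWTSecretGenerator`, so a zero-length or truncated key file would apparently leave executor secrets signed with a trivially guessable key. After the `isError()` check I would add `if (secretKey_.get().empty()) { EXIT(EXIT_FAILURE) << "The file specified by --executor_secret_key is empty"; }`. The existing EXIT message also drops the cause; appending `<< ": " << secretKey_.error()` lets an operator tell a missing file from a permission problem. The world-accessible case only logs a warning, and only after the key has been read, which matches the credentials handling the TODO refers to but means the agent starts with an exposed key unless someone reads the log. Slave::initialize() starts and ends outside this hunk.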
