Repository: mesos Updated Branches: refs/heads/master 7e432a930 -> 071e8cfbe
Added VIEW_STANDALONE_CONTAINER ACL.
Review: https://reviews.apache.org/r/64638
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/a814362d
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/a814362d
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/a814362d
Branch: refs/heads/master
Commit: a814362db5b93b6c3862abe299d80f29d23e1bbe
Parents: cc6e2a1
Author: Jie Yu <[email protected]>
Authored: Thu Dec 14 17:39:14 2017 -0800
Committer: Jie Yu <[email protected]>
Committed: Fri Dec 15 09:32:00 2017 -0800
----------------------------------------------------------------------
 include/mesos/authorizer/acls.proto | 15 +++++++++++++++
 include/mesos/authorizer/authorizer.proto | 4 ++++
 src/authorizer/local/authorizer.cpp | 15 +++++++++++++++
 3 files changed, 34 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/a814362d/include/mesos/authorizer/acls.proto
----------------------------------------------------------------------
diff --git a/include/mesos/authorizer/acls.proto b/include/mesos/authorizer/acls.proto
index 40a1425..5c7ed34 100644
--- a/include/mesos/authorizer/acls.proto
+++ b/include/mesos/authorizer/acls.proto
@@ -468,6 +468,20 @@ message ACL {
 required Entity users = 2;
 }
 
+ // Which principals are authorized to see the container metadata of a
+ // standalone container.
+ message ViewStandaloneContainer {
+ // Subjects: HTTP Username.
+ required Entity principals = 1;
+
+ // Objects: Given implicitly.
+ // Use Entity type ANY or NONE to allow or deny access.
+ //
+ // TODO(jieyu): Consider allowing granular permission to act upon
+ // SOME particular operating system users (e.g., linux users).
+ required Entity users = 2;
+ }
+
 // Which principals are authorized to add, update and remove resource
 // provider config files.
 message ModifyResourceProviderConfig {
@@ -556,5 +570,6 @@ message ACLs {
 repeated ACL.KillStandaloneContainer kill_standalone_container = 42;
 repeated ACL.WaitStandaloneContainer wait_standalone_container = 43;
 repeated ACL.RemoveStandaloneContainer remove_standalone_container = 44;
+ repeated ACL.ViewStandaloneContainer view_standalone_containers = 46;
 repeated ACL.ModifyResourceProviderConfig modify_resource_provider_configs = 45;
 }
http://git-wip-us.apache.org/repos/asf/mesos/blob/a814362d/include/mesos/authorizer/authorizer.proto
----------------------------------------------------------------------
diff --git a/include/mesos/authorizer/authorizer.proto b/include/mesos/authorizer/authorizer.proto
index 7db5fb3..90ffdfa 100644
--- a/include/mesos/authorizer/authorizer.proto
+++ b/include/mesos/authorizer/authorizer.proto
@@ -243,6 +243,10 @@ enum Action {
 REMOVE_STANDALONE_CONTAINER = 38;
 
 // This action will not fill in any object fields. A principal is either
+ // allowed to remove standalone containers or is unauthorized.
+ VIEW_STANDALONE_CONTAINER = 40;
+
+ // This action will not fill in any object fields. A principal is either
 // allowed to add, update and remove resource provider config files or is
 // unauthorized.
 MODIFY_RESOURCE_PROVIDER_CONFIG = 39;
http://git-wip-us.apache.org/repos/asf/mesos/blob/a814362d/src/authorizer/local/authorizer.cpp
----------------------------------------------------------------------
diff --git a/src/authorizer/local/authorizer.cpp b/src/authorizer/local/authorizer.cpp
index 09f2618..329f91d 100644
--- a/src/authorizer/local/authorizer.cpp
+++ b/src/authorizer/local/authorizer.cpp
@@ -402,6 +402,7 @@ public:
 case authorization::KILL_STANDALONE_CONTAINER:
 case authorization::WAIT_STANDALONE_CONTAINER:
 case authorization::REMOVE_STANDALONE_CONTAINER:
+ case authorization::VIEW_STANDALONE_CONTAINER:
 case authorization::GET_MAINTENANCE_SCHEDULE:
 case authorization::GET_MAINTENANCE_STATUS:
 case authorization::MARK_AGENT_GONE:
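Review bot: The new `view_standalone_containers` field does not follow the naming of its siblings in this hunk — `kill_standalone_container`, `wait_standalone_container` and `remove_standalone_container` are all singular — and tag 46 is inserted ahead of `modify_resource_provider_configs = 45`, so file order and tag order now disagree. The plural form does match `modify_resource_provider_configs`, so if the plural is intentional it should at least be moved below the `= 45` entry; if the singular is wanted, `repeated ACL.ViewStandaloneContainer view_standalone_container = 46;` would need the accessor in authorizer.cpp renamed to match. The `message ACLs` definition begins before this hunk.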
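Review bot: The comment added above `VIEW_STANDALONE_CONTAINER = 40;` was carried over from the REMOVE action and still says a principal is "allowed to remove standalone containers", which misdescribes the new value; it should read `// allowed to view standalone containers or is unauthorized.` The value is also placed before `MODIFY_RESOURCE_PROVIDER_CONFIG = 39`, so the enum is no longer listed in numeric order — moving the new block after that entry keeps the file readable. The `enum Action` definition starts before this hunk and ends after it.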
@@ -713,6 +714,7 @@ public:
 case authorization::VIEW_EXECUTOR:
 case authorization::VIEW_FLAGS:
 case authorization::VIEW_FRAMEWORK:
+ case authorization::VIEW_STANDALONE_CONTAINER:
 case authorization::VIEW_TASK:
 case authorization::WAIT_NESTED_CONTAINER:
 case authorization::WAIT_STANDALONE_CONTAINER:
@@ -930,6 +932,7 @@ public:
 case authorization::VIEW_EXECUTOR:
 case authorization::VIEW_FLAGS:
 case authorization::VIEW_FRAMEWORK:
+ case authorization::VIEW_STANDALONE_CONTAINER:
 case authorization::VIEW_TASK:
 case authorization::WAIT_NESTED_CONTAINER:
 case authorization::WAIT_STANDALONE_CONTAINER:
@@ -1141,6 +1144,7 @@ public:
 case authorization::VIEW_EXECUTOR:
 case authorization::VIEW_FLAGS:
 case authorization::VIEW_FRAMEWORK:
+ case authorization::VIEW_STANDALONE_CONTAINER:
 case authorization::VIEW_TASK:
 case authorization::WAIT_NESTED_CONTAINER:
 case authorization::WAIT_STANDALONE_CONTAINER:
@@ -1478,6 +1482,17 @@ private:
 }
 
 return acls_;
+ case authorization::VIEW_STANDALONE_CONTAINER:
+ foreach (const ACL::ViewStandaloneContainer& acl,
+ acls.view_standalone_containers()) {
+ GenericACL acl_;
+ acl_.subjects = acl.principals();
+ acl_.objects = acl.users();
+
+ acls_.push_back(acl_);
+ }
+
+ return acls_;
 case authorization::MODIFY_RESOURCE_PROVIDER_CONFIG:
 foreach (const ACL::ModifyResourceProviderConfig& acl,
 acls.modify_resource_provider_configs()) {
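Review bot: `acls_.push_back(acl_);` in the new `VIEW_STANDALONE_CONTAINER` case copies a `GenericACL` that is never read again; `acls_.push_back(std::move(acl_));` avoids the copy (assuming `<utility>` is already included, which is likely given the rest of the file). The neighbouring cases such as `MODIFY_RESOURCE_PROVIDER_CONFIG` use the same copying form, so either change the pattern across all of them or keep this one consistent with them rather than fixing it in isolation. The body is otherwise a verbatim duplicate of the sibling cases, which is the established pattern in this switch. The enclosing switch and function begin and end outside the hunk.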
