This is an automated email from the ASF dual-hosted git repository. mzhu pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/mesos.git
commit 3034d3c4c51fd4648d73bea73b419cc27de43d63
Author: Meng Zhu <[email protected]>
AuthorDate: Wed Apr 24 17:04:47 2019 -0700

Added authorization for `UpdateQuota` call in the master.

A new authorizable action `UPDATE_QUOTA_WITH_CONFIG` is added. This disambiguates with the old action `UPDATE_QUOTA` which are used for the old `SetQuota` and `RemoveQuota` calls. `UPDATE_QUOTA` action requires `QuotaInfo` as the object while the new `UpdatedQuota` call sets the `value` field of the object using the role associated with the quota. To keep it compatible with any external authorization modules, a new action is introduced.

Review: https://reviews.apache.org/r/70549
---
 include/mesos/authorizer/authorizer.proto | 15 +++++++++++++--
 src/master/master.hpp | 7 +++++++
 src/master/quota_handler.cpp | 27 +++++++++++++++++++++++++++
 src/tests/master_authorization_tests.cpp | 1 +
 4 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/include/mesos/authorizer/authorizer.proto b/include/mesos/authorizer/authorizer.proto
index e2740c4..ad40d3a 100644
--- a/include/mesos/authorizer/authorizer.proto
+++ b/include/mesos/authorizer/authorizer.proto
@@ -50,7 +50,7 @@ message Object {
 optional Task task = 3;
 optional TaskInfo task_info = 4;
 optional ExecutorInfo executor_info = 5;
- optional quota.QuotaInfo quota_info = 6;
+ optional quota.QuotaInfo quota_info = 6 [deprecated = true];
 optional WeightInfo weight_info = 7;
 optional Resource resource = 8;
 optional CommandInfo command_info = 9;
@@ -136,7 +136,18 @@ enum Action {
 GET_QUOTA_WITH_ROLE = 11;
 
 // `UPDATE_QUOTA` will have an object with a `QuotaInfo` set.
- UPDATE_QUOTA = 12;
+ //
+ // TODO(mzhu): Remove this action after associated API calls `SET_QUOTA`
+ // and `REMOVE_QUOTA` are no longer supported.
+ //
+ // NOTE: We cannot reuse this action for the `UPDATE_QUOTA` API call,
+ // because the associated `QuotaConfig` message contains more information
+ // than `QuotaInfo`.
+ UPDATE_QUOTA = 12 [deprecated = true];
+
+ // `UPDATE_QUOTA_WITH_CONFIG` will have an object
+ // with a `value` field set to the role name.
+ UPDATE_QUOTA_WITH_CONFIG = 50;
 
 // `VIEW_FRAMEWORK` will have an object with a `FrameworkInfo` set.
 VIEW_FRAMEWORK = 13;
diff --git a/src/master/master.hpp b/src/master/master.hpp
index 2771f4c..3504bd3 100644
--- a/src/master/master.hpp
+++ b/src/master/master.hpp
@@ -1265,10 +1265,17 @@ private:
 const Option<process::http::authentication::Principal>& principal,
 const mesos::quota::QuotaInfo& quotaInfo) const;
 
+ // This auth function is used for legacy `SET_QUOTA` and `REMOVE_QUOTA`
+ // calls. Remove this function after the associated API calls are
+ // no longer supported.
 process::Future<bool> authorizeUpdateQuota(
 const Option<process::http::authentication::Principal>& principal,
 const mesos::quota::QuotaInfo& quotaInfo) const;
 
+ process::Future<bool> authorizeUpdateQuotaConfig(
+ const Option<process::http::authentication::Principal>& principal,
+ const mesos::quota::QuotaConfig& quotaConfig) const;
+
 process::Future<mesos::quota::QuotaStatus> _status(
 const Option<process::http::authentication::Principal>& principal) const;
 
diff --git a/src/master/quota_handler.cpp b/src/master/quota_handler.cpp
index a18d8ba..21176dd 100644
--- a/src/master/quota_handler.cpp
+++ b/src/master/quota_handler.cpp
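Review bot: The contract declared for `UPDATE_QUOTA_WITH_CONFIG` hands the authorizer only the role name via `Object.value`, so whatever `QuotaConfig` carries beyond the role — and the NOTE a few lines up says it carries more than `QuotaInfo` did — never reaches the policy decision, which makes this action strictly coarser than the legacy `UPDATE_QUOTA` it replaces. If a policy such as bounding what a principal may request for a role is ever wanted, `Object` will need a `quota_config` field rather than the reused `value`, and external authorizer modules written against this action should know that now. Suggest stating it in the enum comment: `// with a value field set to the role name. The requested guarantees and limits are not passed to the authorizer.` The same limitation applies to the `*request.mutable_object()->mutable_value() = quotaConfig.role();` line in the quota_handler.cpp hunk. The `enum Action` definition starts and ends outside this hunk.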
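Review bot: `authorizeUpdateQuotaConfig` is declared without a comment while the legacy sibling directly above it gains one in this same hunk, so a reader of the header cannot tell which API call each serves or that they produce different authorization actions and objects. Suggest adding above the new declaration: `// This auth function is used for the UPDATE_QUOTA call; the authorizer only receives the role of quotaConfig as the object.` The enclosing class body starts and ends outside the hunk.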
@@ -55,6 +55,7 @@ using http::OK;
 using mesos::authorization::createSubject;
+using mesos::quota::QuotaConfig;
 using mesos::quota::QuotaInfo;
 using mesos::quota::QuotaRequest;
 using mesos::quota::QuotaStatus;
@@ -818,6 +819,32 @@ Future<bool> Master::QuotaHandler::authorizeUpdateQuota(
 return master->authorizer.get()->authorized(request);
 }
+
+Future<bool> Master::QuotaHandler::authorizeUpdateQuotaConfig(
+ const Option<Principal>& principal, const QuotaConfig& quotaConfig) const
+{
+ if (master->authorizer.isNone()) {
+ return true;
+ }
+
+ LOG(INFO) << "Authorizing principal '"
+ << (principal.isSome() ? stringify(principal.get()) : "ANY")
+ << "' to update quota config"
+ << " for role '" << quotaConfig.role() << "'";
+
+ authorization::Request request;
+ request.set_action(authorization::UPDATE_QUOTA_WITH_CONFIG);
+
+ Option<authorization::Subject> subject = createSubject(principal);
+ if (subject.isSome()) {
+ *request.mutable_subject() = std::move(*subject);
+ }
+
+ *request.mutable_object()->mutable_value() = quotaConfig.role();
+
+ return master->authorizer.get()->authorized(request);
+}
+
 } // namespace master {
 } // namespace internal {
 } // namespace mesos {
diff --git a/src/tests/master_authorization_tests.cpp b/src/tests/master_authorization_tests.cpp
index ee69910..7d40695 100644
--- a/src/tests/master_authorization_tests.cpp
+++ b/src/tests/master_authorization_tests.cpp
@@ -2969,6 +2969,7 @@ public:
 case authorization::UPDATE_WEIGHT:
 case authorization::GET_QUOTA:
 case authorization::UPDATE_QUOTA:
+ case authorization::UPDATE_QUOTA_WITH_CONFIG:
 case authorization::VIEW_FRAMEWORK:
 case authorization::VIEW_TASK:
 case authorization::VIEW_EXECUTOR:
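Review bot: In `authorizeUpdateQuotaConfig`, `quotaConfig.role()` is copied straight into `Object.value` with no check in this function, so if the caller validates the `QuotaConfig` only after this authorization step, an empty or malformed role is what the authorizer (and any external module) matches against; the call ordering is not visible in this hunk, so please confirm validation precedes this call, or reject an empty role here before the request is built. The `if (master->authorizer.isNone()) { return true; }` early return presumably mirrors the sibling `authorizeUpdateQuota`, but it skips the INFO log entirely, leaving no record that an `UpdateQuota` call was allowed without an authorizer; adding `LOG(INFO) << "No authorizer configured, allowing quota config update for role '" << quotaConfig.role() << "'";` before that `return true;` would keep the audit trail consistent. The other two hunks in this line (the `using` declaration and the test case label) need no change.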
