This is an automated email from the ASF dual-hosted git repository.
bmahler pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git
The following commit(s) were added to refs/heads/master by this push:
new d94d047 Moved creating authorization Object out of
Master::authorizeFramework.
d94d047 is described below
commit d94d047c4b25b8b1e8fdf1a547e62fc6e4fbf53a
Author: Andrei Sekretenko <[email protected]>
AuthorDate: Mon Jan 6 13:46:34 2020 -0500
Moved creating authorization Object out of Master::authorizeFramework.
Review: https://reviews.apache.org/r/71860/
---
src/master/authorization.cpp | 41 +++++++++++++++++++++++++++++++++++++----
src/master/authorization.hpp | 5 +++++
src/master/master.cpp | 36 +++++-------------------------------
3 files changed, 47 insertions(+), 35 deletions(-)
diff --git a/src/master/authorization.cpp b/src/master/authorization.cpp
index eabeb41..9fde2ad 100644
--- a/src/master/authorization.cpp
+++ b/src/master/authorization.cpp
@@ -38,6 +38,29 @@ ActionObject ActionObject::taskLaunch(
}
+ActionObject ActionObject::frameworkRegistration(
+ const FrameworkInfo& frameworkInfo)
+{
+ Object object;
+ *object.mutable_framework_info() = frameworkInfo;
+
+ // For non-`MULTI_ROLE` frameworks, also propagate its single role
+ // via the request's `value` field. This is purely for backwards
+ // compatibility as the `value` field is deprecated. Note that this
+ // means that authorizers relying on the deprecated field will see
+ // an empty string in `value` for `MULTI_ROLE` frameworks.
+ //
+ // TODO(bbannier): Remove this at the end of `value`'s deprecation
+ // cycle, see MESOS-7073.
+ if (!::mesos::internal::protobuf::frameworkHasCapability(
+ frameworkInfo, FrameworkInfo::Capability::MULTI_ROLE)) {
+ object.set_value(frameworkInfo.role());
+ }
+
+ return ActionObject(authorization::REGISTER_FRAMEWORK, std::move(object));
+}
+
+
ostream& operator<<(ostream& stream, const ActionObject& actionObject)
{
const Option<Object>& object = actionObject.object();
@@ -49,14 +72,24 @@ ostream& operator<<(ostream& stream, const ActionObject&
actionObject)
switch (actionObject.action()) {
case authorization::RUN_TASK:
- return stream << "launch task " << object->task_info().task_id()
- << " of framework " << object->framework_info().id();
+ return stream
+ << "launch task " << object->task_info().task_id()
+ << " of framework " << object->framework_info().id();
+
+ case authorization::REGISTER_FRAMEWORK:
+ return stream
+ << "register framework " << object->framework_info().id()
+ << " with roles "
+ << stringify(::mesos::internal::protobuf::framework::getRoles(
+ object->framework_info()));
+
default:
break;
}
- return stream << "perform action " << Action_Name(actionObject.action())
- << " on object " << jsonify(JSON::Protobuf(*object));
+ return stream
+ << "perform action " << Action_Name(actionObject.action())
+ << " on object " << jsonify(JSON::Protobuf(*object));
}
diff --git a/src/master/authorization.hpp b/src/master/authorization.hpp
index c0f083c..54c30f8 100644
--- a/src/master/authorization.hpp
+++ b/src/master/authorization.hpp
@@ -41,6 +41,11 @@ public:
const TaskInfo& task,
const FrameworkInfo& framework);
+ // Returns action-object pair for authorizing
+ // framework (re)registration or update.
+ static ActionObject frameworkRegistration(
+ const FrameworkInfo& frameworkInfo);
+
private:
Action action_;
Option<Object> object_;
diff --git a/src/master/master.cpp b/src/master/master.cpp
index a81ee79..ff76831 100644
--- a/src/master/master.cpp
+++ b/src/master/master.cpp
@@ -2237,37 +2237,11 @@ void Master::detected(const Future<Option<MasterInfo>>&
_leader)
Future<bool> Master::authorizeFramework(
const FrameworkInfo& frameworkInfo)
{
- if (authorizer.isNone()) {
- return true; // Authorization is disabled.
- }
-
- LOG(INFO) << "Authorizing framework principal '" << frameworkInfo.principal()
- << "' to receive offers for roles '"
- << stringify(protobuf::framework::getRoles(frameworkInfo)) << "'";
-
- authorization::Request request;
- request.set_action(authorization::REGISTER_FRAMEWORK);
-
- if (frameworkInfo.has_principal()) {
- request.mutable_subject()->set_value(frameworkInfo.principal());
- }
-
- request.mutable_object()->mutable_framework_info()->CopyFrom(frameworkInfo);
-
- // For non-`MULTI_ROLE` frameworks, also propagate its single role
- // via the request's `value` field. This is purely for backwards
- // compatibility as the `value` field is deprecated. Note that this
- // means that authorizers relying on the deprecated field will see
- // an empty string in `value` for `MULTI_ROLE` frameworks.
- //
- // TODO(bbannier): Remove this at the end of `value`'s deprecation
- // cycle, see MESOS-7073.
- if (!protobuf::frameworkHasCapability(
- frameworkInfo, FrameworkInfo::Capability::MULTI_ROLE)) {
- request.mutable_object()->set_value(frameworkInfo.role());
- }
-
- return authorizer.get()->authorized(request);
+ return authorize(
+ frameworkInfo.has_principal()
+ ? Option<Principal>(frameworkInfo.principal())
+ : Option<Principal>::none(),
+ ActionObject::frameworkRegistration(frameworkInfo));
}
