[ https://issues.apache.org/jira/browse/MESOS-6999?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15941875#comment-15941875 ]

Greg Mann commented on MESOS-6999:
----------------------------------

{code}
commit 02c7083af8d267f5e403b56e392d6ec60fc4dee9
Author: Greg Mann <[email protected]>
Date:   Sat Mar 25 12:06:09 2017 -0700

    Added new tests for executor secret generation.

    This patch adds new tests,
    `SlaveTest.RunTaskGroupFailedSecretGeneration` and
    `SlaveTest.RunTaskGroupInvalidExecutorSecret`, to
    verify the agent's behavior when generation of the
    executor secret fails.

    Review: https://reviews.apache.org/r/57883/
{code}
{code}
commit d11dd0e6c1daa9724642ad57db94bdfd12436d22
Author: Greg Mann <[email protected]>
Date:   Sat Mar 25 12:06:06 2017 -0700

    Added a new unmocked method to the mock agent.

    This patch adds a new method to the mock agent,
    `MockSlave::unmocked_executorTerminated`. This will
    facilitate the testing of executor secret generation,
    as it allows us to forward the mock function call to
    the base class method.

    Review: https://reviews.apache.org/r/57891/
{code}
{code}
commit ca58a52346c72cbfed703f2809894bf373f963e3
Author: Greg Mann <[email protected]>
Date:   Sat Mar 25 12:06:02 2017 -0700

    Added SecretGenerator injection to the MockSlave.

    This patch adds an overload of `Slave::initialize` to the
    mock slave for the purpose of injecting a secret generator.

    Review: https://reviews.apache.org/r/57882/
{code}
{code}
commit 8f35d5269d844f361e4a544ce50cf2230c247001
Author: Greg Mann <[email protected]>
Date:   Sat Mar 25 12:05:58 2017 -0700

    Added a 'MockSecretGenerator'.

    This patch adds a mock secret generator, which will
    be used for testing failure scenarios involving
    executor secret generation.

    Review: https://reviews.apache.org/r/57880/
{code}
{code}
commit 3d822865e84d997e37e4b37cbe8c58531980a9d4
Author: Greg Mann <[email protected]>
Date:   Sat Mar 25 12:05:45 2017 -0700

    Changed the agent's SecretGenerator from Owned to pointer.

    This patch updates the agent to hold its `SecretGenerator` as a
    raw pointer instead of an `Owned` object. This is more consistent
    with the other dependencies injected into the agent, and makes it
    easier to test the agent with a mock secret generator.

    Review: https://reviews.apache.org/r/57923/
{code}
{code}
commit 3f9bf3798188c384253ab3c31c3dba4831aec48b
Author: Greg Mann <[email protected]>
Date:   Sat Mar 25 12:05:24 2017 -0700

    Turned on executor authentication in the 'DefaultExecutorTests'.

    Now that executor authentication has been added, this patch
    enables authentication for the agent's operator endpoint in
    the DefaultExecutorTests. This is only done when built with
    SSL, since executor authentication currently has SSL as a
    dependency.

    Review: https://reviews.apache.org/r/57879/
{code}
{code}
commit 4050eb2c9d24ebc68fbf2efdc3e0601e50e1aacd
Author: Greg Mann <[email protected]>
Date:   Sat Mar 25 12:05:22 2017 -0700

    Updated 'SchedulerTest.TaskGroupRunning'.

    This patch updates the test `SchedulerTest.TaskGroupRunning`
    to confirm that the agent-side code responsible for launching
    task groups works correctly. Previously, this test only
    verified that the `RunTaskGroupMessage` was sent to the agent.

    Review: https://reviews.apache.org/r/57807/
{code}
{code}
commit 2f6bb1fdd6f4872583e723851bd87ed09378d547
Author: Greg Mann <[email protected]>
Date:   Sat Mar 25 12:05:19 2017 -0700

    Turned off executor authentication in the ExecutorHttpApiTests.

    This patch turns off executor authentication in the
    ExecutorHttpApiTests, since authentication is not related
    to the functionality they are meant to test. Since executor
    tokens depend on the FrameworkID/ExecutorID/ContainerID of
    the executor, it would be difficult to enable it in these
    tests.

    Review: https://reviews.apache.org/r/57750/
{code}
{code}
commit 95dcb6faf19f4af7850a4cdbe9acdbb8b2aff4a3
Author: Greg Mann <[email protected]>
Date:   Sat Mar 25 12:05:15 2017 -0700

    Enabled executor authentication in the tests.

    This patch sets the `--authenticate_http_executors` and
    `--executor_secret_key` flags by default in the tests,
    and it updates the test cluster code to load a secret
    generator when those flags are set.

    Review: https://reviews.apache.org/r/57748/
{code}
{code}
commit 873497f2718f91d86746ce2266376c7f442c8c5f
Author: Greg Mann <[email protected]>
Date:   Sat Mar 25 12:05:09 2017 -0700

    Fixed invocations of 'executorEnvironment' in the tests.

    This patch updates invocations of `executorEnvironment` in the tests
    to use the function's new signature, which accepts an authentication
    token.

    Review: https://reviews.apache.org/r/57747/
{code}
{code}
commit 8b6ddb5fcae38dcfad27cb5dae26b4054773134f
Author: Greg Mann <[email protected]>
Date:   Sat Mar 25 12:04:49 2017 -0700

    Updated the agent to generate executor secrets.

    This patch updates the agent code to generate executor
    authentication tokens when executor authentication is
    enabled. For now, the generated `Secret` objects must
    be of `VALUE` type, and they're passed directly into the
    executor environment.

    Review: https://reviews.apache.org/r/57743/
{code}
{code}
commit 2fc8033624b0119e4ef77fa864f7735f07b3175f
Author: Greg Mann <[email protected]>
Date:   Sat Mar 25 12:04:22 2017 -0700

    Added an output operator overload for Secret::Type.

    This patch adds an `operator<<` overload for the `Secret::Type`
    protobuf enum to facilitate logging.

    Review: https://reviews.apache.org/r/57929/
{code}

> Add agent support for generating and passing executor secrets
> -------------------------------------------------------------
>
>                 Key: MESOS-6999
>                 URL: https://issues.apache.org/jira/browse/MESOS-6999
>             Project: Mesos
>          Issue Type: Task
>          Components: agent, security
>            Reporter: Greg Mann
>            Assignee: Greg Mann
>              Labels: agent, executor, flags, mesosphere, security
>
> The agent must generate and pass executor secrets to all executors using the 
> V1 API. For MVP, the agent will have this behavior by default when compiled 
> with SSL support. To accomplish this, the agent must:
> * load the default {{SecretGenerator}} module
> * call the secret generator when launching an executor
> * pass the generated secret into the executor's environment



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
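
The launch path listed in the issue description (call the injected generator, accept only a `VALUE` secret, pass it into the executor's environment), as an added C++ sketch that is not Mesos code. The types are simplified stand-ins, `EXECUTOR_AUTH_TOKEN` is a hypothetical variable name, and refusing the launch when no usable secret is produced is an assumed policy that the page does not spell out.

```cpp
#include <map>
#include <string>

// Simplified stand-ins for names on the page; not the Mesos definitions.
struct Secret {
  enum Type { UNKNOWN, REFERENCE, VALUE };
  Type type;
  std::string value;
};
struct ExecutorIds { std::string frameworkId, executorId, containerId; };
struct Generated { bool ok; Secret secret; };  // ok == false: generation failed

// Injected dependency, held by raw pointer so a test can substitute a double.
class SecretGenerator {
public:
  virtual ~SecretGenerator() {}
  virtual Generated generate(const ExecutorIds& ids) = 0;
};

// Test double in the spirit of a mock generator: returns a canned result.
class StubSecretGenerator : public SecretGenerator {
public:
  explicit StubSecretGenerator(const Generated& g) : canned(g) {}
  Generated generate(const ExecutorIds&) override { return canned; }
private:
  Generated canned;
};

struct LaunchResult {
  bool launched;
  std::string error;
  std::map<std::string, std::string> environment;
};

// Assumed policy: fail closed. No usable token means no executor launch.
LaunchResult launchExecutor(SecretGenerator* generator, const ExecutorIds& ids) {
  LaunchResult result = LaunchResult();  // value-initialized: launched == false
  if (generator == nullptr) { result.launched = true; return result; }  // auth disabled
  const Generated generated = generator->generate(ids);
  if (!generated.ok) {
    result.error = "secret generation failed";
  } else if (generated.secret.type != Secret::VALUE || generated.secret.value.empty()) {
    result.error = "generated secret is not a non-empty VALUE secret";
  } else {
    result.environment["EXECUTOR_AUTH_TOKEN"] = generated.secret.value;  // hypothetical name
    result.launched = true;
  }
  return result;
}
```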
