-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61171/
-----------------------------------------------------------
Review request for mesos, Adam B, Greg Mann, Quinn Leng, and Till Toenshoff.

Bugs: MESOS-7416
https://issues.apache.org/jira/browse/MESOS-7416

Repository: mesos

Description
-------
Enables filtering of the results of calls to the 'GET_AGENTS' v1
API. It filters the contents of different resource entries based
on the 'VIEW_ROLE' permissions of the principal doing the request
based on resource roles, allocation roles and reservations.

Diffs
-----
src/common/protobuf_utils.hpp 2156f6d158bfee16d29aa3531bdd156af581df01
src/common/protobuf_utils.cpp 4e5ab02c90ad8490efbcc471f7fd7c48be0c4678
src/master/http.cpp 9df086c417a9392f62d600c7a6486be0a1cf7e70
src/master/master.hpp 84465af782d4024f22463d981ef9d0ef7827d043
Diff: https://reviews.apache.org/r/61171/diff/1/

Testing
-------
```shell
mkdir -p /tmp/mesos/master
mkdir -p /tmp/mesos/agent
# Create credentials
cat <<EOF > /tmp/mesos/credentials.txt
hal-9000 dave
glados potato
skynet connor
EOF
# Create ACLs
cat <<EOF > /tmp/mesos/acls.json
{
  "permissive": true,
  "view_roles" : [
    {
      "principals" : { "type" : "ANY" },
      "roles" : { "values" : ["*"] }
    },
    {
      "principals" : { "values" : ["hal-9000"] },
      "roles" : { "values" : ["space-odyssey"] }
    },
    {
      "principals" : { "values" : ["hal-9000"] },
      "roles" : { "type" : "NONE" }
    },
    {
      "principals" : { "values" : ["glados"] },
      "roles" : { "values" : ["portal"] }
    },
    {
      "principals" : { "values" : ["glados"] },
      "roles" : { "type" : "NONE" }
    },
    {
      "principals" : { "values" : ["skynet"] },
      "roles" : { "values" : ["terminator"] }
    },
    {
      "principals" : { "values" : ["skynet"] },
      "roles" : { "type" : "NONE" }
    }
  ]
}
EOF
# Launch Master with some predefined roles.
./bin/mesos-master.sh \
  --work_dir=/tmp/mesos/master \
  --log_dir=/tmp/mesos/master/log \
  --authenticate_http \
  --credentials=/tmp/mesos/credentials.txt \
  --authenticate_http_frameworks \
  --http_framework_authenticators=basic \
  --http_authenticators=basic \
  --authenticate_http_readonly \
  --acls=/tmp/mesos/acls.json \
  --roles="space-odyssey,portal,terminator" &
# Launch Agent with static reservations for all roles.
sudo ./bin/mesos-agent.sh \
  --master=127.0.0.1:5050 \
  --work_dir=/tmp/mesos/agent \
  --authenticate_http_readwrite \
  --http_authenticators=basic \
  --http_credentials=/tmp/mesos/credentials.txt \
  --acls=/tmp/mesos/acls.json \
  --resources='cpus(space-odyssey):2;cpus(portal):2;cpus(*):4;mem(space-odyssey):250;mem(portal):250;mem(*):10360;ports(space-odyssey):[31000-32000];ports(portal):[32001-33000];ports(*):[33001-35000];disk(space-odyssey):250;disk(portal):250;disk(*):1000' &
# Launch test framework.
./src/mesos-execute \
  --master=127.0.0.1:5050 \
  --command='while true; do echo "Hello World"; sleep 5; done;' \
  --resources="cpus:1;mem:128;disk:32;ports:[31002-31003]" \
  --role=space-odyssey \
  --name=hello-discovery \
  --principal=hal-9000 \
  --secret=dave &
# Create a dynamic reservation.
# SLAVE_ID must already hold the ID of the agent launched above.
cat > /tmp/resources.json <<EOM
[
  {
    "name": "cpus",
    "type": "SCALAR",
    "scalar": { "value": 2 },
    "role": "terminator",
    "reservation": {
      "principal": "skynet"
    }
  },
  {
    "name": "mem",
    "type": "SCALAR",
    "scalar": { "value": 250 },
    "role": "terminator",
    "reservation": {
      "principal": "skynet"
    }
  },
  {
    "name": "disk",
    "type": "SCALAR",
    "scalar": { "value": 250 },
    "role": "terminator",
    "reservation": {
      "principal": "skynet"
    }
  },
  {
    "name": "ports",
    "type": "RANGES",
    "ranges": {
      "range": [
        {
          "begin": 33001,
          "end": 34000
        }
      ]
    },
    "role": "terminator",
    "reservation": {
      "principal": "skynet"
    }
  }
]
EOM
http \
  -a skynet:connor \
  -f POST \
  127.0.0.1:5050/master/reserve \
  slaveId=${SLAVE_ID} \
  resources=@/tmp/resources.json
# Create some quota.
cat > /tmp/quota.json <<EOM
{
  "role": "portal",
  "guarantee": [
    {
      "name": "cpus",
      "type": "SCALAR",
      "scalar": { "value": 2 }
    },
    {
      "name": "mem",
      "type": "SCALAR",
      "scalar": { "value": 250 }
    },
    {
      "name": "disk",
      "type": "SCALAR",
      "scalar": { "value": 250 }
    }
  ]
}
EOM
http \
  -a glados:potato \
  POST \
  127.0.0.1:5050/master/quota \
  @/tmp/quota.json
# Query the master with all users and check
# that only the information of his role is
# available.
http -a glados:potato -v -j -f POST 127.0.0.1:5050/api/v1 type=GET_AGENTS
http -a skynet:connor -v -j -f POST 127.0.0.1:5050/api/v1 type=GET_AGENTS
http -a hal-9000:dave -v -j -f POST 127.0.0.1:5050/api/v1 type=GET_AGENTS
```
Thanks,
Alexander Rojas
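
The ACL file in the test script depends on ordered evaluation: each principal gets one entry granting its own role, followed by a `NONE` entry that denies every other role. The following is an added example, not part of the review request or the Mesos code base; it models the first-match evaluation described in the Mesos authorization documentation and applies it to constructed resource entries. The function names, the `wheatley` principal, the sample entries, and the rule that an entry is shown only when both its role and its allocation role are viewable are assumptions.

```python
import json
# view_roles ACLs copied from acls.json in the test script above.
ACLS = json.loads("""
{"permissive": true, "view_roles": [
  {"principals": {"type": "ANY"}, "roles": {"values": ["*"]}},
  {"principals": {"values": ["hal-9000"]}, "roles": {"values": ["space-odyssey"]}},
  {"principals": {"values": ["hal-9000"]}, "roles": {"type": "NONE"}},
  {"principals": {"values": ["glados"]}, "roles": {"values": ["portal"]}},
  {"principals": {"values": ["glados"]}, "roles": {"type": "NONE"}},
  {"principals": {"values": ["skynet"]}, "roles": {"values": ["terminator"]}},
  {"principals": {"values": ["skynet"]}, "roles": {"type": "NONE"}}
]}""")

def allows(entity, value):
    """ANY allows everything, NONE nothing, a value list only its members."""
    if "type" in entity:
        return entity["type"] == "ANY"
    return value in entity.get("values", [])

def matches(entity, value):
    """ANY and NONE match every value; a value list matches its members."""
    return "type" in entity or allows(entity, value)

def can_view_role(principal, role, acls=ACLS):
    """First matching ACL decides; if none matches, 'permissive' decides."""
    for acl in acls["view_roles"]:
        p, r = acl["principals"], acl["roles"]
        if matches(p, principal) and matches(r, role):
            return allows(p, principal) and allows(r, role)
    return acls["permissive"]

def visible(principal, resources):
    """Keep entries whose role and allocation role (if set) are both viewable."""
    return [res for res in resources
            if all(can_view_role(principal, role)
                   for role in (res["role"], res.get("allocation_role")) if role)]

# Constructed sample entries (not real GET_AGENTS output), one per case.
AGENT_RESOURCES = [
    {"name": "cpus", "role": "*"},
    {"name": "cpus", "role": "*", "allocation_role": "space-odyssey"},
    {"name": "cpus", "role": "portal"},
    {"name": "cpus", "role": "space-odyssey"},
    {"name": "cpus", "role": "terminator"},
]

if __name__ == "__main__":
    for who in ("glados", "skynet", "hal-9000", "wheatley"):  # wheatley: constructed
        print(who, [(r["role"], r.get("allocation_role")) for r in visible(who, AGENT_RESOURCES)])
```

In this model a principal that no ACL entry names falls through to `permissive`, which this file sets to `true`, so it is shown every role.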