-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61171/#review181618
-----------------------------------------------------------

Looking good; one small comment below to consider. We should definitely add a test case for this as well.


src/master/http.cpp
Lines 2518-2520 (original), 2553-2555 (patched)
<https://reviews.apache.org/r/61171/#comment257219>

    What about authorizing this field? It doesn't include dynamic reservation information, but there could be statically reserved resources with role information in `SlaveInfo`. I haven't verified that the recovered agents field does print the roles of static reservations, but it looks to me like it would?


- Greg Mann


On July 27, 2017, 7:48 a.m., Alexander Rojas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/61171/
> -----------------------------------------------------------
>
> (Updated July 27, 2017, 7:48 a.m.)
>
>
> Review request for mesos, Adam B, Greg Mann, Quinn Leng, and Till Toenshoff.
>
>
> Bugs: MESOS-7416
>     https://issues.apache.org/jira/browse/MESOS-7416
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Enables filtering of the results of calls to the 'GET_AGENTS' v1
> API. It filters the contents of different resources entries based
> on the 'VIEW_ROLE' permissions of the principal doing the request
> based on resource roles, allocation roles and reservations.
>
>
> Diffs
> -----
>
>   src/common/protobuf_utils.hpp 2156f6d158bfee16d29aa3531bdd156af581df01
>   src/common/protobuf_utils.cpp 4e5ab02c90ad8490efbcc471f7fd7c48be0c4678
>   src/master/http.cpp 9df086c417a9392f62d600c7a6486be0a1cf7e70
>   src/master/master.hpp 84465af782d4024f22463d981ef9d0ef7827d043
>
>
> Diff: https://reviews.apache.org/r/61171/diff/2/
>
>
> Testing
> -------
>
> ```shell
> mkdir -p /tmp/mesos/master
> mkdir -p /tmp/mesos/agent
>
> # Create credentials
> cat <<EOF > /tmp/mesos/credentials.txt
> hal-9000 dave
> glados potato
> skynet connor
> EOF
>
> # Create ACLs
> cat <<EOF > /tmp/mesos/acls.json
> {
>   "permissive": true,
>   "view_roles" : [
>     {
>       "principals" : { "type" : "ANY" },
>       "roles" : { "values" : ["*"] }
>     },
>     {
>       "principals" : { "values" : ["hal-9000"] },
>       "roles" : { "values" : ["space-odyssey"] }
>     },
>     {
>       "principals" : { "values" : ["hal-9000"] },
>       "roles" : { "type" : "NONE" }
>     },
>     {
>       "principals" : { "values" : ["glados"] },
>       "roles" : { "values" : ["portal"] }
>     },
>     {
>       "principals" : { "values" : ["glados"] },
>       "roles" : { "type" : "NONE" }
>     },
>     {
>       "principals" : { "values" : ["skynet"] },
>       "roles" : { "values" : ["terminator"] }
>     },
>     {
>       "principals" : { "values" : ["skynet"] },
>       "roles" : { "type" : "NONE" }
>     }
>   ]
> }
> EOF
>
> # Launch Master with some predefined roles.
> ./bin/mesos-master.sh \
>     --work_dir=/tmp/mesos/master \
>     --log_dir=/tmp/mesos/master/log \
>     --authenticate_http \
>     --credentials=/tmp/mesos/credentials.txt \
>     --authenticate_http_frameworks \
>     --http_framework_authenticators=basic \
>     --http_authenticators=basic \
>     --authenticate_http_readonly \
>     --acls=/tmp/mesos/acls.json \
>     --roles="space-odyssey,portal,terminator" &
>
> # Launch Agent with static reservations for all roles.
> sudo ./bin/mesos-agent.sh \
>     --master=127.0.0.1:5050 \
>     --work_dir=/tmp/mesos/agent \
>     --authenticate_http_readwrite \
>     --http_authenticators=basic \
>     --http_credentials=/tmp/mesos/credentials.txt \
>     --acls=/tmp/mesos/acls.json \
>     --resources='cpus(space-odyssey):2;cpus(portal):2;cpus(*):4;mem(space-odyssey):250;mem(portal):250;mem(*):10360;ports(space-odyssey):[31000-32000];ports(portal):[32001-33000];ports(*):[33001-35000];disk(space-odyssey):250;disk(portal):250;disk(*):1000' &
>
> # Launch test framework.
> ./src/mesos-execute \
>     --master=127.0.0.1:5050 \
>     --command='while true; do echo "Hello World"; sleep 5; done;' \
>     --resources="cpus:1;mem:128;disk:32;ports:[31002-31003]" \
>     --role=space-odyssey \
>     --name=hello-discovery \
>     --principal=hal-9000 \
>     --secret=dave &
>
> # Create a dynamic reservation.
> cat > /tmp/resources.json <<EOM
> [
>   {
>     "name": "cpus",
>     "type": "SCALAR",
>     "scalar": { "value": 2 },
>     "role": "terminator",
>     "reservation": {
>       "principal": "skynet"
>     }
>   },
>   {
>     "name": "mem",
>     "type": "SCALAR",
>     "scalar": { "value": 250 },
>     "role": "terminator",
>     "reservation": {
>       "principal": "skynet"
>     }
>   },
>   {
>     "name": "disk",
>     "type": "SCALAR",
>     "scalar": { "value": 250 },
>     "role": "terminator",
>     "reservation": {
>       "principal": "skynet"
>     }
>   },
>   {
>     "name": "ports",
>     "type": "RANGES",
>     "ranges": {
>       "range": [
>         {
>           "begin": 33001,
>           "end": 34000
>         }
>       ]
>     },
>     "role": "terminator",
>     "reservation": {
>       "principal": "skynet"
>     }
>   }
> ]
> EOM
>
> http \
>     -a skynet:connor \
>     -f POST \
>     127.0.0.1:5050/master/reserve \
>     slaveId=${SLAVE_ID} \
>     resources=@/tmp/resources.json
>
>
> # Create some quota.
> cat > /tmp/quota.json <<EOM
> {
>   "role": "portal",
>   "guarantee": [
>     {
>       "name": "cpus",
>       "type": "SCALAR",
>       "scalar": { "value": 2 }
>     },
>     {
>       "name": "mem",
>       "type": "SCALAR",
>       "scalar": { "value": 250 }
>     },
>     {
>       "name": "disk",
>       "type": "SCALAR",
>       "scalar": { "value": 250 }
>     }
>   ]
> }
> EOM
>
> http \
>     -a glados:potato \
>     POST \
>     127.0.0.1:5050/master/quota \
>     @/tmp/quota.json
>
>
> # Query the master with all users and check
> # that only the information of his role is
> # available.
> http -a glados:potato -v -j -f POST 127.0.0.1:5050/api/v1 type=GET_AGENTS
>
> http -a skynet:connor -v -j -f POST 127.0.0.1:5050/api/v1 type=GET_AGENTS
>
> http -a hal-9000:dave -v -j -f POST 127.0.0.1:5050/api/v1 type=GET_AGENTS
> ```
>
>
> Thanks,
>
> Alexander Rojas
>
>
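
The manual check at the end of the Testing section can be automated; the following is an added example, not part of the review request or of Mesos. It walks a saved `GET_AGENTS` response, including the recovered agents field the review comment asks about, and reports every role the principal is not expected to see. The response layout, the sample data, the function names and the allowed role sets (read off the `acls.json` above) are assumptions.

```python
import json

# Constructed sample (not real master output): the shape is an assumption,
# with roles left unfiltered so the checker has something to find.
SAMPLE = json.loads("""
{"type": "GET_AGENTS", "get_agents": {
  "agents": [{
    "agent_info": {"hostname": "a1", "resources": [
      {"name": "cpus", "type": "SCALAR", "role": "*"},
      {"name": "cpus", "type": "SCALAR", "role": "portal"}]},
    "allocated_resources": [
      {"name": "mem", "type": "SCALAR", "role": "*",
       "allocation_info": {"role": "portal"}}]}],
  "recovered_agents": [{"hostname": "a2", "resources": [
      {"name": "cpus", "type": "SCALAR", "role": "space-odyssey"},
      {"name": "disk", "type": "SCALAR",
       "reservations": [{"type": "DYNAMIC", "role": "terminator"}]}]}]}}
""")

def resource_roles(res):
    """Roles named by one resource: role, allocation role, reservations."""
    roles = set()
    if "role" in res:
        roles.add(res["role"])
    if "role" in res.get("allocation_info", {}):
        roles.add(res["allocation_info"]["role"])
    roles.update(r["role"] for r in res.get("reservations", []) if "role" in r)
    return roles

def walk(node, path="$"):
    """Yield (path, dict) for every resource-shaped dict (has name and type)."""
    if isinstance(node, dict):
        if "name" in node and "type" in node:
            yield path, node
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")

def leaked_roles(response, allowed):
    """Return sorted (path, role) pairs for roles the principal may not view."""
    return sorted((path, role)
                  for path, res in walk(response)
                  for role in resource_roles(res) - set(allowed))

if __name__ == "__main__":
    # Allowed sets as read from the acls.json in the Testing section (assumed).
    for principal, allowed in {"glados": {"*", "portal"},
                               "hal-9000": {"*", "space-odyssey"}}.items():
        print(principal, leaked_roles(SAMPLE, allowed))
```

An empty result for each principal is the pass condition; any entry gives the JSON path of the resource that still carries a role outside that principal's allowed set.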
