-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61171/#review181926
-----------------------------------------------------------


src/common/http.hpp
Lines 274-275 (patched)
<https://reviews.apache.org/r/61171/#comment257744>

    Maybe:
    "Authorizes resources using the provided acceptor. Accepts resources in both the pre- and post-reservation-refinement formats."


src/common/http.cpp
Lines 984 (patched)
<https://reviews.apache.org/r/61171/#comment257745>

    Are you sure that this will hold for all recovered agents? What about an agent with statically-reserved resources?


src/common/http.cpp
Lines 985 (patched)
<https://reviews.apache.org/r/61171/#comment257748>

    What about recovered agents which have provided dynamically-reserved resources upon reregistration? Would they have resources with the `reservation` and `role` fields set?


src/master/http.cpp
Line 811 (original), 818 (patched)
<https://reviews.apache.org/r/61171/#comment257749>

    Not indented enough.


src/master/http.cpp
Lines 2529 (patched)
<https://reviews.apache.org/r/61171/#comment257751>

    Not indented enough.


src/tests/api_tests.cpp
Lines 1701-1702 (patched)
<https://reviews.apache.org/r/61171/#comment257767>

    s/assigned to/which are unreserved or reserved for/


src/tests/api_tests.cpp
Lines 1727 (patched)
<https://reviews.apache.org/r/61171/#comment257766>

    Hmmm I'm a bit confused by this expectation. The default credential should also be able to view unreserved resources, and I thought that we expect the unreserved `SlaveInfo.resources` to have `role == "*"`?


src/tests/api_tests.cpp
Lines 1739-1760 (patched)
<https://reviews.apache.org/r/61171/#comment257768>

    This code still doesn't assert that the resources reserved for 'superhero' role _do_ in fact appear in the response, does it? i.e., if this response contained no role information at all (like the response for principal 2), these expectations would still pass, right?


- Greg Mann


On Aug. 1, 2017, 2:24 p.m., Alexander Rojas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/61171/
> -----------------------------------------------------------
>
> (Updated Aug. 1, 2017, 2:24 p.m.)
>
>
> Review request for mesos, Adam B, Greg Mann, Quinn Leng, and Till Toenshoff.
>
>
> Bugs: MESOS-7416
>     https://issues.apache.org/jira/browse/MESOS-7416
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Enables filtering of the results of calls to the 'GET_AGENTS' v1
> API. It filters the contents of different resources entries based
> on the 'VIEW_ROLE' permissions of the principal doing the request
> based on resource roles, allocation roles and reservations.
>
>
> Diffs
> -----
>
>   src/common/http.hpp ba8dda18a02f51d1a28e719f06ee4b51573dfbec
>   src/common/http.cpp dfd5f335e8a3745d047d4f9f5e8c821b2c22da5a
>   src/common/protobuf_utils.hpp 80d2edd452f3ffa38c40f9a21f8489799065c401
>   src/common/protobuf_utils.cpp 49d3a229925f4aa107e3e5f762936c16318aeadb
>   src/master/http.cpp 9df086c417a9392f62d600c7a6486be0a1cf7e70
>   src/master/master.hpp 84465af782d4024f22463d981ef9d0ef7827d043
>   src/tests/api_tests.cpp 1d5b080c809248bdf4c76ddad382d714692c804b
>
>
> Diff: https://reviews.apache.org/r/61171/diff/5/
>
>
> Testing
> -------
>
> ```shell
> make check
> ```
>
> Manual test:
>
> ```shell
> mkdir -p /tmp/mesos/master
> mkdir -p /tmp/mesos/agent
>
> # Create credentials
> cat <<EOF > /tmp/mesos/credentials.txt
> hal-9000 dave
> glados potato
> skynet connor
> EOF
>
> # Create ACLs
> cat <<EOF > /tmp/mesos/acls.json
> {
>   "permissive": true,
>   "view_roles" : [
>     {
>       "principals" : { "type" : "ANY" },
>       "roles" : { "values" : ["*"] }
>     },
>     {
>       "principals" : { "values" : ["hal-9000"] },
>       "roles" : { "values" : ["space-odyssey"] }
>     },
>     {
>       "principals" : { "values" : ["hal-9000"] },
>       "roles" : { "type" : "NONE" }
>     },
>     {
>       "principals" : { "values" : ["glados"] },
>       "roles" : { "values" : ["portal"] }
>     },
>     {
>       "principals" : { "values" : ["glados"] },
>       "roles" : { "type" : "NONE" }
>     },
>     {
>       "principals" : { "values" : ["skynet"] },
>       "roles" : { "values" : ["terminator"] }
>     },
>     {
>       "principals" : { "values" : ["skynet"] },
>       "roles" : { "type" : "NONE" }
>     }
>   ]
> }
> EOF
>
> # Launch Master with some predefined roles.
> ./bin/mesos-master.sh \
>     --work_dir=/tmp/mesos/master \
>     --log_dir=/tmp/mesos/master/log \
>     --authenticate_http \
>     --credentials=/tmp/mesos/credentials.txt \
>     --authenticate_http_frameworks \
>     --http_framework_authenticators=basic \
>     --http_authenticators=basic \
>     --authenticate_http_readonly \
>     --acls=/tmp/mesos/acls.json \
>     --roles="space-odyssey,portal,terminator" &
>
> # Launch Agent with static reservations for all roles.
> sudo ./bin/mesos-agent.sh \
>     --master=127.0.0.1:5050 \
>     --work_dir=/tmp/mesos/agent \
>     --authenticate_http_readwrite \
>     --http_authenticators=basic \
>     --http_credentials=/tmp/mesos/credentials.txt \
>     --acls=/tmp/mesos/acls.json \
>     --resources='cpus(space-odyssey):2;cpus(portal):2;cpus(*):4;mem(space-odyssey):250;mem(portal):250;mem(*):10360;ports(space-odyssey):[31000-32000];ports(portal):[32001-33000];ports(*):[33001-35000];disk(space-odyssey):250;disk(portal):250;disk(*):1000' &
>
> # Launch test framework.
> ./src/mesos-execute \
>     --master=127.0.0.1:5050 \
>     --command='while true; do echo "Hello World"; sleep 5; done;' \
>     --resources="cpus:1;mem:128;disk:32;ports:[31002-31003]" \
>     --role=space-odyssey \
>     --name=hello-discovery \
>     --principal=hal-9000 \
>     --secret=dave &
>
> # Create a dynamic reservation.
> cat > /tmp/resources.json <<EOM
> [
>   {
>     "name": "cpus",
>     "type": "SCALAR",
>     "scalar": { "value": 2 },
>     "role": "terminator",
>     "reservation": {
>       "principal": "skynet"
>     }
>   },
>   {
>     "name": "mem",
>     "type": "SCALAR",
>     "scalar": { "value": 250 },
>     "role": "terminator",
>     "reservation": {
>       "principal": "skynet"
>     }
>   },
>   {
>     "name": "disk",
>     "type": "SCALAR",
>     "scalar": { "value": 250 },
>     "role": "terminator",
>     "reservation": {
>       "principal": "skynet"
>     }
>   },
>   {
>     "name": "ports",
>     "type": "RANGES",
>     "ranges": {
>       "range": [
>         {
>           "begin": 33001,
>           "end": 34000
>         }
>       ]
>     },
>     "role": "terminator",
>     "reservation": {
>       "principal": "skynet"
>     }
>   }
> ]
> EOM
>
> http \
>     -a skynet:connor \
>     -f POST \
>     127.0.0.1:5050/master/reserve \
>     slaveId=${SLAVE_ID} \
>     resources=@/tmp/resources.json
>
>
> # Create some quota.
> cat > /tmp/quota.json <<EOM
> {
>   "role": "portal",
>   "guarantee": [
>     {
>       "name": "cpus",
>       "type": "SCALAR",
>       "scalar": { "value": 2 }
>     },
>     {
>       "name": "mem",
>       "type": "SCALAR",
>       "scalar": { "value": 250 }
>     },
>     {
>       "name": "disk",
>       "type": "SCALAR",
>       "scalar": { "value": 250 }
>     }
>   ]
> }
> EOM
>
> http \
>     -a glados:potato \
>     POST \
>     127.0.0.1:5050/master/quota \
>     @/tmp/quota.json
>
>
> # Query the master with all users and check
> # that only the information of his role is
> # available.
> http -a glados:potato -v -j -f POST 127.0.0.1:5050/api/v1 type=GET_AGENTS
>
> http -a skynet:connor -v -j -f POST 127.0.0.1:5050/api/v1 type=GET_AGENTS
>
> http -a hal-9000:dave -v -j -f POST 127.0.0.1:5050/api/v1 type=GET_AGENTS
> ```
>
>
> Thanks,
>
> Alexander Rojas
>
>
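
The last review comment asks for a positive assertion as well as a negative one; the sketch below is an added example (not part of the review request, the patch, or Mesos) that derives each principal's viewable roles from the `view_roles` entries of the manual test and then checks a GET_AGENTS-shaped response for both leaked and missing roles. It assumes a simplified first-match reading of the ACL, counts any string-valued `role` field as a visible role, assumes every viewable role has resources on the agent as in the manual test, and uses constructed responses; all function names are hypothetical.

```python
# Added example: simplified first-match model of "view_roles" in acls.json; data is constructed.
ANY, NONE = {"type": "ANY"}, {"type": "NONE"}
VIEW_ROLES = [(ANY, {"values": ["*"]})]
for who, role in [("hal-9000", "space-odyssey"), ("glados", "portal"), ("skynet", "terminator")]:
    VIEW_ROLES += [({"values": [who]}, {"values": [role]}), ({"values": [who]}, NONE)]
ALL_ROLES = ["*", "space-odyssey", "portal", "terminator"]

def matches(entity, value):
    """ANY and NONE entries apply to every value, a value list to its members."""
    return "type" in entity or value in entity["values"]

def allows(entity, value):
    """ANY permits, NONE denies, a value list permits its members."""
    return entity.get("type") == "ANY" or value in entity.get("values", [])

def viewable_roles(principal, permissive=True):
    """Roles the principal may view; the first entry matching both sides decides."""
    allowed = set()
    for role in ALL_ROLES:
        verdict = permissive  # fallback when no entry matches
        for principals, roles in VIEW_ROLES:
            if matches(principals, principal) and matches(roles, role):
                verdict = allows(principals, principal) and allows(roles, role)
                break
        if verdict:
            allowed.add(role)
    return allowed

def roles_in(node):
    """Collect every string-valued "role" field anywhere in a JSON tree."""
    found = set()
    if isinstance(node, dict):
        if isinstance(node.get("role"), str):
            found.add(node["role"])
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            found |= roles_in(item)
    return found

def check_view(response, principal):
    """Return (leaked, missing): roles shown but not viewable, viewable but absent."""
    seen, ok = roles_in(response), viewable_roles(principal)
    return sorted(seen - ok), sorted(ok - seen)

def sample_response(roles):
    """Constructed GET_AGENTS-shaped response: one cpus resource per role."""
    res = [{"name": "cpus", "type": "SCALAR", "scalar": {"value": 2}, "role": r} for r in roles]
    return {"type": "GET_AGENTS", "get_agents": {"agents": [{"total_resources": res}]}}
```

A response stripped of all role information yields an empty `leaked` list but a non-empty `missing` list, which is the case a leak-only expectation lets through. Under this model a principal with no entry of its own falls through to `permissive`, so with `"permissive": true` it can view every role.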
