From ti...@apache.org
Subject [3/3] mesos git commit: Added flag for enabling HTTP authentication.
Date Fri, 08 Jan 2016 03:22:18 GMT
Added flag for enabling HTTP authentication.

Adds new `authenticate_http` flag to the master.
Also updates some tests that were using the credentials
for de/activating HTTP authentication.

Review: https://reviews.apache.org/r/42025/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/9f6a2aab
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/9f6a2aab
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/9f6a2aab

Branch: refs/heads/master
Commit: 9f6a2aab4717780c1e98a05b0f1be3a19a554d20
Parents: b294c3c
Author: Till Toenshoff <toenshoff@me.com>
Authored: Thu Jan 7 14:04:10 2016 +0100
Committer: Till Toenshoff <toenshoff@me.com>
Committed: Fri Jan 8 04:19:43 2016 +0100

----------------------------------------------------------------------
 docs/configuration.md            | 12 +++++++++
 src/master/flags.cpp             |  7 +++++
 src/master/flags.hpp             |  1 +
 src/master/master.cpp            | 51 ++++++++++++++++++++---------------
 src/tests/master_quota_tests.cpp |  8 +++---
 src/tests/mesos.cpp              |  1 +
 6 files changed, 54 insertions(+), 26 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/9f6a2aab/docs/configuration.md
----------------------------------------------------------------------
diff --git a/docs/configuration.md b/docs/configuration.md
index 705ea7a..cbe7f5a 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -336,6 +336,18 @@ file:///path/to/file (where file contains one of the above)</code></pre>
   </tr>
   <tr>
     <td>
+      --[no-]authenticate_http
+    </td>
+    <td>
+      If <code>true</code> only authenticated requests for HTTP endpoints
+      supporting authentication are allowed.
+      <p/>
+      If <code>false</code> unauthenticated HTTP endpoint requests are also allowed.
+      (default: false)
+    </td>
+  </tr>
+  <tr>
+    <td>
       --authenticators=VALUE
     </td>
     <td>

http://git-wip-us.apache.org/repos/asf/mesos/blob/9f6a2aab/src/master/flags.cpp
----------------------------------------------------------------------
diff --git a/src/master/flags.cpp b/src/master/flags.cpp
index de068ee..8890959 100644
--- a/src/master/flags.cpp
+++ b/src/master/flags.cpp
@@ -207,6 +207,13 @@ mesos::internal::master::Flags::Flags()
       "If 'false' unauthenticated slaves are also allowed to register.",
       false);
 
+  add(&Flags::authenticate_http,
+      "authenticate_http",
+      "If 'true' only authenticated requests for HTTP endpoints supporting\n"
+      "authentication are allowed.\n"
+      "If 'false' unauthenticated HTTP endpoint requests are also allowed.\n",
+      false);
+
   add(&Flags::credentials,
       "credentials",
       "Either a path to a text file with a list of credentials,\n"

http://git-wip-us.apache.org/repos/asf/mesos/blob/9f6a2aab/src/master/flags.hpp
----------------------------------------------------------------------
diff --git a/src/master/flags.hpp b/src/master/flags.hpp
index c3dae1c..d923b1b 100644
--- a/src/master/flags.hpp
+++ b/src/master/flags.hpp
@@ -66,6 +66,7 @@ public:
   Option<std::string> weights;
   bool authenticate_frameworks;
   bool authenticate_slaves;
+  bool authenticate_http;
   Option<Path> credentials;
   Option<ACLs> acls;
   Option<Firewall> firewall_rules;

http://git-wip-us.apache.org/repos/asf/mesos/blob/9f6a2aab/src/master/master.cpp
----------------------------------------------------------------------
diff --git a/src/master/master.cpp b/src/master/master.cpp
index 44c5193..2d9b7f9 100644
--- a/src/master/master.cpp
+++ b/src/master/master.cpp
@@ -522,30 +522,37 @@ void Master::initialize()
 
   Option<authentication::Authenticator*> httpAuthenticator;
 
-  if (httpAuthenticatorNames[0] == DEFAULT_HTTP_AUTHENTICATOR &&
-      credentials.isSome()) {
-    LOG(INFO) << "Using default '" << DEFAULT_HTTP_AUTHENTICATOR
-              << "' HTTP authenticator";
-
-    Try<authentication::Authenticator*> authenticator =
-      BasicAuthenticatorFactory::create(credentials.get());
-    if (authenticator.isError()) {
-      EXIT(1) << "Could not create HTTP authenticator module '"
-              << httpAuthenticatorNames[0] << "': " << authenticator.error();
-    }
+  if (flags.authenticate_http) {
+    if (httpAuthenticatorNames[0] == DEFAULT_HTTP_AUTHENTICATOR) {
+      if (credentials.isNone()) {
+        EXIT(1) << "No credentials provided for the default '"
+                << DEFAULT_HTTP_AUTHENTICATOR
+                << "' HTTP authenticator";
+      }
 
-    httpAuthenticator = authenticator.get();
-  } else if (httpAuthenticatorNames[0] != DEFAULT_HTTP_AUTHENTICATOR) {
-    Try<authentication::Authenticator*> module =
-      modules::ModuleManager::create<authentication::Authenticator>(
-          httpAuthenticatorNames[0]);
-    if (module.isError()) {
-      EXIT(1) << "Could not create HTTP authenticator module '"
-              << httpAuthenticatorNames[0] << "': " << module.error();
+      LOG(INFO) << "Using default '" << DEFAULT_HTTP_AUTHENTICATOR
+                << "' HTTP authenticator";
+
+      Try<authentication::Authenticator*> authenticator =
+        BasicAuthenticatorFactory::create(credentials.get());
+      if (authenticator.isError()) {
+        EXIT(1) << "Could not create HTTP authenticator module '"
+                << httpAuthenticatorNames[0] << "': " << authenticator.error();
+      }
+
+      httpAuthenticator = authenticator.get();
+    } else {
+      Try<authentication::Authenticator*> module =
+        modules::ModuleManager::create<authentication::Authenticator>(
+            httpAuthenticatorNames[0]);
+      if (module.isError()) {
+        EXIT(1) << "Could not create HTTP authenticator module '"
+                << httpAuthenticatorNames[0] << "': " << module.error();
+      }
+      LOG(INFO) << "Using '" << httpAuthenticatorNames[0]
+                << "' HTTP authenticator";
+      httpAuthenticator = module.get();
     }
-    LOG(INFO) << "Using '" << httpAuthenticatorNames[0]
-              << "' HTTP authenticator";
-    httpAuthenticator = module.get();
   }
 
   if (httpAuthenticator.isSome() && httpAuthenticator.get() != NULL) {
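Review bot: When `flags.authenticate_http` is false, the new outer `if` skips authenticator creation entirely and logs nothing, even if `--credentials` is set, whereas the removed code created the default authenticator whenever credentials were present. A master upgraded without adding the new flag would therefore appear to serve its HTTP endpoints unauthenticated, with no trace in the log. I would add a branch such as `} else if (credentials.isSome()) { LOG(WARNING) << "HTTP authentication is disabled; pass --authenticate_http to require it"; }` so the fail-open state is visible to operators. The flag help text in src/master/flags.cpp could also state that the default authenticator requires `--credentials`, since the master now exits without them. `Master::initialize()` starts and ends outside this hunk, so any earlier validation of `httpAuthenticatorNames` is not visible here.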

http://git-wip-us.apache.org/repos/asf/mesos/blob/9f6a2aab/src/tests/master_quota_tests.cpp
----------------------------------------------------------------------
diff --git a/src/tests/master_quota_tests.cpp b/src/tests/master_quota_tests.cpp
index 1bf08ab..776a168 100644
--- a/src/tests/master_quota_tests.cpp
+++ b/src/tests/master_quota_tests.cpp
@@ -1094,14 +1094,14 @@ TEST_F(MasterQuotaTest, NoAuthenticationNoAuthorization)
   TestAllocator<> allocator;
   EXPECT_CALL(allocator, initialize(_, _, _, _));
 
-  // Disable authentication and authorization by providing neither
-  // credentials nor ACLs.
+  // Disable authentication and authorization.
   // TODO(alexr): Setting master `--acls` flag to `ACLs()` or `None()` seems
   // to be semantically equal, however, the test harness currently does not
   // allow `None()`. Once MESOS-4196 is resolved, use `None()` for clarity.
   master::Flags masterFlags = CreateMasterFlags();
-  masterFlags.credentials = None();
   masterFlags.acls = ACLs();
+  masterFlags.authenticate_http = false;
+  masterFlags.credentials = None();
 
   Try<PID<Master>> master = StartMaster(&allocator, masterFlags);
   ASSERT_SOME(master);
@@ -1353,9 +1353,9 @@ TEST_F(MasterQuotaTest, AuthorizeQuotaRequestsWithoutPrincipal)
   acl2->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
   acl2->mutable_quota_principals()->set_type(mesos::ACL::Entity::ANY);
 
-  // Disable authentication by not providing credentials.
   master::Flags masterFlags = CreateMasterFlags();
   masterFlags.acls = acls;
+  masterFlags.authenticate_http = false;
   masterFlags.credentials = None();
 
   Try<PID<Master>> master = StartMaster(&allocator, masterFlags);
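Review bot: The explanatory comment above `master::Flags masterFlags = CreateMasterFlags();` is removed in this hunk without a replacement, while the matching change in `NoAuthenticationNoAuthorization` keeps an updated one. The test defaults in src/tests/mesos.cpp now set `authenticate_http = true`, so a reader needs to be told why this test turns it off. I would add a comment above `masterFlags.authenticate_http = false;`, something like `// Disable HTTP authentication so that requests arrive without a principal.` (wording inferred from the test name, to be confirmed by the author). The test body continues outside the hunk.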

http://git-wip-us.apache.org/repos/asf/mesos/blob/9f6a2aab/src/tests/mesos.cpp
----------------------------------------------------------------------
diff --git a/src/tests/mesos.cpp b/src/tests/mesos.cpp
index 4208847..365ebe8 100644
--- a/src/tests/mesos.cpp
+++ b/src/tests/mesos.cpp
@@ -95,6 +95,7 @@ master::Flags MesosTest::CreateMasterFlags()
 
   CHECK_SOME(os::mkdir(flags.work_dir.get()));
 
+  flags.authenticate_http = true;
   flags.authenticate_frameworks = true;
   flags.authenticate_slaves = true;
 

