mesos-commits mailing list archives

From m.@apache.org
Subject [3/3] mesos git commit: Added authentication to agent's /monitor/statistics endpoint.
Date Thu, 14 Apr 2016 11:35:57 GMT
Added authentication to agent's /monitor/statistics endpoint.

Review: https://reviews.apache.org/r/46085/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/e893f495
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/e893f495
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/e893f495

Branch: refs/heads/master
Commit: e893f4959ec6aa075ebcf721661172499f28a3d2
Parents: b372c8d
Author: Benjamin Bannier <benjamin.bannier@mesosphere.io>
Authored: Thu Apr 14 03:35:45 2016 -0700
Committer: Adam B <adam@mesosphere.io>
Committed: Thu Apr 14 03:35:45 2016 -0700

----------------------------------------------------------------------
 src/slave/http.cpp        |  4 ++-
 src/slave/slave.cpp       | 12 ++++++---
 src/slave/slave.hpp       |  3 ++-
 src/tests/slave_tests.cpp | 60 ++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 73 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/e893f495/src/slave/http.cpp
----------------------------------------------------------------------
diff --git a/src/slave/http.cpp b/src/slave/http.cpp
index 922aaad..3f96f2c 100644
--- a/src/slave/http.cpp
+++ b/src/slave/http.cpp
@@ -591,7 +591,9 @@ string Slave::Http::STATISTICS_HELP()
 }
 
 
-Future<Response> Slave::Http::statistics(const Request& request) const
+Future<Response> Slave::Http::statistics(
+    const Request& request,
+    const Option<string>& /* principal */) const
 {
   return statisticsLimiter->acquire()
     .then(defer(slave->self(), &Slave::usage))
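Review bot: The new `principal` argument of `Slave::Http::statistics` is accepted and then discarded, so this change adds authentication only. Any principal that authenticates in the realm receives the full usage statistics, and nothing in the visible lines performs an authorization check. The commented-out parameter name shows it is unused but not why. I would add a comment above the definition such as `// TODO: authorize 'principal'; for now every authenticated principal is served.` The same applies to the declaration in src/slave/slave.hpp. The function body continues past the end of this hunk.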

http://git-wip-us.apache.org/repos/asf/mesos/blob/e893f495/src/slave/slave.cpp
----------------------------------------------------------------------
diff --git a/src/slave/slave.cpp b/src/slave/slave.cpp
index 49fa4a0..de99e9e 100644
--- a/src/slave/slave.cpp
+++ b/src/slave/slave.cpp
@@ -742,16 +742,20 @@ void Slave::initialize()
           return http.health(request);
         });
   route("/monitor/statistics",
+        DEFAULT_HTTP_AUTHENTICATION_REALM,
         Http::STATISTICS_HELP(),
-        [http](const process::http::Request& request) {
-          return http.statistics(request);
+        [http](const process::http::Request& request,
+               const Option<string>& principal) {
+          return http.statistics(request, principal);
         });
   // TODO(ijimenez): Remove this endpoint at the end of the
   // deprecation cycle on 0.26.
   route("/monitor/statistics.json",
+        DEFAULT_HTTP_AUTHENTICATION_REALM,
         Http::STATISTICS_HELP(),
-        [http](const process::http::Request& request) {
-          return http.statistics(request);
+        [http](const process::http::Request& request,
+               const Option<string>& principal) {
+          return http.statistics(request, principal);
         });
 
   // Expose the log file for the webui. Fall back to 'log_dir' if
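Review bot: The registrations for `/monitor/statistics` and `/monitor/statistics.json` now repeat the same realm argument and the same lambda. A later edit could change one alias and leave the other with different, or no, authentication. Binding the handler once, `auto statistics = [http](const process::http::Request& request, const Option<string>& principal) { return http.statistics(request, principal); };`, and passing `statistics` to both `route` calls keeps the two aliases identical. Whether the realm actually rejects requests presumably depends on an authenticator being configured for it, which is not visible in this hunk. `Slave::initialize()` starts and ends outside the hunk.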

http://git-wip-us.apache.org/repos/asf/mesos/blob/e893f495/src/slave/slave.hpp
----------------------------------------------------------------------
diff --git a/src/slave/slave.hpp b/src/slave/slave.hpp
index 76f3aff..f78c1b4 100644
--- a/src/slave/slave.hpp
+++ b/src/slave/slave.hpp
@@ -448,7 +448,8 @@ private:
     // /slave/monitor/statistics
     // /slave/monitor/statistics.json
     process::Future<process::http::Response> statistics(
-        const process::http::Request& request) const;
+        const process::http::Request& request,
+        const Option<std::string>& /* principal */) const;
 
     static std::string EXECUTOR_HELP();
     static std::string FLAGS_HELP();

http://git-wip-us.apache.org/repos/asf/mesos/blob/e893f495/src/tests/slave_tests.cpp
----------------------------------------------------------------------
diff --git a/src/tests/slave_tests.cpp b/src/tests/slave_tests.cpp
index fd12f3b..ee58488 100644
--- a/src/tests/slave_tests.cpp
+++ b/src/tests/slave_tests.cpp
@@ -27,6 +27,8 @@
 #include <mesos/executor.hpp>
 #include <mesos/scheduler.hpp>
 
+#include <mesos/authentication/http/basic_authenticator_factory.hpp>
+
 #include <process/clock.hpp>
 #include <process/future.hpp>
 #include <process/gmock.hpp>
@@ -1830,6 +1832,64 @@ TEST_F(SlaveTest, StatisticsEndpointRunningExecutor)
 }
 
 
+// This test confirms that an agent's statistics endpoint is
+// authenticated. We rely on the agent implicitly having HTTP
+// authentication enabled.
+TEST_F(SlaveTest, StatisticsEndpointAuthentication)
+{
+  Try<Owned<cluster::Master>> master = StartMaster();
+  ASSERT_SOME(master);
+
+  Owned<MasterDetector> detector = master.get()->createDetector();
+
+  Try<Owned<cluster::Slave>> agent = StartSlave(detector.get());
+  ASSERT_SOME(agent);
+
+  const string statisticsEndpoints[] =
+    {"monitor/statistics", "monitor/statistics.json"};
+
+  foreach (const string& statisticsEndpoint, statisticsEndpoints) {
+    // Unauthenticated requests are rejected.
+    {
+      Future<Response> response = process::http::get(
+          agent.get()->pid,
+          statisticsEndpoint);
+
+      AWAIT_EXPECT_RESPONSE_STATUS_EQ(Unauthorized({}).status, response)
+          << response.get().body;
+    }
+
+    // Incorrectly authenticated requests are rejected.
+    {
+      Credential badCredential;
+      badCredential.set_principal("badPrincipal");
+      badCredential.set_secret("badSecret");
+
+      Future<Response> response = process::http::get(
+          agent.get()->pid,
+          statisticsEndpoint,
+          None(),
+          createBasicAuthHeaders(badCredential));
+
+      AWAIT_EXPECT_RESPONSE_STATUS_EQ(Unauthorized({}).status, response)
+          << response.get().body;
+    }
+
+    // Correctly authenticated requests succeed.
+    {
+      Future<Response> response = process::http::get(
+          agent.get()->pid,
+          statisticsEndpoint,
+          None(),
+          createBasicAuthHeaders(DEFAULT_CREDENTIAL));
+
+      AWAIT_EXPECT_RESPONSE_STATUS_EQ(OK().status, response)
+          << response.get().body;
+    }
+  }
+}
+
+
 // This test ensures that when a slave is shutting down, it will not
 // try to re-register with the master.
 TEST_F(SlaveTest, DISABLED_TerminatingSlaveDoesNotReregister)
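Review bot: The "incorrectly authenticated" case in `StatisticsEndpointAuthentication` changes both the principal and the secret, so it never shows that a known principal with a wrong secret is rejected. I would add a third negative case that keeps the valid principal, `badCredential.set_principal(DEFAULT_CREDENTIAL.principal());`, with `badCredential.set_secret("badSecret");`, and expect `Unauthorized({}).status` again. The leading comment also says the test relies on the agent implicitly having HTTP authentication enabled. Setting that explicitly in the flags passed to `StartSlave` would make the precondition visible in the test instead of inherited from the fixture defaults, which are not shown here.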

