mesos-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From m.@apache.org
Subject [1/4] mesos git commit: Added authorization actions VIEW_CONTAINERS and SET_LOG_LEVEL.
Date Wed, 14 Dec 2016 03:37:21 GMT
Repository: mesos
Updated Branches:
  refs/heads/master bf223671a -> 959b97e90


Added authorization actions VIEW_CONTAINERS and SET_LOG_LEVEL.

Adds the authorization action `VIEW_CONTAINERS` which takes an object
of type `FrameworkInfo` and `ExecutorInfo` and optionally a
`CommandInfo`.

It also adds the authorization action `SET_LOG_LEVEL` which takes no
object.

Includes testing for the ACLs and interface.

Review: https://reviews.apache.org/r/54535/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/9ec8b5e9
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/9ec8b5e9
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/9ec8b5e9

Branch: refs/heads/master
Commit: 9ec8b5e9256e3001cfbedb17ca6272dfe31db73a
Parents: bf22367
Author: Alexander Rojas <alexander@mesosphere.io>
Authored: Tue Dec 13 17:01:11 2016 -0800
Committer: Adam B <adam@mesosphere.io>
Committed: Tue Dec 13 17:01:11 2016 -0800

----------------------------------------------------------------------
 include/mesos/authorizer/acls.proto       |  24 ++++
 include/mesos/authorizer/authorizer.proto |   7 ++
 src/authorizer/local/authorizer.cpp       |  48 ++++++++
 src/tests/authorization_tests.cpp         | 152 +++++++++++++++++++++++++
 4 files changed, 231 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/9ec8b5e9/include/mesos/authorizer/acls.proto
----------------------------------------------------------------------
diff --git a/include/mesos/authorizer/acls.proto b/include/mesos/authorizer/acls.proto
index 3499cac..fd25e54 100644
--- a/include/mesos/authorizer/acls.proto
+++ b/include/mesos/authorizer/acls.proto
@@ -345,6 +345,28 @@ message ACL {
     // nested containers can be waited on.
     required Entity users = 2;
   }
+
+  // Which principals are authorized to see the container metadata of a
+  // container whose executor is running as the given operating system user.
+  message ViewContainer {
+    // Subjects: HTTP Username.
+    required Entity principals = 1;
+
+    // Objects: The list of operating system users (e.g., linux users) whose
+    // container metadata can viewed.
+    required Entity users = 2;
+  }
+
+  // Which principals are authorized to change the log level of the
+  // master/agent.
+  message SetLogLevel {
+    // Subjects: HTTP Username.
+    required Entity principals = 1;
+
+    // Objects: Given implicitly. Use Entity type ANY or NONE to allow or deny
+    // access.
+    required Entity level = 2;
+  }
 }
 
 
@@ -408,4 +430,6 @@ message ACLs {
       launch_nested_container_sessions_under_parent_with_user = 28;
   repeated ACL.AttachContainerInput attach_containers_input = 29;
   repeated ACL.AttachContainerOutput attach_containers_output = 30;
+  repeated ACL.ViewContainer view_containers = 31;
+  repeated ACL.SetLogLevel set_log_level = 32;
 }

http://git-wip-us.apache.org/repos/asf/mesos/blob/9ec8b5e9/include/mesos/authorizer/authorizer.proto
----------------------------------------------------------------------
diff --git a/include/mesos/authorizer/authorizer.proto b/include/mesos/authorizer/authorizer.proto
index b7371cd..8b860a3 100644
--- a/include/mesos/authorizer/authorizer.proto
+++ b/include/mesos/authorizer/authorizer.proto
@@ -174,6 +174,13 @@ enum Action {
 
   // This action will set objects of type `ExecutorInfo` and `FrameworkInfo`.
   ATTACH_CONTAINER_OUTPUT = 24;
+
+  // This action will set objects of type `ExecutorInfo` and `FrameworkInfo`.
+  VIEW_CONTAINER = 25;
+
+  // This action will not fill in any object fields, since a principal is
+  // either allowed to change the log level or he is unauthorized.
+  SET_LOG_LEVEL = 26;
 }
 
 

http://git-wip-us.apache.org/repos/asf/mesos/blob/9ec8b5e9/src/authorizer/local/authorizer.cpp
----------------------------------------------------------------------
diff --git a/src/authorizer/local/authorizer.cpp b/src/authorizer/local/authorizer.cpp
index 3b983d0..b98e1fc 100644
--- a/src/authorizer/local/authorizer.cpp
+++ b/src/authorizer/local/authorizer.cpp
@@ -487,6 +487,26 @@ public:
 
           break;
         }
+        case authorization::VIEW_CONTAINER: {
+          aclObject.set_type(mesos::ACL::Entity::ANY);
+
+          if (object->executor_info != nullptr &&
+              object->executor_info->command().has_user()) {
+            aclObject.add_values(object->executor_info->command().user());
+            aclObject.set_type(mesos::ACL::Entity::SOME);
+          } else if (object->framework_info != nullptr &&
+              object->framework_info->has_user()) {
+            aclObject.add_values(object->framework_info->user());
+            aclObject.set_type(mesos::ACL::Entity::SOME);
+          }
+
+          break;
+        }
+        case authorization::SET_LOG_LEVEL: {
+          aclObject.set_type(mesos::ACL::Entity::ANY);
+
+          break;
+        }
         case authorization::UNKNOWN:
           LOG(WARNING) << "Authorization for action '" << action_
                        << "' is not defined and therefore not authorized";
@@ -1005,6 +1025,28 @@ private:
 
         return acls_;
         break;
+      case authorization::SET_LOG_LEVEL:
+        foreach (const ACL::SetLogLevel& acl, acls.set_log_level()) {
+          GenericACL acl_;
+          acl_.subjects = acl.principals();
+          acl_.objects = acl.level();
+
+          acls_.push_back(acl_);
+        }
+
+        return acls_;
+        break;
+      case authorization::VIEW_CONTAINER:
+        foreach (const ACL::ViewContainer& acl, acls.view_containers()) {
+          GenericACL acl_;
+          acl_.subjects = acl.principals();
+          acl_.objects = acl.users();
+
+          acls_.push_back(acl_);
+        }
+
+        return acls_;
+        break;
       case authorization::LAUNCH_NESTED_CONTAINER_SESSION:
       case authorization::LAUNCH_NESTED_CONTAINER:
         return Error("Extracting ACLs for launching nested containers requires "
@@ -1079,6 +1121,12 @@ Option<Error> LocalAuthorizer::validate(const ACLs& acls)
     }
   }
 
+  foreach (const ACL::SetLogLevel& acl, acls.set_log_level()) {
+    if (acl.level().type() == ACL::Entity::SOME) {
+      return Error("acls.set_log_level type must be either NONE or ANY");
+    }
+  }
+
   foreach (const ACL::GetEndpoint& acl, acls.get_endpoints()) {
     if (acl.paths().type() == ACL::Entity::SOME) {
       foreach (const string& path, acl.paths().values()) {

http://git-wip-us.apache.org/repos/asf/mesos/blob/9ec8b5e9/src/tests/authorization_tests.cpp
----------------------------------------------------------------------
diff --git a/src/tests/authorization_tests.cpp b/src/tests/authorization_tests.cpp
index f70d60d..42edecc 100644
--- a/src/tests/authorization_tests.cpp
+++ b/src/tests/authorization_tests.cpp
@@ -1919,6 +1919,105 @@ TYPED_TEST(AuthorizationTest, ViewFramework)
 }
 
 
+// This tests the authorization of requests to ViewContainer.
+TYPED_TEST(AuthorizationTest, ViewContainer)
+{
+  // Setup ACLs.
+  ACLs acls;
+
+  {
+    // "foo" principal can view no containers.
+    mesos::ACL::ViewContainer* acl = acls.add_view_containers();
+    acl->mutable_principals()->add_values("foo");
+    acl->mutable_users()->set_type(mesos::ACL::Entity::NONE);
+  }
+
+  {
+    // "bar" principal can see containers running under user "bar".
+    mesos::ACL::ViewContainer* acl = acls.add_view_containers();
+    acl->mutable_principals()->add_values("bar");
+    acl->mutable_users()->add_values("bar");
+  }
+
+  {
+    // "ops" principal can see all containers.
+    mesos::ACL::ViewContainer* acl = acls.add_view_containers();
+    acl->mutable_principals()->add_values("ops");
+    acl->mutable_users()->set_type(mesos::ACL::Entity::ANY);
+  }
+
+  {
+    // No one else can view any containers.
+    mesos::ACL::ViewContainer* acl = acls.add_view_containers();
+    acl->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
+    acl->mutable_users()->set_type(mesos::ACL::Entity::NONE);
+  }
+
+  // Create an `Authorizer` with the ACLs.
+  Try<Authorizer*> create = TypeParam::create(parameterize(acls));
+  ASSERT_SOME(create);
+  Owned<Authorizer> authorizer(create.get());
+
+  // Create FrameworkInfo with a generic user as object to be authorized.
+  FrameworkInfo frameworkInfo;
+  {
+    frameworkInfo.set_user("user");
+    frameworkInfo.set_name("f");
+  }
+
+  // Create FrameworkInfo with user "bar" as object to be authorized.
+  FrameworkInfo frameworkInfoBar;
+  {
+    frameworkInfoBar.set_user("bar");
+    frameworkInfoBar.set_name("f");
+  }
+
+  // Principal "foo" cannot view containers running with user "user".
+  {
+    authorization::Request request;
+    request.set_action(authorization::VIEW_CONTAINER);
+    request.mutable_subject()->set_value("foo");
+    request.mutable_object()->mutable_framework_info()->MergeFrom(
+        frameworkInfo);
+
+    AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
+  }
+
+  // Principal "bar" cannot view containers running with user "user".
+  {
+    authorization::Request request;
+    request.set_action(authorization::VIEW_CONTAINER);
+    request.mutable_subject()->set_value("bar");
+    request.mutable_object()->mutable_framework_info()->MergeFrom(
+        frameworkInfo);
+
+    AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
+  }
+
+  // Principal "ops" can view containers running with user "user".
+  {
+    authorization::Request request;
+    request.set_action(authorization::VIEW_CONTAINER);
+    request.mutable_subject()->set_value("ops");
+    request.mutable_object()->mutable_framework_info()->MergeFrom(
+        frameworkInfo);
+
+    AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+  }
+
+  // Principal "bar" can view containers running with user "bar".
+  {
+    authorization::Request request;
+    request.set_action(authorization::VIEW_CONTAINER);
+    request.mutable_subject()->set_value("bar");
+    request.mutable_object()->mutable_framework_info()->MergeFrom(
+        frameworkInfoBar);
+
+    AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+  }
+}
+
+
 // This tests the authorization of requests to ViewTasks.
 TYPED_TEST(AuthorizationTest, ViewTask)
 {
@@ -3825,6 +3924,59 @@ TYPED_TEST(AuthorizationTest, ViewFlags)
 }
 
 
+TYPED_TEST(AuthorizationTest, SetLogLevel)
+{
+  // Setup ACLs.
+  ACLs acls;
+
+  {
+    // "foo" principal can set log level.
+    mesos::ACL::SetLogLevel* acl = acls.add_set_log_level();
+    acl->mutable_principals()->add_values("foo");
+    acl->mutable_level()->set_type(mesos::ACL::Entity::ANY);
+  }
+
+  {
+    // Nobody else can set log level.
+    mesos::ACL::SetLogLevel* acl = acls.add_set_log_level();
+    acl->mutable_principals()->set_type(mesos::ACL::Entity::ANY);
+    acl->mutable_level()->set_type(mesos::ACL::Entity::NONE);
+  }
+
+  // Create an `Authorizer` with the ACLs.
+  Try<Authorizer*> create = TypeParam::create(parameterize(acls));
+  ASSERT_SOME(create);
+  Owned<Authorizer> authorizer(create.get());
+
+  {
+    authorization::Request request;
+    request.set_action(authorization::SET_LOG_LEVEL);
+    request.mutable_subject()->set_value("foo");
+
+    AWAIT_EXPECT_TRUE(authorizer.get()->authorized(request));
+  }
+
+  {
+    authorization::Request request;
+    request.set_action(authorization::SET_LOG_LEVEL);
+    request.mutable_subject()->set_value("bar");
+    AWAIT_EXPECT_FALSE(authorizer.get()->authorized(request));
+  }
+
+  // Test that no authorizer is created with invalid ACLs.
+  {
+    ACLs invalid;
+
+    mesos::ACL::SetLogLevel* acl = invalid.add_set_log_level();
+    acl->mutable_principals()->add_values("foo");
+    acl->mutable_level()->add_values("yoda");
+
+    Try<Authorizer*> create = TypeParam::create(parameterize(invalid));
+    EXPECT_ERROR(create);
+  }
+}
+
+
 // This tests the authorization of ACLs used for unreserve
 // operations on dynamically reserved resources.
 TYPED_TEST(AuthorizationTest, ValidateEndpoints)


Mime
View raw message