Apache Mesos
mesos::Authorizer Class Reference (abstract)

This interface is used to enable an identity service or any other back end to check authorization policies for a set of predefined actions.

#include <authorizer.hpp>

Inherited by mesos::internal::LocalAuthorizer and mesos::internal::tests::MockAuthorizer.

Public Member Functions

virtual ~Authorizer ()
 
virtual process::Future< bool > authorized (const authorization::Request &request)=0
 Checks with the identity server back end whether request is allowed by the policies of the identity server.
 
virtual process::Future< std::shared_ptr< const ObjectApprover > > getApprover (const Option< authorization::Subject > &subject, const authorization::Action &action)=0
 Returns an ObjectApprover which can synchronously check authorization on an object.
 

Static Public Member Functions

static Try< Authorizer * > create (const std::string &name)
 Factory method used to create instances of authorizer which are loaded from the ModuleManager.
 
static Try< Authorizer * > create (const ACLs &acls)
 Factory method used to create instances of the default 'local' authorizer.
 

Protected Member Functions

 Authorizer ()
 

Detailed Description

This interface is used to enable an identity service or any other back end to check authorization policies for a set of predefined actions.

The authorized() method returns Future<bool>. If the action is allowed, the future is set to true, otherwise to false. A third possible outcome is that the future fails, which usually indicates that the back end could not be contacted or it does not understand the requested action. This may be a temporary condition.
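The three outcomes described above call for fail-closed handling in the caller. The following is an added example, not Mesos code: `Outcome`, `Backend`, `Decision`, `enforce` and `flaky` are hypothetical stand-ins that model the true, false and failed states of the returned future without depending on libprocess, and the subject and action strings are constructed.

```cpp
#include <functional>
#include <iostream>
#include <memory>
#include <string>

// Stand-in for the three outcomes of authorized(); NOT a Mesos type.
enum class Outcome { Allowed, Denied, Failed };

// Hypothetical back-end call standing in for authorizer->authorized(request).
using Backend = std::function<Outcome(const std::string&, const std::string&)>;

struct Decision {
  bool permit;        // final enforcement decision
  int attempts;       // back-end calls made
  bool backendError;  // denial caused by a failed future, not by policy
};

// Fail closed: only an explicit "true" permits. A failure may be temporary,
// so retry up to maxAttempts, then deny and flag it for separate alerting.
Decision enforce(const Backend& backend, const std::string& subject,
                 const std::string& action, int maxAttempts) {
  Decision d{false, 0, false};
  while (d.attempts < maxAttempts) {
    ++d.attempts;
    switch (backend(subject, action)) {
      case Outcome::Allowed: return Decision{true, d.attempts, false};
      case Outcome::Denied:  return Decision{false, d.attempts, false};
      case Outcome::Failed:  d.backendError = true; break;
    }
  }
  return d;
}

// Constructed back end: fails `failures` times, then answers `then`.
Backend flaky(int failures, Outcome then) {
  auto remaining = std::make_shared<int>(failures);
  return [remaining, then](const std::string&, const std::string&) {
    if (*remaining > 0) { --*remaining; return Outcome::Failed; }
    return then;
  };
}

int main() {
  Decision d = enforce(flaky(5, Outcome::Allowed), "alice", "launch-task", 3);
  std::cout << "permit=" << d.permit << " attempts=" << d.attempts
            << " backendError=" << d.backendError << "\n";
  return 0;
}
```

Keeping `backendError` separate from a policy denial lets operators tell an unreachable identity back end apart from a subject that is genuinely not allowed.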

A description of the behavior of the default implementation of this interface can be found in "docs/authorization.md".

See also
authorizer.proto

Constructor & Destructor Documentation

virtual mesos::Authorizer::~Authorizer ( )
inline virtual

mesos::Authorizer::Authorizer ( )
inline protected

Member Function Documentation

virtual process::Future<bool> mesos::Authorizer::authorized ( const authorization::Request &  request)
pure virtual

Checks with the identity server back end whether request is allowed by the policies of the identity server, i.e. request.subject can perform request.action with request.object. For details on how the request is built and what its parts are, refer to "authorizer.proto".

Parameters
request: authorization::Request instance packing all the parameters needed to verify whether a subject can perform a given action with an object.
Returns
The future is set to true if the action is allowed, otherwise to false. A failed future indicates a problem processing the request, and it might be retried in the future.

Implemented in mesos::internal::LocalAuthorizer.

static Try<Authorizer*> mesos::Authorizer::create ( const std::string &  name)
static

Factory method used to create instances of authorizer which are loaded from the ModuleManager.

The parameters necessary to instantiate the authorizer are taken from the contents of the --modules flag.

Parameters
name: The name of the module to be loaded as registered in the --modules flag.
Returns
An instance of Authorizer* if the module with the given name could be constructed. An error otherwise.

static Try<Authorizer*> mesos::Authorizer::create ( const ACLs &  acls)
static

Factory method used to create instances of the default 'local' authorizer.

Parameters
acls: The access control lists used to initialize the 'local' authorizer.
Returns
An instance of the default 'local' authorizer.

virtual process::Future<std::shared_ptr<const ObjectApprover> > mesos::Authorizer::getApprover ( const Option< authorization::Subject > &  subject, const authorization::Action &  action )
pure virtual

Returns an ObjectApprover which can synchronously check authorization on an object.

The returned ObjectApprover is valid throughout its whole lifetime or the lifetime of the authorizer, whichever is shorter.

Calls to the approved(...) method can return different values depending on the internal state maintained by the authorizer (which can change due to the need to keep ObjectApprover up-to-date).

Parameters
subject: authorization::Subject subject for which the ObjectApprover should be created.
action: authorization::Action action for which the ObjectApprover should be created.
Returns
An ObjectApprover for the given subject and action.

Implemented in mesos::internal::LocalAuthorizer.

