Apache Mesos
This interface represents a function object returned by the authorizer which can be used locally (and synchronously) to check whether a specific object is authorized.
#include <authorizer.hpp>
Classes
    struct Object

Public Member Functions
    virtual Try<bool> approved(const Option<Object>& object) const noexcept = 0
        This method returns whether access to the specified object is authorized or not, or Error.
    virtual ~ObjectApprover() = default
This interface represents a function object returned by the authorizer which can be used locally (and synchronously) to check whether a specific object is authorized.
Authorizer implementations must ensure that ObjectApprover is valid throughout its lifetime (by updating the internal state of ObjectApprover if/when necessary). Components on the Mesos side are allowed to store ObjectApprovers for long-lived authorization subjects indefinitely (as long as they have a potential need to authorize objects for the corresponding subject-action pair) and can rely on ObjectApprover being valid at any time.
~ObjectApprover() [virtual, default]

approved() [pure virtual, noexcept]
This method returns whether access to the specified object is authorized or not, or Error.
The Error is returned in case of:
    Object provided by Mesos is invalid
Note that this method is not idempotent; the result might change due to modifications of internal state of ObjectApprover performed by the authorizer to keep ObjectApprover valid.
For example, if the authorizer is backed by an external IAM, from which it fetches permissions, changing permissions for the authorization Subject in the IAM might result in the response changing from false to true for the same Object. Also, in this example, failure to keep permissions up-to-date due to malfunctions of the IAM/network will be reported as an Error being returned by this method until the permissions are updated successfully.
NOTE: As this method can be used synchronously by actors, it is essential that its implementation does not block. Specifically, calling blocking libprocess functions from this method can cause deadlock!
Implemented in mesos::AcceptingObjectApprover.
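A sketch of the contract described above, added here as an example and not taken from the Mesos code base: an approver that answers only from the last permission snapshot its authorizer published, so approved() never blocks, and a caller that fails closed by treating false and Error alike as a denial. TryBool, Object, Snapshot, SnapshotApprover, publish and allow are stand-ins or hypothetical names; stout's Try and Option are replaced by std::variant and std::optional.

```cpp
#include <atomic>
#include <memory>
#include <optional>
#include <set>
#include <string>
#include <utility>
#include <variant>

// Stand-ins (assumptions) for stout's Error, Try<bool> and Option<Object>,
// so the sketch compiles without the Mesos headers.
struct Error { std::string message; };
using TryBool = std::variant<bool, Error>;
struct Object { std::string value; };

// Hypothetical permission snapshot fetched from an external IAM.
struct Snapshot { bool fresh; std::set<std::string> allowed; };

class SnapshotApprover {
 public:
  // Called by the authorizer's refresh path, never from approved().
  void publish(Snapshot s) {
    std::shared_ptr<const Snapshot> next = std::make_shared<Snapshot>(std::move(s));
    std::atomic_store(&snapshot_, next);
  }

  // Reads the last published snapshot only: no I/O, no waiting on the IAM.
  TryBool approved(const std::optional<Object>& object) const noexcept {
    std::shared_ptr<const Snapshot> s = std::atomic_load(&snapshot_);
    if (!s || !s->fresh) return Error{"permissions are not up to date"};
    // Assumption of this sketch: a missing or empty object counts as invalid.
    if (!object || object->value.empty()) return Error{"invalid object"};
    return s->allowed.count(object->value) > 0;
  }

 private:
  std::shared_ptr<const Snapshot> snapshot_;
};

// Caller side, failing closed: only an explicit `true` grants access.
bool allow(const SnapshotApprover& approver, const Object& object) {
  const TryBool result = approver.approved(object);
  const bool* ok = std::get_if<bool>(&result);
  return ok != nullptr && *ok;
}
```

Because the result can change between calls, a caller that stores the approver should call approved() again for each decision instead of caching an earlier answer.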