Apache Mesos
authorization.hpp
Go to the documentation of this file.
1 // Licensed to the Apache Software Foundation (ASF) under one
2 // or more contributor license agreements. See the NOTICE file
3 // distributed with this work for additional information
4 // regarding copyright ownership. The ASF licenses this file
5 // to you under the Apache License, Version 2.0 (the
6 // "License"); you may not use this file except in compliance
7 // with the License. You may obtain a copy of the License at
8 //
9 // http://www.apache.org/licenses/LICENSE-2.0
10 //
11 // Unless required by applicable law or agreed to in writing, software
12 // distributed under the License is distributed on an "AS IS" BASIS,
13 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 // See the License for the specific language governing permissions and
15 // limitations under the License.
16 
17 #ifndef __MASTER_AUTHORIZATION_HPP__
18 #define __MASTER_AUTHORIZATION_HPP__
19 
20 #include <ostream>
21 #include <string>
22 #include <vector>
23 
24 #include <stout/option.hpp>
25 #include <stout/try.hpp>
26 
27 #include <mesos/mesos.hpp>
28 #include <mesos/resources.hpp>
29 
30 #include <mesos/authorizer/authorizer.pb.h>
31 
32 namespace mesos {
33 namespace authorization {
34 
35 
36 class ActionObject
37 {
38 public:
39  Action action() const { return action_; }
40 
41  const Option<Object>& object() const& { return object_; }
42  Option<Object>&& object() && { return std::move(object_); }
43 
44  // Returns action-object pair for authorizing a task launch.
45  static ActionObject taskLaunch(
46  const TaskInfo& task,
47  const FrameworkInfo& framework);
48 
49  // Returns action-object pair for authorizing
50  // framework (re)registration or update.
51  static ActionObject frameworkRegistration(
52  const FrameworkInfo& frameworkInfo);
53 
54  // Returns action-object pair(s) for authorizing agent re(registration).
55  static std::vector<ActionObject> agentRegistration(
56  const SlaveInfo& slaveInfo);
57 
58  // Methods that return action-object pair(s) for authorizing
59  // offer operations other than LAUNCH/LAUNCH_GROUP.
60  //
61  // NOTE: these methods rely on the caller to ensure that operation
62  // resources are in post-reservation-refinement format.
63  // Otherwise, they may crash the program.
64 
65  static std::vector<ActionObject> unreserve(
66  const Offer::Operation::Unreserve& unreserve);
67 
68  static std::vector<ActionObject> reserve(
69  const Offer::Operation::Reserve& reserve);
70 
71  static std::vector<ActionObject> createVolume(
72  const Offer::Operation::Create& create);
73 
74  static std::vector<ActionObject> destroyVolume(
75  const Offer::Operation::Destroy& destroy);
76 
77  static ActionObject growVolume(
78  const Offer::Operation::GrowVolume& grow);
79 
80  static ActionObject shrinkVolume(
81  const Offer::Operation::ShrinkVolume& shrink);
82 
83  // Returns Error if disk type is not supported.
84  //
85  // TODO(asekretenko): Change return type to ActionObject after
86  // authorization of invalid operations no longer occurs (see MESOS-10083).
87  static Try<ActionObject> createDisk(
88  const Offer::Operation::CreateDisk& createDisk);
89 
90  // Returns Error if disk type is not supported.
91  //
92  // TODO(asekretenko): Change return type to ActionObject after
93  // authorization of invalid operations no longer occurs (see MESOS-10083).
94  static Try<ActionObject> destroyDisk(
95  const Offer::Operation::DestroyDisk& destroyDisk);
96 
97 private:
98  Action action_;
99  Option<Object> object_;
100 
101  ActionObject(Action action, Option<Object>&& object)
102  : action_(action), object_(object){};
103 
104  // Returns an action-object pair for the case that commonly
105  // occurs when authorizing non-LAUNCH operations: sets `action`,
106  // `object.resource` and `object.value`.
107  //
108  // NOTE: the deprecated `object.value` field is set to support legacy
109  // authorizers that have not been upgraded to look at `object.resource`.
110  static ActionObject fromResourceWithLegacyValue(
111  Action action,
112  const Resource& resource,
113  std::string value_);
114 
115  // Helper method for `reserve()`/`unreserve()`.
116  //
117  // For each resource reserved with a principal, pushes into `result` an
118  // ActionObject needed for unreserving it. If there are resources reserved
119  // without a principal, an UNRESERVE_RESOURCE for ANY object is also added
120  // (see MESOS-9562).
121  //
122  // NOTE: Since the UNRESERVE operation only "pops" one reservation off the
123  // stack of reservations, only principals of the most refined reservations
124  // (i.e. ones that will be unreserved) are used.
125  //
126  // NOTE: Currently, validation of RESERVE operations prevents creating
127  // reservation without a principal, so they should not exist in new
128  // clusters.
129  static void pushUnreserveActionObjects(
130  const Resources& resources,
131  std::vector<ActionObject>* result);
132 };
133 
134 // Outputs human-readable description of an ActionObject.
135 //
136 // NOTE: For more convenient use in authorization-related messages
137 // ("Authorizing principal 'baz' to launch task", "Forbidden to create disk...",
138 // and so on), the description starts with a verb.
139 //
140 // Output examples:
141 // - "launch task 123 of framework de-adbe-ef",
142 // - "perform action FOO_BAR on object '{task_info: ..., machine_id: ...}"
143 std::ostream& operator<<(
144  std::ostream& stream,
145  const ActionObject& actionObject);
146 
147 
148 } // namespace authorization {
149 } // namespace mesos {
150 
151 #endif // __MASTER_AUTHORIZATION_HPP__
Try
Definition: check.hpp:33
mesos::authorization::ActionObject::destroyDisk
static Try< ActionObject > destroyDisk(const Offer::Operation::DestroyDisk &destroyDisk)
mesos::authorization::ActionObject::reserve
static std::vector< ActionObject > reserve(const Offer::Operation::Reserve &reserve)
mesos::authorization::ActionObject::object
const Option< Object > & object() const &
Definition: authorization.hpp:41
mesos::Resources
Definition: resources.hpp:83
mesos::authorization::ActionObject
Definition: authorization.hpp:36
mesos::authorization::ActionObject::createDisk
static Try< ActionObject > createDisk(const Offer::Operation::CreateDisk &createDisk)
mesos::authorization::ActionObject::destroyVolume
static std::vector< ActionObject > destroyVolume(const Offer::Operation::Destroy &destroy)
mesos::authorization::ActionObject::unreserve
static std::vector< ActionObject > unreserve(const Offer::Operation::Unreserve &unreserve)
mesos::authorization::ActionObject::taskLaunch
static ActionObject taskLaunch(const TaskInfo &task, const FrameworkInfo &framework)
mesos
Definition: agent.hpp:25
mesos::authorization::ActionObject::frameworkRegistration
static ActionObject frameworkRegistration(const FrameworkInfo &frameworkInfo)
cgroups::destroy
process::Future< Nothing > destroy(const std::string &hierarchy, const std::string &cgroup="/")
mesos::authorization::ActionObject::agentRegistration
static std::vector< ActionObject > agentRegistration(const SlaveInfo &slaveInfo)
mesos::authorization::ActionObject::growVolume
static ActionObject growVolume(const Offer::Operation::GrowVolume &grow)
mesos::authorization::ActionObject::shrinkVolume
static ActionObject shrinkVolume(const Offer::Operation::ShrinkVolume &shrink)
mesos::authorization::operator<<
std::ostream & operator<<(std::ostream &stream, const ActionObject &actionObject)
mesos::authorization::ActionObject::createVolume
static std::vector< ActionObject > createVolume(const Offer::Operation::Create &create)
mesos::authorization::ActionObject::object
Option< Object > && object()&&
Definition: authorization.hpp:42
cgroups::create
Try< Nothing > create(const std::string &hierarchy, const std::string &cgroup, bool recursive=false)
mesos::authorization::ActionObject::action
Action action() const
Definition: authorization.hpp:39
Generated by   doxygen 1.8.11