mesos-reviews mailing list archives

From Greg Mann <g...@mesosphere.io>
Subject Re: Review Request 61171: Enabled filtering of the 'GET_AGENTS' v1 API call.
Date Fri, 28 Jul 2017 00:24:17 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61171/#review181618
-----------------------------------------------------------



Looking good; one small comment below to consider.

We should definitely add a test case for this as well.


src/master/http.cpp
Lines 2518-2520 (original), 2553-2555 (patched)
<https://reviews.apache.org/r/61171/#comment257219>

    What about authorizing this field? It doesn't include dynamic reservation information,
    but there could be statically reserved resources with role information in `SlaveInfo`.
    I haven't verified that the recovered agents field does print the roles of static
    reservations, but it looks to me like it would?


- Greg Mann


On July 27, 2017, 7:48 a.m., Alexander Rojas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/61171/
> -----------------------------------------------------------
> 
> (Updated July 27, 2017, 7:48 a.m.)
> 
> 
> Review request for mesos, Adam B, Greg Mann, Quinn Leng, and Till Toenshoff.
> 
> 
> Bugs: MESOS-7416
>     https://issues.apache.org/jira/browse/MESOS-7416
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Enables filtering of the results of calls to the 'GET_AGENTS' v1
> API. It filters the contents of different resource entries based
> on the 'VIEW_ROLE' permissions of the principal making the request
> based on resource roles, allocation roles and reservations.
> 
> 
> Diffs
> -----
> 
>   src/common/protobuf_utils.hpp 2156f6d158bfee16d29aa3531bdd156af581df01 
>   src/common/protobuf_utils.cpp 4e5ab02c90ad8490efbcc471f7fd7c48be0c4678 
>   src/master/http.cpp 9df086c417a9392f62d600c7a6486be0a1cf7e70 
>   src/master/master.hpp 84465af782d4024f22463d981ef9d0ef7827d043 
> 
> 
> Diff: https://reviews.apache.org/r/61171/diff/2/
> 
> 
> Testing
> -------
> 
> ```shell
> mkdir -p /tmp/mesos/master
> mkdir -p /tmp/mesos/agent
> 
> # Create credentials
> cat <<EOF > /tmp/mesos/credentials.txt
> hal-9000 dave
> glados potato
> skynet connor
> EOF
> 
> # Create ACLs
> cat <<EOF > /tmp/mesos/acls.json
> {
>   "permissive": true,
>   "view_roles" : [
>    {
>      "principals" : { "type" : "ANY" },
>      "roles" : { "values" : ["*"] }
>    },
>    {
>      "principals" : { "values" : ["hal-9000"] },
>      "roles" : { "values" : ["space-odyssey"] }
>    },
>    {
>      "principals" : { "values" : ["hal-9000"] },
>      "roles" : { "type" : "NONE" }
>    },
>    {
>      "principals" : { "values" : ["glados"] },
>      "roles" : { "values" : ["portal"] }
>    },
>    {
>      "principals" : { "values" : ["glados"] },
>      "roles" : { "type" : "NONE" }
>    },
>    {
>      "principals" : { "values" : ["skynet"] },
>      "roles" : { "values" : ["terminator"] }
>    },
>    {
>      "principals" : { "values" : ["skynet"] },
>      "roles" : { "type" : "NONE" }
>    }
>   ]
> }
> EOF
> 
> # Launch Master with some predefined roles.
> ./bin/mesos-master.sh \
>     --work_dir=/tmp/mesos/master \
>     --log_dir=/tmp/mesos/master/log \
>     --authenticate_http \
>     --credentials=/tmp/mesos/credentials.txt \
>     --authenticate_http_frameworks \
>     --http_framework_authenticators=basic \
>     --http_authenticators=basic \
>     --authenticate_http_readonly \
>     --acls=/tmp/mesos/acls.json \
>     --roles="space-odyssey,portal,terminator" &
>     
> # Launch Agent with static reservations for all roles.
> sudo ./bin/mesos-agent.sh \
>     --master=127.0.0.1:5050 \
>     --work_dir=/tmp/mesos/agent \
>     --authenticate_http_readwrite \
>     --http_authenticators=basic \
>     --http_credentials=/tmp/mesos/credentials.txt \
>     --acls=/tmp/mesos/acls.json \
>     --resources='cpus(space-odyssey):2;cpus(portal):2;cpus(*):4;mem(space-odyssey):250;mem(portal):250;mem(*):10360;ports(space-odyssey):[31000-32000];ports(portal):[32001-33000];ports(*):[33001-35000];disk(space-odyssey):250;disk(portal):250;disk(*):1000' &
>     
> # Launch test framework.
> ./src/mesos-execute \
>     --master=127.0.0.1:5050 \
>     --command='while true; do echo "Hello World"; sleep 5; done;' \
>     --resources="cpus:1;mem:128;disk:32;ports:[31002-31003]" \
>     --role=space-odyssey \
>     --name=hello-discovery \
>     --principal=hal-9000 \
>     --secret=dave &
>     
> # Create a dynamic reservation.    
> cat > /tmp/resources.json <<EOM
> [
>   {
>     "name": "cpus",
>     "type": "SCALAR",
>     "scalar": { "value": 2 },
>     "role": "terminator",
>     "reservation": {
>       "principal": "skynet"
>     }
>   },
>   {
>     "name": "mem",
>     "type": "SCALAR",
>     "scalar": { "value": 250 },
>     "role": "terminator",
>     "reservation": {
>       "principal": "skynet"
>     }
>   },
>   {
>     "name": "disk",
>     "type": "SCALAR",
>     "scalar": { "value": 250 },
>     "role": "terminator",
>     "reservation": {
>       "principal": "skynet"
>     }
>   },
>   {
>     "name": "ports",
>     "type": "RANGES",
>     "ranges": {
>       "range": [
>         { 
>           "begin": 33001,
>           "end": 34000
>         }
>       ]
>     },
>     "role": "terminator",
>     "reservation": {
>       "principal": "skynet"
>     }
>   }
> ]
> EOM
> 
> # SLAVE_ID must be set to the ID of the agent launched above.
> http \
>     -a skynet:connor \
>     -f POST \
>     127.0.0.1:5050/master/reserve \
>     slaveId=${SLAVE_ID} \
>     resources=@/tmp/resources.json
>     
>     
> # Create some quota.
> cat > /tmp/quota.json <<EOM
> {
>   "role": "portal",
>   "guarantee": [
>     {
>       "name": "cpus",
>       "type": "SCALAR",
>       "scalar": { "value": 2 }
>     },
>     {
>       "name": "mem",
>       "type": "SCALAR",
>       "scalar": { "value": 250 }
>     },
>     {
>       "name": "disk",
>       "type": "SCALAR",
>       "scalar": { "value": 250 }
>     }
>   ]
> }
> EOM
> 
> http \
>     -a glados:potato \
>     POST \
>     127.0.0.1:5050/master/quota \
>     @/tmp/quota.json
>     
>     
> # Query the master with all users and check
> # that only the information of his role is
> # available.
> http -a glados:potato -v -j -f POST 127.0.0.1:5050/api/v1 type=GET_AGENTS
> 
> http -a skynet:connor -v -j -f POST 127.0.0.1:5050/api/v1 type=GET_AGENTS
> 
> http -a hal-9000:dave -v -j -f POST 127.0.0.1:5050/api/v1 type=GET_AGENTS
> ```
> 
> 
> Thanks,
> 
> Alexander Rojas
> 
>
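
The role-based filtering described in the review request, with the same filter applied to recovered agents as the reply asks about, shown as an added example that is not part of the original thread or the Mesos code base. It is a simplified C++ model: the types, function names and the first-match ACL evaluation are assumptions, and the sample agents are constructed.

```cpp
// Added example: simplified model, not Mesos source. Type and function names
// are hypothetical stand-ins; the sample agents are constructed.
#include <algorithm>
#include <string>
#include <vector>
struct Resource { std::string name, role; };  // role "*" = unreserved
struct AgentInfo { std::string id; std::vector<Resource> resources; };
struct GetAgents { std::vector<AgentInfo> agents, recovered_agents; };
// One view_roles entry: principal "" models type ANY, role "" models type NONE.
struct ViewRoleAcl { std::string principal, role; };
using Acls = std::vector<ViewRoleAcl>;
// Assumed first-match semantics: the first entry whose principal applies and
// whose roles cover the request decides; NONE covers every role and denies.
bool canViewRole(const Acls& acls, bool permissive,
                 const std::string& principal, const std::string& role) {
  for (const ViewRoleAcl& acl : acls) {
    if (!acl.principal.empty() && acl.principal != principal) continue;
    if (acl.role.empty()) return false;
    if (acl.role == role) return true;
  }
  return permissive;  // no entry decided
}

// Same filter for registered and recovered agents (static reservation roles).
GetAgents filterGetAgents(const Acls& acls, bool permissive,
                          const std::string& principal, GetAgents response) {
  auto strip = [&](std::vector<AgentInfo>& list) {
    for (AgentInfo& agent : list) {
      auto& r = agent.resources;
      r.erase(std::remove_if(r.begin(), r.end(), [&](const Resource& x) {
        return !canViewRole(acls, permissive, principal, x.role); }), r.end());
    }
  };
  strip(response.agents);
  strip(response.recovered_agents);
  return response;
}
Acls sampleAcls() {  // the view_roles entries from the test setup, in order
  return {{"", "*"}, {"hal-9000", "space-odyssey"}, {"hal-9000", ""}, {"glados", "portal"},
          {"glados", ""}, {"skynet", "terminator"}, {"skynet", ""}};
}
GetAgents sampleResponse() {  // constructed: one registered, one recovered agent
  return {{{"agent-1", {{"cpus", "space-odyssey"}, {"cpus", "portal"},
                        {"cpus", "terminator"}, {"cpus", "*"}}}},
          {{"agent-2", {{"cpus", "portal"}, {"cpus", "*"}}}}};
}
int main() {  // exit 0 when hal-9000 sees only "*" on the recovered agent
  GetAgents out = filterGetAgents(sampleAcls(), true, "hal-9000", sampleResponse());
  return out.recovered_agents[0].resources.size() == 1 ? 0 : 1;
}
```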

