mesos-reviews mailing list archives

From Greg Mann <g...@mesosphere.io>
Subject Re: Review Request 61171: Enabled filtering of the 'GET_AGENTS' v1 API call.
Date Wed, 02 Aug 2017 04:46:11 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61171/#review181926
-----------------------------------------------------------




src/common/http.hpp
Lines 274-275 (patched)
<https://reviews.apache.org/r/61171/#comment257744>

    Maybe:
    
    "Authorizes resources using the provided acceptor. Accepts resources in both the pre- and post-reservation-refinement formats."



src/common/http.cpp
Lines 984 (patched)
<https://reviews.apache.org/r/61171/#comment257745>

    Are you sure that this will hold for all recovered agents? What about an agent with statically-reserved resources?



src/common/http.cpp
Lines 985 (patched)
<https://reviews.apache.org/r/61171/#comment257748>

    What about recovered agents which have provided dynamically-reserved resources upon reregistration? Would they have resources with the `reservation` and `role` fields set?



src/master/http.cpp
Line 811 (original), 818 (patched)
<https://reviews.apache.org/r/61171/#comment257749>

    Not indented enough.



src/master/http.cpp
Lines 2529 (patched)
<https://reviews.apache.org/r/61171/#comment257751>

    Not indented enough.



src/tests/api_tests.cpp
Lines 1701-1702 (patched)
<https://reviews.apache.org/r/61171/#comment257767>

    s/assigned to/which are unreserved or reserved for/



src/tests/api_tests.cpp
Lines 1727 (patched)
<https://reviews.apache.org/r/61171/#comment257766>

    Hmmm I'm a bit confused by this expectation. The default credential should also be able to view unreserved resources, and I thought that we expect the unreserved `SlaveInfo.resources` to have `role == "*"`?



src/tests/api_tests.cpp
Lines 1739-1760 (patched)
<https://reviews.apache.org/r/61171/#comment257768>

    This code still doesn't assert that the resources reserved for 'superhero' role _do_ in fact appear in the response, does it?
    
    i.e., if this response contained no role information at all (like the response for principal 2), these expectations would still pass, right?


- Greg Mann


On Aug. 1, 2017, 2:24 p.m., Alexander Rojas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/61171/
> -----------------------------------------------------------
> 
> (Updated Aug. 1, 2017, 2:24 p.m.)
> 
> 
> Review request for mesos, Adam B, Greg Mann, Quinn Leng, and Till Toenshoff.
> 
> 
> Bugs: MESOS-7416
>     https://issues.apache.org/jira/browse/MESOS-7416
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Enables filtering of the results of calls to the 'GET_AGENTS' v1
> API. It filters the contents of different resources entries based
> on the 'VIEW_ROLE' permissions of the principal doing the request
> based on resource roles, allocation roles and reservations.
> 
> 
> Diffs
> -----
> 
>   src/common/http.hpp ba8dda18a02f51d1a28e719f06ee4b51573dfbec 
>   src/common/http.cpp dfd5f335e8a3745d047d4f9f5e8c821b2c22da5a 
>   src/common/protobuf_utils.hpp 80d2edd452f3ffa38c40f9a21f8489799065c401 
>   src/common/protobuf_utils.cpp 49d3a229925f4aa107e3e5f762936c16318aeadb 
>   src/master/http.cpp 9df086c417a9392f62d600c7a6486be0a1cf7e70 
>   src/master/master.hpp 84465af782d4024f22463d981ef9d0ef7827d043 
>   src/tests/api_tests.cpp 1d5b080c809248bdf4c76ddad382d714692c804b 
> 
> 
> Diff: https://reviews.apache.org/r/61171/diff/5/
> 
> 
> Testing
> -------
> 
> ```shell
> make check
> ```
> 
> Manual test:
> 
> ```shell
> mkdir -p /tmp/mesos/master
> mkdir -p /tmp/mesos/agent
> 
> # Create credentials
> cat <<EOF > /tmp/mesos/credentials.txt
> hal-9000 dave
> glados potato
> skynet connor
> EOF
> 
> # Create ACLs
> cat <<EOF > /tmp/mesos/acls.json
> {
>   "permissive": true,
>   "view_roles" : [
>    {
>      "principals" : { "type" : "ANY" },
>      "roles" : { "values" : ["*"] }
>    },
>    {
>      "principals" : { "values" : ["hal-9000"] },
>      "roles" : { "values" : ["space-odyssey"] }
>    },
>    {
>      "principals" : { "values" : ["hal-9000"] },
>      "roles" : { "type" : "NONE" }
>    },
>    {
>      "principals" : { "values" : ["glados"] },
>      "roles" : { "values" : ["portal"] }
>    },
>    {
>      "principals" : { "values" : ["glados"] },
>      "roles" : { "type" : "NONE" }
>    },
>    {
>      "principals" : { "values" : ["skynet"] },
>      "roles" : { "values" : ["terminator"] }
>    },
>    {
>      "principals" : { "values" : ["skynet"] },
>      "roles" : { "type" : "NONE" }
>    }
>   ]
> }
> EOF
> 
> # Launch Master with some predefined roles.
> ./bin/mesos-master.sh \
>     --work_dir=/tmp/mesos/master \
>     --log_dir=/tmp/mesos/master/log \
>     --authenticate_http \
>     --credentials=/tmp/mesos/credentials.txt \
>     --authenticate_http_frameworks \
>     --http_framework_authenticators=basic \
>     --http_authenticators=basic \
>     --authenticate_http_readonly \
>     --acls=/tmp/mesos/acls.json \
>     --roles="space-odyssey,portal,terminator" &
>     
> # Launch Agent with static reservations for all roles.
> sudo ./bin/mesos-agent.sh \
>     --master=127.0.0.1:5050 \
>     --work_dir=/tmp/mesos/agent \
>     --authenticate_http_readwrite \
>     --http_authenticators=basic \
>     --http_credentials=/tmp/mesos/credentials.txt \
>     --acls=/tmp/mesos/acls.json \
>     --resources='cpus(space-odyssey):2;cpus(portal):2;cpus(*):4;mem(space-odyssey):250;mem(portal):250;mem(*):10360;ports(space-odyssey):[31000-32000];ports(portal):[32001-33000];ports(*):[33001-35000];disk(space-odyssey):250;disk(portal):250;disk(*):1000' &
>     
> # Launch test framework.
> ./src/mesos-execute \
>     --master=127.0.0.1:5050 \
>     --command='while true; do echo "Hello World"; sleep 5; done;' \
>     --resources="cpus:1;mem:128;disk:32;ports:[31002-31003]" \
>     --role=space-odyssey \
>     --name=hello-discovery \
>     --principal=hal-9000 \
>     --secret=dave &
>     
> # Create a dynamic reservation.    
> cat > /tmp/resources.json <<EOM
> [
>   {
>     "name": "cpus",
>     "type": "SCALAR",
>     "scalar": { "value": 2 },
>     "role": "terminator",
>     "reservation": {
>       "principal": "skynet"
>     }
>   },
>   {
>     "name": "mem",
>     "type": "SCALAR",
>     "scalar": { "value": 250 },
>     "role": "terminator",
>     "reservation": {
>       "principal": "skynet"
>     }
>   },
>   {
>     "name": "disk",
>     "type": "SCALAR",
>     "scalar": { "value": 250 },
>     "role": "terminator",
>     "reservation": {
>       "principal": "skynet"
>     }
>   },
>   {
>     "name": "ports",
>     "type": "RANGES",
>     "ranges": {
>       "range": [
>         { 
>           "begin": 33001,
>           "end": 34000
>         }
>       ]
>     },
>     "role": "terminator",
>     "reservation": {
>       "principal": "skynet"
>     }
>   }
> ]
> EOM
> 
> http \
>     -a skynet:connor \
>     -f POST \
>     127.0.0.1:5050/master/reserve \
>     slaveId=${SLAVE_ID} \
>     resources=@/tmp/resources.json
>     
>     
> # Create some quota.
> cat > /tmp/quota.json <<EOM
> {
>   "role": "portal",
>   "guarantee": [
>     {
>       "name": "cpus",
>       "type": "SCALAR",
>       "scalar": { "value": 2 }
>     },
>     {
>       "name": "mem",
>       "type": "SCALAR",
>       "scalar": { "value": 250 }
>     },
>     {
>       "name": "disk",
>       "type": "SCALAR",
>       "scalar": { "value": 250 }
>     }
>   ]
> }
> EOM
> 
> http \
>     -a glados:potato \
>     POST \
>     127.0.0.1:5050/master/quota \
>     @/tmp/quota.json
>     
>     
> # Query the master with all users and check
> # that only the information of his role is
> # available.
> http -a glados:potato -v -j -f POST 127.0.0.1:5050/api/v1 type=GET_AGENTS
> 
> http -a skynet:connor -v -j -f POST 127.0.0.1:5050/api/v1 type=GET_AGENTS
> 
> http -a hal-9000:dave -v -j -f POST 127.0.0.1:5050/api/v1 type=GET_AGENTS
> ```
> 
> 
> Thanks,
> 
> Alexander Rojas
> 
>
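
Added example, not part of the original thread or of the Mesos code base: a simplified model of the last review comment, showing why a test of role-based filtering needs a positive expectation as well as a negative one. The `Resource` struct, the function names and the sample data are hypothetical; the set of roles viewable by `hal-9000` is an assumption read off the ACL file in the manual test.

```cpp
// Added example, not Mesos code: a simplified model of role-filtered responses.
#include <algorithm>
#include <iterator>
#include <set>
#include <string>
#include <vector>

using Roles = std::set<std::string>;
struct Resource { std::string name; std::string role; };  // role "*" = unreserved
using Resources = std::vector<Resource>;

// Constructed sample: one agent's cpus, mirroring the roles in the manual test.
Resources sampleAgent() {
  return {{"cpus", "space-odyssey"}, {"cpus", "portal"},
          {"cpus", "*"}, {"cpus", "terminator"}};
}

// Hypothetical filter: keep only resources whose role the principal may view.
Resources filterByViewableRoles(const Resources& all, const Roles& viewable) {
  Resources out;
  std::copy_if(all.begin(), all.end(), std::back_inserter(out),
               [&](const Resource& r) { return viewable.count(r.role) > 0; });
  return out;
}

// Negative-only expectation: nothing outside the viewable roles leaked.
// Vacuously true for an empty response.
bool noForbiddenRoles(const Resources& response, const Roles& viewable) {
  return std::all_of(response.begin(), response.end(),
                     [&](const Resource& r) { return viewable.count(r.role) > 0; });
}

// Two-sided expectation: no leak, and every expected role is actually present.
bool exactlyExpectedRoles(const Resources& response, const Roles& expected) {
  Roles seen;
  for (const Resource& r : response) seen.insert(r.role);
  return seen == expected;
}

int main() {
  const Roles hal = {"*", "space-odyssey"};  // assumed from the ACL file above
  const Resources filtered = filterByViewableRoles(sampleAgent(), hal);
  const Resources stripped;  // a response with no role information at all
  bool ok = exactlyExpectedRoles(filtered, hal) &&
            noForbiddenRoles(stripped, hal) &&      // weak check still passes
            !exactlyExpectedRoles(stripped, hal);   // strong check catches it
  return ok ? 0 : 1;
}
```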

