Created
December 18, 2015 21:50
diff --git a/src/master/http.cpp b/src/master/http.cpp | |
index 6eea545..4cc11e4 100644 | |
--- a/src/master/http.cpp | |
+++ b/src/master/http.cpp | |
@@ -997,14 +997,6 @@ Future<Response> Master::Http::reserve(const Request& request) const | |
"Error in parsing 'resources' query parameter: " + resource.error()); | |
} | |
- // Check that the role is on the role whitelist, if it exists. | |
- if (resource.get().has_role()) { | |
- const string& role = resource.get().role(); | |
- if (!master->isWhitelistedRole(role)) { | |
- return BadRequest("Unknown role: '" + role + "'"); | |
- } | |
- } | |
- | |
resources += resource.get(); | |
} | |
@@ -1017,7 +1009,7 @@ Future<Response> Master::Http::reserve(const Request& request) const | |
credential.isSome() ? credential.get().principal() : Option<string>::none(); | |
Option<Error> error = validation::operation::validate( | |
- operation.reserve(), None(), principal); | |
+ operation.reserve(), None(), principal, master); | |
if (error.isSome()) { | |
return BadRequest("Invalid RESERVE operation: " + error.get().message); | |
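Review bot: With the handler's own whitelist check removed in the previous hunk, the role gate for this endpoint rests entirely on this `validate(...)` call, and the two checks are not equivalent. The removed code consulted the whitelist only when `resource.get().has_role()` was true, whereas the check added in validation.cpp calls `resource.role()` unconditionally, so a resource submitted without an explicit role is now compared against the whitelist using whatever the field's default value is. The client-visible error also changes from `Unknown role: '...'` to `Invalid RESERVE operation: The reserved resource's role '...' is unknown`. I would add one test for a reserve request that omits the role and one that names a non-whitelisted role, so the moved check is pinned on the HTTP path. The body of reserve() starts and ends outside this hunk.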
diff --git a/src/master/master.cpp b/src/master/master.cpp | |
index 1243ad9..0cb385b 100644 | |
--- a/src/master/master.cpp | |
+++ b/src/master/master.cpp | |
@@ -3250,7 +3250,7 @@ void Master::_accept( | |
// Make sure this reserve operation is valid. | |
Option<Error> error = validation::operation::validate( | |
- operation.reserve(), framework->info.role(), principal); | |
+ operation.reserve(), framework->info.role(), principal, this); | |
if (error.isSome()) { | |
drop(framework, operation, error.get().message); | |
diff --git a/src/master/master.hpp b/src/master/master.hpp | |
index 55c8e76..050a633 100644 | |
--- a/src/master/master.hpp | |
+++ b/src/master/master.hpp | |
@@ -544,6 +544,15 @@ public: | |
return info_; | |
} | |
+ /** | |
+ * Returns whether the given role is on the whitelist. | |
+ * | |
+ * When using explicit roles, this consults the configured (static) | |
+ * role whitelist. When using implicit roles, any role is allowed | |
+ * (and access control is done via ACLs). | |
+ */ | |
+ bool isWhitelistedRole(const std::string& name); | |
+ | |
protected: | |
virtual void initialize(); | |
virtual void finalize(); | |
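Review bot: Moving `isWhitelistedRole` into the public section exposes an access-control predicate to every holder of a `Master*`, yet the declaration stays non-const even though the new caller in validation.cpp only queries it. If the definition (not visible here) does not mutate the master, declare it as `bool isWhitelistedRole(const std::string& name) const;` so validation code can take a `const Master*`. The doc comment should also say who is expected to call it now, for example `Also called from operation validation; presumably must run in the master actor's context` — please confirm that constraint before writing it down.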
@@ -919,15 +928,6 @@ private: | |
} | |
/** | |
- * Returns whether the given role is on the whitelist. | |
- * | |
- * When using explicit roles, this consults the configured (static) | |
- * role whitelist. When using implicit roles, any role is allowed | |
- * (and access control is done via ACLs). | |
- */ | |
- bool isWhitelistedRole(const std::string& name); | |
- | |
- /** | |
* Inner class used to namespace the handling of quota requests. | |
* | |
* It operates inside the Master actor. It is responsible for validating | |
diff --git a/src/master/validation.cpp b/src/master/validation.cpp | |
index 6a43bce..60c685d 100644 | |
--- a/src/master/validation.cpp | |
+++ b/src/master/validation.cpp | |
@@ -670,7 +670,8 @@ namespace operation { | |
Option<Error> validate( | |
const Offer::Operation::Reserve& reserve, | |
const Option<string>& role, | |
- const Option<string>& principal) | |
+ const Option<string>& principal, | |
+ Master* master) | |
{ | |
Option<Error> error = resource::validate(reserve.resources()); | |
if (error.isSome()) { | |
@@ -693,6 +694,11 @@ Option<Error> validate( | |
"' does not match the framework's role '" + role.get() + "'"); | |
} | |
+ if (!master->isWhitelistedRole(resource.role())) { | |
+ return Error( | |
+ "The reserved resource's role '" + resource.role() + "' is unknown"); | |
+ } | |
+ | |
if (resource.reservation().principal() != principal.get()) { | |
return Error( | |
"The reserved resource's principal '" + | |
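Review bot: `master->isWhitelistedRole(...)` dereferences the new `Master* master` parameter with no null check, so a caller that passes a null pointer (a unit test invoking `validate` directly, for instance) crashes inside the validation path instead of receiving an `Error`. Either take the master by reference, or guard before the first use with `if (master == nullptr) { return Error("A master is required to validate the role"); }`. The two call sites visible in this diff pass `master` and `this`, so the risk is in callers not shown here. The function starts in the previous hunk and continues past the end of this one.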
diff --git a/src/master/validation.hpp b/src/master/validation.hpp | |
index 380b402..8870221 100644 | |
--- a/src/master/validation.hpp | |
+++ b/src/master/validation.hpp | |
@@ -106,7 +106,8 @@ namespace operation { | |
Option<Error> validate( | |
const Offer::Operation::Reserve& reserve, | |
const Option<std::string>& role, | |
- const Option<std::string>& principal); | |
+ const Option<std::string>& principal, | |
+ Master* master); | |
// Validates the UNRESERVE operation. |
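Review bot: The declaration gains a `Master* master` parameter with nothing saying what it is for or whether it may be null. I would add a comment above `validate` along the lines of `// 'master' must be non-null; it is consulted to check the resource's role against the role whitelist.` (in the visible hunks that is its only use). The hunk also adds no include or forward declaration for `Master`; if this header does not already have one outside the visible lines, it needs `class Master;` in the enclosing namespace.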