
@neilconway
Created December 18, 2015 21:50
diff --git a/src/master/http.cpp b/src/master/http.cpp
index 6eea545..4cc11e4 100644
--- a/src/master/http.cpp
+++ b/src/master/http.cpp
@@ -997,14 +997,6 @@ Future<Response> Master::Http::reserve(const Request& request) const
"Error in parsing 'resources' query parameter: " + resource.error());
}
- // Check that the role is on the role whitelist, if it exists.
- if (resource.get().has_role()) {
- const string& role = resource.get().role();
- if (!master->isWhitelistedRole(role)) {
- return BadRequest("Unknown role: '" + role + "'");
- }
- }
-
resources += resource.get();
}
@@ -1017,7 +1009,7 @@ Future<Response> Master::Http::reserve(const Request& request) const
credential.isSome() ? credential.get().principal() : Option<string>::none();
Option<Error> error = validation::operation::validate(
- operation.reserve(), None(), principal);
+ operation.reserve(), None(), principal, master);
if (error.isSome()) {
return BadRequest("Invalid RESERVE operation: " + error.get().message);
diff --git a/src/master/master.cpp b/src/master/master.cpp
index 1243ad9..0cb385b 100644
--- a/src/master/master.cpp
+++ b/src/master/master.cpp
@@ -3250,7 +3250,7 @@ void Master::_accept(
// Make sure this reserve operation is valid.
Option<Error> error = validation::operation::validate(
- operation.reserve(), framework->info.role(), principal);
+ operation.reserve(), framework->info.role(), principal, this);
if (error.isSome()) {
drop(framework, operation, error.get().message);
diff --git a/src/master/master.hpp b/src/master/master.hpp
index 55c8e76..050a633 100644
--- a/src/master/master.hpp
+++ b/src/master/master.hpp
@@ -544,6 +544,15 @@ public:
return info_;
}
+ /**
+ * Returns whether the given role is on the whitelist.
+ *
+ * When using explicit roles, this consults the configured (static)
+ * role whitelist. When using implicit roles, any role is allowed
+ * (and access control is done via ACLs).
+ */
+ bool isWhitelistedRole(const std::string& name);
+
protected:
virtual void initialize();
virtual void finalize();
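Review bot: `isWhitelistedRole` becomes public here but stays non-const, which is why the validation code has to take a mutable `Master*` just to ask a read-only question. If the definition (outside this diff) does not modify master state, declaring it `bool isWhitelistedRole(const std::string& name) const;` would let callers hold a `const Master*` and keep the newly exposed surface read-only. The doc comment could also state that the method is now used by RESERVE validation on both the HTTP and the framework path, so that later changes to it are made with both callers in mind.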
@@ -919,15 +928,6 @@ private:
}
/**
- * Returns whether the given role is on the whitelist.
- *
- * When using explicit roles, this consults the configured (static)
- * role whitelist. When using implicit roles, any role is allowed
- * (and access control is done via ACLs).
- */
- bool isWhitelistedRole(const std::string& name);
-
- /**
* Inner class used to namespace the handling of quota requests.
*
* It operates inside the Master actor. It is responsible for validating
diff --git a/src/master/validation.cpp b/src/master/validation.cpp
index 6a43bce..60c685d 100644
--- a/src/master/validation.cpp
+++ b/src/master/validation.cpp
@@ -670,7 +670,8 @@ namespace operation {
Option<Error> validate(
const Offer::Operation::Reserve& reserve,
const Option<string>& role,
- const Option<string>& principal)
+ const Option<string>& principal,
+ Master* master)
{
Option<Error> error = resource::validate(reserve.resources());
if (error.isSome()) {
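Review bot: The new `Master* master` parameter is a raw pointer that the later hunk in this file dereferences at `master->isWhitelistedRole(...)` with no null check, so a caller passing a null pointer would crash the process instead of failing validation. Both call sites in this commit appear to pass a live object (`master` in http.cpp, `this` in master.cpp), but nothing in the signature states that requirement. Either assert it at the top of the function, e.g. `CHECK_NOTNULL(master);` if glog is available in this file, or document it on the declaration in validation.hpp with a comment such as `// 'master' must be non-null; it is used only to check the role whitelist.` The body of `validate` continues outside this hunk.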
@@ -693,6 +694,11 @@ Option<Error> validate(
"' does not match the framework's role '" + role.get() + "'");
}
+ if (!master->isWhitelistedRole(resource.role())) {
+ return Error(
+ "The reserved resource's role '" + resource.role() + "' is unknown");
+ }
+
if (resource.reservation().principal() != principal.get()) {
return Error(
"The reserved resource's principal '" +
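Review bot: The whitelist check added here calls `resource.role()` unconditionally, whereas the check removed from `Master::Http::reserve` ran only when `resource.get().has_role()` was true. For a resource with no explicit role, `role()` returns the field's default, and whether `isWhitelistedRole` accepts that value, or whether an earlier check in this loop already rejects such resources, is not visible in the hunk. If dropping the guard is intended, a comment above the check saying why would help, e.g. `// Unreserved resources are rejected above, so role() is explicitly set here.` (to be confirmed against the code above the hunk). The enclosing loop and function start and end outside this hunk.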
diff --git a/src/master/validation.hpp b/src/master/validation.hpp
index 380b402..8870221 100644
--- a/src/master/validation.hpp
+++ b/src/master/validation.hpp
@@ -106,7 +106,8 @@ namespace operation {
Option<Error> validate(
const Offer::Operation::Reserve& reserve,
const Option<std::string>& role,
- const Option<std::string>& principal);
+ const Option<std::string>& principal,
+ Master* master);
// Validates the UNRESERVE operation.