@POST @Path("/abort") @Operation( summary = "Abort the Mesos scheduler", responses = { @ApiResponse(responseCode = "403", description = "Test resource calls are currently not enabled, set `allowTestResourceCalls` to `true` in config yaml to enable") } ) public void abort() { checkForbidden(configuration.isAllowTestResourceCalls(), "Test resource calls are disabled (set isAllowTestResourceCalls to true in configuration)"); abort.abort(AbortReason.TEST_ABORT, Optional.<Throwable>absent()); }
public void checkAdminAuthorization(SingularityUser user) { if (authEnabled) { checkForbidden(user.isAuthenticated(), "Not Authenticated!"); if (!adminGroups.isEmpty()) { checkForbidden(groupsIntersect(user.getGroups(), adminGroups), "%s must be part of one or more admin groups: %s", user.getId(), JavaUtils.COMMA_JOINER.join(adminGroups)); } } }
@POST @Path("/stop") @Operation( summary = "Stop the Mesos scheduler subscriber", responses = { @ApiResponse(responseCode = "403", description = "Test resource calls are currently not enabled, set `allowTestResourceCalls` to `true` in config yaml to enable") } ) public void stop() throws Exception { checkForbidden(configuration.isAllowTestResourceCalls(), "Test resource calls are disabled (set isAllowTestResourceCalls to true in configuration)"); managed.stop(); }
@POST @Path("/notleader") @Operation( summary = "Make this instanceo of Singularity believe it's lost leadership", responses = { @ApiResponse(responseCode = "403", description = "Test resource calls are currently not enabled, set `allowTestResourceCalls` to `true` in config yaml to enable") } ) public void setNotLeader() { checkForbidden(configuration.isAllowTestResourceCalls(), "Test resource calls are disabled (set isAllowTestResourceCalls to true in configuration)"); managed.notLeader(); }
@POST @Path("/purge-history") @Operation( summary = "Run a history purge", responses = { @ApiResponse(responseCode = "403", description = "Test resource calls are currently not enabled, set `allowTestResourceCalls` to `true` in config yaml to enable") } ) public void runHistoryPurge() throws Exception { checkForbidden(configuration.isAllowTestResourceCalls(), "Test resource calls are disabled (set isAllowTestResourceCalls to true in configuration)"); historyPurger.runActionOnPoll(); } }
@POST @Path("/leader") @Operation( summary = "Make this instance of Singularity believe it's elected leader", responses = { @ApiResponse(responseCode = "403", description = "Test resource calls are currently not enabled, set `allowTestResourceCalls` to `true` in config yaml to enable") } ) public void setLeader() { checkForbidden(configuration.isAllowTestResourceCalls(), "Test resource calls are disabled (set isAllowTestResourceCalls to true in configuration)"); managed.isLeader(); }
@POST @Path("/start") @Operation( summary = "Start the Mesos scheduler driver", responses = { @ApiResponse(responseCode = "403", description = "Test resource calls are currently not enabled, set `allowTestResourceCalls` to `true` in config yaml to enable") } ) public void start() throws Exception { checkForbidden(configuration.isAllowTestResourceCalls(), "Test resource calls are disabled (set isAllowTestResourceCalls to true in configuration)"); managed.start(); }
@POST @Path("/reconcile") @Operation( summary = "Start task reconciliation", responses = { @ApiResponse(responseCode = "403", description = "Test resource calls are currently not enabled, set `allowTestResourceCalls` to `true` in config yaml to enable") } ) public void startTaskReconciliation() throws Exception { checkForbidden(configuration.isAllowTestResourceCalls(), "Test resource calls are disabled (set isAllowTestResourceCalls to true in configuration)"); taskReconciliation.startReconciliation(); }
public void checkForAuthorization(SingularityRequest request, SingularityUser user, SingularityAuthorizationScope scope) { if (!authEnabled) { return; } checkForbidden(user.isAuthenticated(), "Not authenticated!"); final Set<String> readWriteGroups = Sets.union(request.getGroup().asSet(), request.getReadWriteGroups().or(Collections.emptySet())); final Set<String> readOnlyGroups = request.getReadOnlyGroups().or(defaultReadOnlyGroups); checkForAuthorization(user, readWriteGroups, readOnlyGroups, scope, Optional.of(request.getId())); }
public void checkForAuthorization(SingularityUser user, Set<String> readWriteGroups, Set<String> readOnlyGroups, SingularityAuthorizationScope scope, Optional<String> requestId) { final Set<String> userGroups = user.getGroups(); final boolean userIsAdmin = !adminGroups.isEmpty() && groupsIntersect(userGroups, adminGroups); final boolean userIsJITA = !jitaGroups.isEmpty() && groupsIntersect(userGroups, jitaGroups); final boolean userIsReadWriteUser = readWriteGroups.isEmpty() || groupsIntersect(userGroups, readWriteGroups); final boolean userIsReadOnlyUser = groupsIntersect(userGroups, readOnlyGroups) || (!globalReadOnlyGroups.isEmpty() && groupsIntersect(userGroups, globalReadOnlyGroups)); final boolean userIsPartOfRequiredGroups = requiredGroups.isEmpty() || groupsIntersect(userGroups, requiredGroups); if (userIsAdmin) { return; // Admins Rule Everything Around Me } checkForbidden(userIsPartOfRequiredGroups, "%s must be a member of one or more required groups: %s", user.getId(), JavaUtils.COMMA_JOINER.join(requiredGroups)); if (scope == SingularityAuthorizationScope.READ) { checkForbidden(userIsReadOnlyUser || userIsReadWriteUser || userIsJITA, "%s must be a member of one or more groups to %s %s: %s", user.getId(), scope.name(), requestId, JavaUtils.COMMA_JOINER.join(Iterables.concat(readOnlyGroups, readWriteGroups, jitaGroups))); } else if (scope == SingularityAuthorizationScope.WRITE) { checkForbidden(userIsReadWriteUser || userIsJITA, "%s must be a member of one or more groups to %s %s: %s", user.getId(), scope.name(), requestId, JavaUtils.COMMA_JOINER.join(Iterables.concat(readWriteGroups, jitaGroups))); } else if (scope == SingularityAuthorizationScope.ADMIN) { checkForbidden(userIsAdmin, "%s must be a member of one or more groups to %s %s: %s", user.getId(), scope.name(), requestId, JavaUtils.COMMA_JOINER.join(adminGroups)); } }
public void checkUserInRequiredGroups(SingularityUser user) { if (authEnabled) { final Set<String> userGroups = user.getGroups(); final boolean userIsAdmin = !adminGroups.isEmpty() && groupsIntersect(userGroups, adminGroups); final boolean userIsPartOfRequiredGroups = requiredGroups.isEmpty() || groupsIntersect(userGroups, requiredGroups); if (!userIsAdmin) { checkForbidden( userIsPartOfRequiredGroups, "%s must be part of one or more read only or jita groups: %s,%s", user.getId(), JavaUtils.COMMA_JOINER.join(requiredGroups)); } } }
@POST @Path("/scheduler/statusUpdate/{taskId}/{taskState}") @Operation( summary = "Force an update for a specific task", responses = { @ApiResponse(responseCode = "403", description = "Test resource calls are currently not enabled, set `allowTestResourceCalls` to `true` in config yaml to enable") } ) public void statusUpdate(@PathParam("taskId") String taskId, @PathParam("taskState") String taskState) { checkForbidden(configuration.isAllowTestResourceCalls(), "Test resource calls are disabled (set isAllowTestResourceCalls to true in configuration)"); scheduler.statusUpdate(TaskStatus.newBuilder() .setTaskId(TaskID.newBuilder().setValue(taskId)) .setState(TaskState.valueOf(taskState)) .build()).join(); }
public void checkForAuthorizationByTaskId(String taskId, SingularityUser user, SingularityAuthorizationScope scope) { if (authEnabled) { checkForbidden(user.isAuthenticated(), "Not Authenticated!"); try { final SingularityTaskId taskIdObj = SingularityTaskId.valueOf(taskId); final Optional<SingularityRequestWithState> maybeRequest = requestManager.getRequest(taskIdObj.getRequestId()); if (maybeRequest.isPresent()) { checkForAuthorization(maybeRequest.get().getRequest(), user, scope); } } catch (InvalidSingularityTaskIdException e) { badRequest(e.getMessage()); } } }
public void checkReadAuthorization(SingularityUser user) { if (authEnabled) { checkForbidden(user.isAuthenticated(), "Not Authenticated!"); if (!adminGroups.isEmpty()) { final Set<String> userGroups = user.getGroups(); final boolean userIsAdmin = !adminGroups.isEmpty() && groupsIntersect(userGroups, adminGroups); final boolean userIsJITA = !jitaGroups.isEmpty() && groupsIntersect(userGroups, jitaGroups); final boolean userIsReadOnlyUser = !globalReadOnlyGroups.isEmpty() && groupsIntersect(userGroups, globalReadOnlyGroups); final boolean userIsPartOfRequiredGroups = requiredGroups.isEmpty() || groupsIntersect(userGroups, requiredGroups); if (!userIsAdmin) { checkForbidden( (userIsJITA || userIsReadOnlyUser) && userIsPartOfRequiredGroups, "%s must be part of one or more read only or jita groups: %s,%s", user.getId(), JavaUtils.COMMA_JOINER.join(jitaGroups), JavaUtils.COMMA_JOINER.join(globalReadOnlyGroups)); } } } }
public void checkForAuthorizedChanges(SingularityRequest request, SingularityRequest oldRequest, SingularityUser user) { if (!authEnabled) { return; } checkForbidden(user.isAuthenticated(), "Not Authenticated!"); if (!oldRequest.getReadWriteGroups().equals(request.getReadWriteGroups()) || !oldRequest.getGroup().equals(request.getGroup())) { // If group or readWriteGroups are changing, a user must be authorized for both the old and new request groups checkForAuthorization(oldRequest, user, SingularityAuthorizationScope.WRITE); checkForAuthorization(request, user, SingularityAuthorizationScope.WRITE); } }
public void checkAdminAuthorization(SingularityUser user) { if (authEnabled) { checkForbidden(user.isAuthenticated(), "Not Authenticated!"); if (!adminGroups.isEmpty()) { checkForbidden(groupsIntersect(user.getGroups(), adminGroups), "%s must be part of one or more admin groups: %s", user.getId(), JavaUtils.COMMA_JOINER.join(adminGroups)); } } }
@POST @Path("/stop") @Operation( summary = "Stop the Mesos scheduler subscriber", responses = { @ApiResponse(responseCode = "403", description = "Test resource calls are currently not enabled, set `allowTestResourceCalls` to `true` in config yaml to enable") } ) public void stop() throws Exception { checkForbidden(configuration.isAllowTestResourceCalls(), "Test resource calls are disabled (set isAllowTestResourceCalls to true in configuration)"); managed.stop(); }
@POST @Path("/reconcile") @Operation( summary = "Start task reconciliation", responses = { @ApiResponse(responseCode = "403", description = "Test resource calls are currently not enabled, set `allowTestResourceCalls` to `true` in config yaml to enable") } ) public void startTaskReconciliation() throws Exception { checkForbidden(configuration.isAllowTestResourceCalls(), "Test resource calls are disabled (set isAllowTestResourceCalls to true in configuration)"); taskReconciliation.startReconciliation(); }
@POST @Path("/notleader") @Operation( summary = "Make this instanceo of Singularity believe it's lost leadership", responses = { @ApiResponse(responseCode = "403", description = "Test resource calls are currently not enabled, set `allowTestResourceCalls` to `true` in config yaml to enable") } ) public void setNotLeader() { checkForbidden(configuration.isAllowTestResourceCalls(), "Test resource calls are disabled (set isAllowTestResourceCalls to true in configuration)"); managed.notLeader(); }
public void checkForAuthorization(SingularityRequest request, SingularityUser user, SingularityAuthorizationScope scope) { if (!authEnabled) { return; } checkForbidden(user.isAuthenticated(), "Not authenticated!"); final Set<String> readWriteGroups = Sets.union(request.getGroup().asSet(), request.getReadWriteGroups().or(Collections.emptySet())); final Set<String> readOnlyGroups = request.getReadOnlyGroups().or(defaultReadOnlyGroups); checkForAuthorization(user, readWriteGroups, readOnlyGroups, scope, Optional.of(request.getId())); }