[
https://issues.apache.org/jira/browse/MESOS-418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13806477#comment-13806477
]
David WEI commented on MESOS-418:
---------------------------------
Hi, my name is David. I'd like to do something for this open source project.
I am an experienced software engineer working on network security in the Bay Area.
Here is my draft of general use cases. The main idea is to add into Mesos a
cyrus-sasl client which will send the authentication info to a security server
to get verification.
Your comments or updates are welcome.
General use cases/test cases
1, Mesos users (framework applications) or slaves register (i.e. name and
password) to the security server. This may be integrated into central security
management which is outside of Mesos. In the unit tests, we may use an open source
SASL server, such as cyrus-sasl2 in Ubuntu.
2, When the Mesos Master gets a framework application or slave register (resource
allocation) request, based on the security setting of Mesos, there are the following
cases:
1) Anonymous allowed and no authentication info in the request. This is
compatible with current implementation.
2) Authentication support. Extract authentication info from the request, and
send it to the configured security server by the Cyrus SASL interface. If
authentication succeeds, then continue to do the framework or slave register,
else reject the register request.
Note: Considering the performance impact introduced by the delay of this
authentication request and response communication, one option is to keep a
local authenticated user table in the Master node. It works as a cache. For
each authentication, the local table will be looked up first; if not found,
then communicate with the security server. After successful authentication,
the user authid and a timestamp are inserted into the local table. Then within
a configured period (i.e. 24 hours), the following register requests from this
user will get permission from the local table.
For Master failure recovery, the local table will be re-built from the
received re-register requests.
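The local authenticated-user table described in the note above, written out as an added example that is not Mesos code or the commenter's code. It assumes a hypothetical `RemoteVerifier` callback standing in for the Cyrus SASL round trip to the security server, and takes the current time as a parameter so expiry can be exercised without a real clock.

```cpp
// Added example (not Mesos code): a local authenticated-user table with a
// configured TTL in front of a remote SASL check, as sketched in the comment.
#include <cstddef>
#include <cstdint>
#include <functional>
#include <string>
#include <unordered_map>
#include <utility>

// Stand-in for the Cyrus SASL round trip to the security server
// (hypothetical signature: returns true when the server accepts the credentials).
using RemoteVerifier = std::function<bool(const std::string& authid,
                                          const std::string& secret)>;

class AuthCache {
 public:
  AuthCache(RemoteVerifier verify, int64_t ttlSeconds)
      : verify_(std::move(verify)), ttl_(ttlSeconds) {}

  // Returns true if the register request may proceed. `now` is injected
  // (seconds since epoch) so expiry is testable without a real clock.
  bool authenticate(const std::string& authid, const std::string& secret,
                    int64_t now) {
    auto it = table_.find(authid);
    if (it != table_.end()) {
      if (now - it->second < ttl_) {
        return true;  // fresh cache hit: no round trip to the security server
      }
      table_.erase(it);  // expired entry: fall through to a full check
    }
    if (!verify_(authid, secret)) {
      return false;  // reject; nothing is cached on failure
    }
    table_[authid] = now;  // remember authid and the time it was verified
    return true;
  }

  // Master failover: rebuild the table from re-register requests of
  // frameworks/slaves the previous Master had already admitted.
  void rebuildFromReregister(const std::string& authid, int64_t now) {
    table_[authid] = now;
  }

  std::size_t size() const { return table_.size(); }

 private:
  RemoteVerifier verify_;
  int64_t ttl_;
  std::unordered_map<std::string, int64_t> table_;  // authid -> timestamp
};
```

Because a cache hit grants the request without contacting the security server, the configured TTL also bounds how long a credential revoked at the server keeps working locally.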
> Add security and authentication support to Mesos (including integration with
> LDAP).
> -----------------------------------------------------------------------------------
>
> Key: MESOS-418
> URL: https://issues.apache.org/jira/browse/MESOS-418
> Project: Mesos
> Issue Type: Story
> Reporter: Vinod Kone
> Assignee: Ilim Ugur
> Labels: c++, cloud, gsoc, gsoc2013, mentor
>
> The basic idea behind the proposal, is to add authorization/authentication
> support to Mesos. For example, Mesos should only allow authenticated
> frameworks to register and submit jobs. The plan is to leverage Kerberos/LDAP
> to add this support. We are also open to suggestions on how we can add
> support for security and auth in Mesos.
> Knowledge Prerequisite: C++
--
This message was sent by Atlassian JIRA
(v6.1#6144)