[ https://issues.apache.org/jira/browse/MESOS-911?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13922742#comment-13922742 ]
Vinod Kone commented on MESOS-911:
----------------------------------
Based on the discussion in https://reviews.apache.org/r/18730/ this is what I
came up with. Let me know what you think.
message ACL {
  message GET_WWW {
    message Subject {
      enum Type {
        IP = 1;
        HOST = 2;
        ANYONE = 3;
        NONE = 4;
      }
      required Type type = 1;
      optional string id = 2; // Required for IP/HOST.
    }
    required Subject subject = 1;
    repeated string urls = 2;
  }
  message PUT_WWW {
    message Subject {
      enum Type {
        IP = 1;
        HOST = 2;
        ANYONE = 3;
        NONE = 4;
      }
      required Type type = 1;
      optional string id = 2; // Required for IP/HOST.
    }
    required Subject subject = 1;
    repeated string urls = 2;
  }
  message ALLOCATE_ROLE {
    message Subject {
      enum Type {
        PRINCIPAL = 1;
        ANYONE = 2;
        NONE = 3;
      }
      required Type type = 1;
      optional string id = 2; // Required for PRINCIPAL.
    }
    required Subject subject = 1;
    repeated string roles = 2;
  }
  message LAUNCH_USER {
    message Subject {
      enum Type {
        PRINCIPAL = 1;
        ANYONE = 2;
        NONE = 3;
      }
      required Type type = 1;
      optional string id = 2; // Required for PRINCIPAL.
    }
    required Subject subject = 1;
    repeated string users = 2;
  }
  repeated GET_WWW get_www = 1;
  repeated PUT_WWW put_www = 2;
  repeated ALLOCATE_ROLE allocate_role = 3;
  repeated LAUNCH_USER launch_user = 4;
}
I imagine we would have different overloads for Authorizer::authorize() as
follows:
  Authorizer::authorize(const ACL::GET_WWW& get_www);
  Authorizer::authorize(const ACL::PUT_WWW& put_www);
  Authorizer::authorize(const ACL::ALLOCATE_ROLE& allocate_role);
  Authorizer::authorize(const ACL::LAUNCH_USER& launch_user);
Any suggestions for naming are also welcome. I particularly don't like the
repeated fields at the bottom to have singular names. One option is:
  repeated GET_WWW gets = 1;
  repeated PUT_WWW puts = 2;
  repeated ALLOCATE_ROLE allocates = 3;
  repeated LAUNCH_USER launches = 4;
> Add pluggable authorization interface
> -------------------------------------
>
> Key: MESOS-911
> URL: https://issues.apache.org/jira/browse/MESOS-911
> Project: Mesos
> Issue Type: Story
> Components: general
> Reporter: Adam B
> Assignee: Vinod Kone
> Labels: security
>
> We are investigating authorizing principals to allow them access to only a
> specific set of operations like launching tasks or using resources. In fact,
> you could imagine a world where an authenticated principal will be authorized
> to act on behalf of a subset of users and roles for launching tasks and accepting
> resources respectively. This authorization information could be stored in a
> directory service like LDAP.
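
Added example (not part of the comment above and not Mesos code): one way a list of the proposed ALLOCATE_ROLE entries could be evaluated. The plain struct, the function name authorizeAllocateRole, the first-match/default-deny semantics and the sample principals and roles are all assumptions made for illustration; the comment itself does not define how entries are evaluated.

```cpp
#include <algorithm>
#include <string>
#include <vector>

// Hand-written mirror of the proposed ACL::ALLOCATE_ROLE message
// (hypothetical; not protobuf-generated code).
struct AllocateRole {
  enum Type { PRINCIPAL = 1, ANYONE = 2, NONE = 3 };
  Type type;
  std::string id;                  // Empty means "not set"; required for PRINCIPAL.
  std::vector<std::string> roles;
};

// Assumed semantics: entries are checked in order and only entries that list
// `role` are considered. ANYONE allows, NONE denies, and PRINCIPAL allows when
// its id equals `principal`, otherwise the decision is left to later entries.
bool authorizeAllocateRole(const std::vector<AllocateRole>& acls,
                           const std::string& principal,
                           const std::string& role) {
  for (const AllocateRole& acl : acls) {
    if (std::find(acl.roles.begin(), acl.roles.end(), role) == acl.roles.end()) {
      continue;  // This entry says nothing about the requested role.
    }
    switch (acl.type) {
      case AllocateRole::ANYONE:
        return true;
      case AllocateRole::NONE:
        return false;
      case AllocateRole::PRINCIPAL:
        if (acl.id.empty()) return false;      // Malformed entry: fail closed.
        if (acl.id == principal) return true;
        break;                                 // Different principal: keep looking.
    }
  }
  return false;  // No entry covered the request: default deny.
}

// Constructed sample policy: only "framework-a" may use "prod"; anyone may use "dev".
std::vector<AllocateRole> sampleAcls() {
  return {
    {AllocateRole::PRINCIPAL, "framework-a", {"prod"}},
    {AllocateRole::NONE, "", {"prod"}},
    {AllocateRole::ANYONE, "", {"dev", "prod"}},
  };
}
```

Under these assumed semantics the order of entries matters: the NONE entry for "prod" shadows the later ANYONE entry, so the catch-all cannot accidentally widen access to that role.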