On Tue, Sep 9, 2014 at 5:04 PM, Jay Buffington <[email protected]> wrote:
> Hi All,
>
> I've had a few conversations offline with mesos contributors regarding
> authorization and authentication. I'd like to solicit the larger
> community for comments.
>
> I want to create groups of people and allow those groups to only launch
> tasks as certain unix users. Commonly, this unix user is a service user
> which has a 1:1 relationship to a group.
>
> Mesos "users" are frameworks. Using the framework authorization features
> that were introduced in 0.20.0, frameworks can be authorized to run tasks
> as certain unix users. Mesos delegates the question of what people can
> launch a task as what service users to the framework.

I think with the present (0.20.0) implementation of this feature that's not
possible without running a framework per (*nix) user, which doesn't work well
(in the case of Aurora at least) since the scheduler needs to be able to
prioritize tasks across different users. But it's still a valuable feature in
that it lets you isolate frameworks from each other (no risk my Jenkins
framework will launch tasks as my ads user).

> I don't want to have to trust that two frameworks will enforce a consistent
> view of authorization. From a security standpoint this transitive trust
> significantly raises the auditing burden. What happens when one framework
> thinks jaybuff is in the ads group, but the other framework says he is not?

As the system exists today that's either a bug in one of the frameworks or a
general distributed computing problem (maybe one framework saw an LDAP update
adding or removing jaybuff to or from the ads group and the other hasn't yet).
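To make the point of the exchange above concrete (framework-level isolation is enforced by the master, but the person behind a task is invisible to it), here is a small Python model of the run_tasks ACL check. It is an added example, not Mesos's own authorizer code and not something either poster wrote: the JSON shape follows the --acls format the thread refers to (principals/users entities with "values", "ANY" or "NONE", plus a top-level "permissive" flag), but the first-match evaluation below is a simplified reconstruction that checks one principal against one unix user, and the "jenkins", "aurora", "ci" and "ads" names are constructed sample values.

```python
"""
Simplified model of a first-match run_tasks ACL decision, written as an
illustration of the thread above. Not Mesos code: the ACL JSON shape
mirrors the --acls format, but the matching rules are an assumption and
the principals and unix users are constructed sample values.
"""
import json

# Constructed sample ACL file (assumption: one principal per framework,
# the principal the framework authenticated with). The "jenkins" framework
# may only run tasks as "ci"; "aurora" may run as "ads" or "ci"; anyone
# else is caught by the trailing ANY -> NONE rule. "permissive": false
# makes the fallback for an unmatched principal a deny instead of allow.
SAMPLE_ACLS = json.loads("""
{
  "permissive": false,
  "run_tasks": [
    {"principals": {"values": ["jenkins"]}, "users": {"values": ["ci"]}},
    {"principals": {"values": ["aurora"]},  "users": {"values": ["ads", "ci"]}},
    {"principals": {"type": "ANY"},         "users": {"type": "NONE"}}
  ]
}
""")


def entity_matches(entity, value):
    """True if an ACL entity (type ANY, type NONE, or an explicit
    "values" list) covers the single value being checked."""
    kind = entity.get("type", "SOME")
    if kind == "ANY":
        return True
    if kind == "NONE":
        return False
    return value in entity.get("values", [])


def can_run_task_as(acls, principal, unix_user):
    """First-match evaluation: the first run_tasks ACL whose principals
    cover the framework principal decides, by whether its users entity
    covers the requested unix user. If no ACL names the principal, the
    top-level permissive flag (default True) is the answer.

    Note what is *not* an input here: the human who submitted the job.
    The master only sees the framework principal, which is exactly why
    the thread says per-person policy is delegated to the framework."""
    for acl in acls.get("run_tasks", []):
        if entity_matches(acl["principals"], principal):
            return entity_matches(acl["users"], unix_user)
    return acls.get("permissive", True)


def decision_table(acls, requests):
    """Evaluate a list of (principal, unix_user) pairs; handy for
    auditing an ACL file before deploying it to the master."""
    return {(p, u): can_run_task_as(acls, p, u) for p, u in requests}


if __name__ == "__main__":
    for (p, u), ok in decision_table(SAMPLE_ACLS, [
        ("jenkins", "ci"), ("jenkins", "ads"),
        ("aurora", "ads"), ("unknown", "ci"),
    ]).items():
        print(f"{p:>8} as {u:<4} -> {'allow' if ok else 'deny'}")
```

The isolation Bill describes shows up as the ("jenkins", "ads") row being denied while ("jenkins", "ci") is allowed; the limitation Jay raises is that no row can say anything about jaybuff, because the person is not part of the request the master evaluates. When reviewing a real ACL file, check the trailing catch-all and the permissive flag together: with permissive left at its default of true and no catch-all, a principal you forgot to list can run tasks as any user.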
