Hi everyone,
The current mesos::Authorizer API has one method for each of the actions
supported (Register Framework, Launch Task and Shutdown Framework), and each of
these actions define the objects on which they operate.
Currently, if the Authorizer needs to be extended by adding a new action, it is
necessary to modify the mesos::Authorizer interface and all its implementations
(currently only mesos::LocalAuthorizer), and add a new nested message to the
ACL
message in mesos.proto.
I want to propose a new version of the mesos::Authorizer interface which allows
implementations to offer any set of custom actions. It also hides implementation
details of how authorization is performed with the goal to allow for different
authorization backends.
The updated interface will look then like this:
class Authorizer {
public:
virtual ~Authorizer() {}
virtual process::Future<bool> authorize(
const Option<Principal>& principal,
const Action& action,
const Option<Object>& object) = 0;
protected:
Authorizer() {}
};
Where Principal, Action and Object are protocol buffer generated objects defined
as:
message Principal {
required string value = 1;
repeated Parameter attributes = 2;
}
message Action {
required string value = 1;
repeated Parameter attributes = 2;
}
message Object {
required string value = 1;
repeated Parameter attributes = 2;
}
The full text of the proposal can be found at
https://docs.google.com/document/d/1-XARWJFUq0r_TgRHz_472NvLZNjbqE4G8c2JL44OSMQ/edit
Note that Mesos users which defined ACLs through the --acls flags should not
notice any change in behavior after the change.
We’d love to get people’s feedback so we can move forward!
Thanks,
Alexander Rojas
