Honestly, I don't think those two features are in conflict, so I re-raise this on the dev@ list.
And regarding the n possibility/RoleManager plugin, there's also a use case that a customer would like to load security info from a 3rd-party application as role info, e.g. LDAP, and the framework cannot modify them; the cluster admin can modify weight & quota as a resource plan. How do implicit roles/dynamic roles handle such a case?

----
Da (Klaus), Ma (马达) | PMP® | Advisory Software Engineer
Platform Symphony/DCOS Development & Support, STG, IBM GCG
+86-10-8245 4084 | klaus1982...@gmail.com | http://k82.me

On Tue, Dec 1, 2015 at 2:57 PM, Neil Conway <neil.con...@gmail.com> wrote:

> Hi Klaus,
>
> Thanks for your feedback.
>
> On Mon, Nov 30, 2015 at 10:01 PM, Klaus Ma <klaus1982...@gmail.com> wrote:
> > @Neil, just want to confirm about ACL, do you mean we will load role info
> > from 3rd-party application, e.g. LDAP?
>
> I mean ACLs as in the authorization subsystem in Mesos:
> https://mesos.apache.org/documentation/latest/authorization/
>
> > And as I mentioned in both design docs, why not build a RoleManager as
> > plugin for them? Both features are required following operator:
> > 1. check: check whether role is available
> > 2. create: create role in Master
> > 3. update: update role info
> > 4. destroy: delete the role
> > 5. persist:
> > 6. query: query from role manager.
> > master/allocator need role info during the operation
>
> Adam and I replied to your suggestion of a plugin API in the comments
> attached to the design doc. To recap: if we have implicit roles, I
> don't think we don't need dynamic roles, and vice versa. I don't think
> we need to support n possible ways to implement this functionality,
> along with the complexity of supporting a general-purpose plugin API
> for a core Mesos concept like roles.
>
> If there are use-cases for dynamic roles that aren't met by the
> combination of implicit roles, dynamic weights, and dynamic ACLs, I'd
> love to hear about them.
>
> Neil