Michael Park created MESOS-3065:
-----------------------------------
Summary: Add authorization for persistent volume
Key: MESOS-3065
URL: https://issues.apache.org/jira/browse/MESOS-3065
Project: Mesos
Issue Type: Task
Reporter: Michael Park
Persistent volume should be authorized with the {{principal}} of the reserving
entity (framework or master). The idea is to introduce {{Create}} and
{{Destroy}} into the ACL.
{code}
message Create {
// Subjects.
required Entity principals = 1;
// Objects? Perhaps the kind of volume? allowed permissions?
}
message Unreserve {
// Subjects.
required Entity principals = 1;
// Objects.
required Entity creator_principals = 2;
}
{code}
When a framework/operator creates a persistent volume, "create" ACLs are
checked to see if the framework (FrameworkInfo.principal) or the operator
(Credential.user) is authorized to create persistent volumes. If not
authorized, the create operation is rejected.
When a framework/operator destroys a persistent volume, "destroy" ACLs are
checked to see if the framework (FrameworkInfo.principal) or the operator
(Credential.user) is authorized to destroy the persistent volume created by a
framework or operator (Resource.DiskInfo.principal). If not authorized, the
destroy operation is rejected.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
