[jira] [Commented] (MESOS-3062) Add authorization for dynamic reservation

Thu, 05 Nov 2015 13:47:58 -0800 

    [ 
https://issues.apache.org/jira/browse/MESOS-3062?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14992548#comment-14992548
 ] 

Greg Mann commented on MESOS-3062:
----------------------------------

I picked up where [~mcypark] left off on these reviews. Rebased and addressed 
all outstanding comments. You can find the new patches here:

Introduced ACL protobuf definitions for dynamic reservation: 
https://reviews.apache.org/r/39985/
Enabled the Authorizer to handle Reserve/Unreserve ACLs: 
https://reviews.apache.org/r/39986/
Added 'Master::authorize' for Reserve/Unreserve: 
https://reviews.apache.org/r/39987/
Added authorization for dynamic reservation master endpoints: 
https://reviews.apache.org/r/39988/
Added framework authorization for dynamic reservation: 
https://reviews.apache.org/r/39989/

> Add authorization for dynamic reservation
> -----------------------------------------
>
>                 Key: MESOS-3062
>                 URL: https://issues.apache.org/jira/browse/MESOS-3062
>             Project: Mesos
>          Issue Type: Task
>          Components: master
>            Reporter: Michael Park
>            Assignee: Michael Park
>              Labels: mesosphere, persistent-volumes
>
> Dynamic reservations should be authorized with the {{principal}} of the 
> reserving entity (framework or master). The idea is to introduce {{Reserve}} 
> and {{Unreserve}} into the ACL.
> {code}
>   message Reserve {
>     // Subjects.
>     required Entity principals = 1;
>     // Objects.  MVP: Only possible values = ANY, NONE
>     required Entity resources = 1;
>   }
>   message Unreserve {
>     // Subjects.
>     required Entity principals = 1;
>     // Objects.
>     required Entity reserver_principals = 2;
>   }
> {code}
> When a framework/operator reserves resources, "reserve" ACLs are checked to 
> see if the framework ({{FrameworkInfo.principal}}) or the operator 
> ({{Credential.user}}) is authorized to reserve the specified resources. If 
> not authorized, the reserve operation is rejected.
> When a framework/operator unreserves resources, "unreserve" ACLs are checked 
> to see if the framework ({{FrameworkInfo.principal}}) or the operator 
> ({{Credential.user}}) is authorized to unreserve the resources reserved by a 
> framework or operator ({{Resource.ReservationInfo.principal}}). If not 
> authorized, the unreserve operation is rejected.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to