[ https://issues.apache.org/jira/browse/MESOS-3062?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14999288#comment-14999288 ]
Greg Mann commented on MESOS-3062:
----------------------------------
These patches don't affect which offers are made to which frameworks, nor which
frameworks can accept which offers; a framework should still be able to utilize
all the resources offered to it. Reserved resources will be offered to, and can
be used by, any framework registered with the appropriate role, regardless of
which principal did the reserving.
This work provides authorization for the {{Reserve}} and {{Unreserve}} offer
operations. So while a framework can still accept all the offers it receives,
these patches do mean that a framework could receive offers containing
resources which it doesn't have permission to reserve. A framework could also
receive offers containing dynamically-reserved resources which it doesn't have
the permission to unreserve.
> Add authorization for dynamic reservation
> -----------------------------------------
>
> Key: MESOS-3062
> URL: https://issues.apache.org/jira/browse/MESOS-3062
> Project: Mesos
> Issue Type: Task
> Components: master
> Reporter: Michael Park
> Assignee: Greg Mann
> Labels: mesosphere, persistent-volumes
>
> Dynamic reservations should be authorized with the {{principal}} of the
> reserving entity (framework or master). The idea is to introduce {{Reserve}}
> and {{Unreserve}} into the ACL.
> {code}
> message Reserve {
>   // Subjects.
>   required Entity principals = 1;
>   // Objects. MVP: Only possible values = ANY, NONE
>   required Entity resources = 2;
> }
> message Unreserve {
>   // Subjects.
>   required Entity principals = 1;
>   // Objects.
>   required Entity reserver_principals = 2;
> }
> {code}
> When a framework/operator reserves resources, "reserve" ACLs are checked to
> see if the framework ({{FrameworkInfo.principal}}) or the operator
> ({{Credential.user}}) is authorized to reserve the specified resources. If
> not authorized, the reserve operation is rejected.
> When a framework/operator unreserves resources, "unreserve" ACLs are checked
> to see if the framework ({{FrameworkInfo.principal}}) or the operator
> ({{Credential.user}}) is authorized to unreserve the resources reserved by a
> framework or operator ({{Resource.ReservationInfo.principal}}). If not
> authorized, the unreserve operation is rejected.
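The unreserve check described in the issue above, as an added example that is not part of the original message and is not Mesos code. It is a simplified C++ model in which the `Entity` struct, the first-match evaluation order, the `permissive` default and the sample principals (`ops`, `analytics`, `web`) are all assumptions; it shows the case from the comment, where a framework is offered resources reserved by another principal yet is refused when it tries to unreserve them.

```cpp
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

// Simplified stand-in for the ACL Entity (assumption): ANY, NONE or a list.
struct Entity {
  enum Type { SOME, ANY, NONE } type;
  std::vector<std::string> values;
  bool covers(const std::string& v) const {
    if (type == ANY) return true;
    if (type == NONE) return false;
    return std::find(values.begin(), values.end(), v) != values.end();
  }
};

// Mirrors the Unreserve message proposed in the issue.
struct UnreserveACL {
  Entity principals;           // Subjects: who is asking.
  Entity reserver_principals;  // Objects: whose reservations are affected.
};

// Assumption of this example: the first ACL whose subjects cover the
// requester decides; if no ACL matches, the `permissive` default applies.
// requester = FrameworkInfo.principal or Credential.user,
// reserver  = Resource.ReservationInfo.principal.
bool authorizeUnreserve(const std::vector<UnreserveACL>& acls,
                        const std::string& requester,
                        const std::string& reserver, bool permissive) {
  for (const UnreserveACL& acl : acls) {
    if (acl.principals.covers(requester))
      return acl.reserver_principals.covers(reserver);
  }
  return permissive;
}

// Constructed policy: "ops" may unreserve anything, "analytics" only its
// own reservations, and every other principal nothing.
std::vector<UnreserveACL> samplePolicy() {
  return {
    {{Entity::SOME, {"ops"}}, {Entity::ANY, {}}},
    {{Entity::SOME, {"analytics"}}, {Entity::SOME, {"analytics"}}},
    {{Entity::ANY, {}}, {Entity::NONE, {}}},
  };
}

int main() {
  // "web" shares a role with "analytics", so it can be offered these
  // resources, but the unreserve operation is rejected.
  std::cout << authorizeUnreserve(samplePolicy(), "web", "analytics", true)
            << "\n";
}
```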