[
https://issues.apache.org/jira/browse/MESOS-4591?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Greg Mann updated MESOS-4591:
-----------------------------
Description:
When frameworks reserve resources, the validation of the operation ensures that
the {{role}} of the reservation matches the {{role}} of the framework. For the
case of the {{/reserve}} operator endpoint, however, the operator has no role
to validate, so this check isn't performed.
This means that if an ACL exists which authorizes a framework's principal to
reserve resources, that same principal can be used to reserve resources for
_any_ role through the operator endpoint.
We should restrict reservations made through the operator endpoint to specified
roles. A few possibilities:
* The {{object}} of the {{reserve_resources}} ACL could be changed from
{{resources}} to {{roles}}
* A second ACL could be added for authorization of {{reserve}} operations, with
an {{object}} of {{role}}
* Our conception of the {{resources}} object in the {{reserve_resources}} ACL
could be expanded to include role information, i.e., {{disk(role1);mem(role1)}}
was:
When frameworks reserve resources, the validation of the operation ensures that
the {{role}} of the reservation matches the {{role}} of the framework. For the
case of the {{/reserve}} operator endpoint, however, the operator has no role
to validate, so this check isn't performed.
This means that if an ACL exists which authorizes a framework's principal to
reserve resources, that same principal can be used to reserve resources for
_any_ role through the operator endpoint.
We should restrict reservations made through the operator endpoint to specified
roles. A couple possibilities:
* The {{object}} of the {{reserve_resources}} ACL could be changed from
{{resources}} to {{roles}}
* Our conception of the {{resources}} object in the {{reserve_resources}} ACL
could be expanded to include role information, i.e., {{disk(role1);mem(role1)}}
> `/reserve` endpoint allows reservations for any role
> ----------------------------------------------------
>
> Key: MESOS-4591
> URL: https://issues.apache.org/jira/browse/MESOS-4591
> Project: Mesos
> Issue Type: Bug
> Affects Versions: 0.27.0
> Reporter: Greg Mann
> Labels: mesosphere, reservations
>
> When frameworks reserve resources, the validation of the operation ensures
> that the {{role}} of the reservation matches the {{role}} of the framework.
> For the case of the {{/reserve}} operator endpoint, however, the operator has
> no role to validate, so this check isn't performed.
> This means that if an ACL exists which authorizes a framework's principal to
> reserve resources, that same principal can be used to reserve resources for
> _any_ role through the operator endpoint.
> We should restrict reservations made through the operator endpoint to
> specified roles. A few possibilities:
> * The {{object}} of the {{reserve_resources}} ACL could be changed from
> {{resources}} to {{roles}}
> * A second ACL could be added for authorization of {{reserve}} operations,
> with an {{object}} of {{role}}
> * Our conception of the {{resources}} object in the {{reserve_resources}} ACL
> could be expanded to include role information, i.e.,
> {{disk(role1);mem(role1)}}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
