[
https://issues.apache.org/jira/browse/MESOS-4591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15137194#comment-15137194
]
Greg Mann commented on MESOS-4591:
----------------------------------
[~gyliu], the problem is that the behavior of the {{/reserve}} endpoint is
different than the behavior of {{RESERVE}} operations from frameworks. This
makes it possible for a datacenter operator to set ACLs for frameworks which
assume that they will only be able to reserve resources for their own role,
while those same principals can then reserve resources through the {{/reserve}}
endpoint for any role. The difference in behavior between these two methods of
making reservations makes the authorization process more confusing, and thus
less secure.

Perhaps we will want to establish a distinction between authorization for
operator endpoints and authorization for frameworks. Currently, authentication
and authorization for both of these is based on the same set of credentials and
ACLs, but maybe we should treat them differently. For example, it makes sense
to limit frameworks to only reserve resources for their own role, but it also
makes sense to authorize principals to reserve for particular roles (and not
for others) through the {{/reserve}} endpoint.

With regard to the {{/create-volumes}} endpoint, the difference there is that
an operator can only create volumes using resources that have already been
reserved for a particular role. You raise a good point, and perhaps we should
restrict the creation of volumes to certain roles as well. However, that case
seems less harmful to me since the operator can't create any persistent volume
for any arbitrary role, they can only create volumes on disk resources that
have already been reserved for a particular role.
> `/reserve` endpoint allows reservations for any role
> ----------------------------------------------------
>
> Key: MESOS-4591
> URL: https://issues.apache.org/jira/browse/MESOS-4591
> Project: Mesos
> Issue Type: Bug
> Affects Versions: 0.27.0
> Reporter: Greg Mann
> Labels: mesosphere, reservations
>
> When frameworks reserve resources, the validation of the operation ensures
> that the {{role}} of the reservation matches the {{role}} of the framework.
> For the case of the {{/reserve}} operator endpoint, however, the operator has
> no role to validate, so this check isn't performed.
> This means that if an ACL exists which authorizes a framework's principal to
> reserve resources, that same principal can be used to reserve resources for
> _any_ role through the operator endpoint.
> We should restrict reservations made through the operator endpoint to
> specified roles. A few possibilities:
> * The {{object}} of the {{reserve_resources}} ACL could be changed from
> {{resources}} to {{roles}}
> * A second ACL could be added for authorization of {{reserve}} operations,
> with an {{object}} of {{role}}
> * Our conception of the {{resources}} object in the {{reserve_resources}} ACL
> could be expanded to include role information, i.e.,
> {{disk(role1);mem(role1)}}
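As an added illustration (constructed toy model, not Mesos source; the function names, the simplified `Acl` shape and the `"*"` wildcard are assumptions), the discrepancy described above between the framework validation and the operator endpoint, next to a role-scoped check along the lines of the first proposal:

```python
from dataclasses import dataclass, field


@dataclass
class Acl:
    """Simplified stand-in for a reserve_resources ACL entry (constructed, not the Mesos ACL format)."""
    principals: set                                     # principals this entry applies to
    roles: set = field(default_factory=lambda: {"*"})   # roles the principal may reserve for; "*" = any role


def _principal_matches(acls, principal):
    return any(principal in acl.principals for acl in acls)


def framework_reserve_allowed(acls, principal, framework_role, reservation_role):
    """Framework RESERVE path: validation requires the reservation role to match the framework's role."""
    if reservation_role != framework_role:
        return False
    return _principal_matches(acls, principal)


def operator_reserve_allowed_v0(acls, principal, reservation_role):
    """/reserve endpoint as described in the issue: the operator has no role, so only the principal is checked."""
    return _principal_matches(acls, principal)


def operator_reserve_allowed_fixed(acls, principal, reservation_role):
    """Role-scoped variant: the ACL object names the roles the principal may reserve for."""
    return any(
        principal in acl.principals and (reservation_role in acl.roles or "*" in acl.roles)
        for acl in acls
    )


def demo():
    """Return the outcome of one principal reserving for a role other than its own on each path."""
    acls = [Acl(principals={"fw-principal"}, roles={"role1"})]
    return {
        "framework": framework_reserve_allowed(acls, "fw-principal", "role1", "role2"),
        "operator_v0": operator_reserve_allowed_v0(acls, "fw-principal", "role2"),
        "operator_fixed": operator_reserve_allowed_fixed(acls, "fw-principal", "role2"),
    }


if __name__ == "__main__":
    print(demo())
```

With the same principal, the framework path refuses the foreign role, the unscoped operator check accepts it, and the role-scoped check refuses it again.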
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)