[jira] [Commented] (MESOS-4591) `/reserve` endpoint allows reservations for any role

Tue, 09 Feb 2016 07:06:38 -0800 

    [ 
https://issues.apache.org/jira/browse/MESOS-4591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15139033#comment-15139033
 ] 

Guangya Liu commented on MESOS-4591:
------------------------------------

Thanks [~greggomann] for the detailed explanation! 

For your proposals, for 1), if the object of the reserve_resources ACL could be 
changed from resources to roles, then there will be no entry for resources, 
does the endpoint for reservation still works?

In my understanding, I think that 3) might be better, extend the 
reserve_resources ACL include role information,  but my thinking of including 
role info is as following, what do you say? Thanks.

{code}
{
          "permissive": false,
          "reserve_resources": [
             {
                 "principals": {
                     "values": ["foo"]
                  },
                  "resources": {
                      "type": "ANY"
                  },
                  "roles": {
                    "values": ["r1", "r2"]
                  }
              }
           ]
 }
{code}

> `/reserve` endpoint allows reservations for any role
> ----------------------------------------------------
>
>                 Key: MESOS-4591
>                 URL: https://issues.apache.org/jira/browse/MESOS-4591
>             Project: Mesos
>          Issue Type: Bug
>    Affects Versions: 0.27.0
>            Reporter: Greg Mann
>              Labels: mesosphere, reservations
>
> When frameworks reserve resources, the validation of the operation ensures 
> that the {{role}} of the reservation matches the {{role}} of the framework. 
> For the case of the {{/reserve}} operator endpoint, however, the operator has 
> no role to validate, so this check isn't performed.
> This means that if an ACL exists which authorizes a framework's principal to 
> reserve resources, that same principal can be used to reserve resources for 
> _any_ role through the operator endpoint.
> We should restrict reservations made through the operator endpoint to 
> specified roles. A few possibilities:
> * The {{object}} of the {{reserve_resources}} ACL could be changed from 
> {{resources}} to {{roles}}
> * A second ACL could be added for authorization of {{reserve}} operations, 
> with an {{object}} of {{role}}
> * Our conception of the {{resources}} object in the {{reserve_resources}} ACL 
> could be expanded to include role information, i.e., 
> {{disk(role1);mem(role1)}}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to