[ https://issues.apache.org/jira/browse/MESOS-4591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15145700#comment-15145700 ]

Guangya Liu commented on MESOS-4591:
------------------------------------

[~neilc], I think that [~greggomann] gave some explanation why he thinks that 
the {{create-volumes}} is low priority: With regard to the /create-volumes 
endpoint, the difference there is that an operator can only create volumes 
using resources that have already been reserved for a particular role. You 
raise a good point, and perhaps we should restrict the creation of volumes to 
certain roles as well. However, that case seems less harmful to me since the 
operator can't create any persistent volume for any arbitrary role, they can 
only create volumes on disk resources that have already been reserved for a 
particular role.

> `/reserve` and `/create-volumes` endpoints allow operations for any role
> ------------------------------------------------------------------------
>
>                 Key: MESOS-4591
>                 URL: https://issues.apache.org/jira/browse/MESOS-4591
>             Project: Mesos
>          Issue Type: Bug
>    Affects Versions: 0.27.0
>            Reporter: Greg Mann
>              Labels: mesosphere, reservations
>
> When frameworks reserve resources, the validation of the operation ensures 
> that the {{role}} of the reservation matches the {{role}} of the framework. 
> For the case of the {{/reserve}} operator endpoint, however, the operator has 
> no role to validate, so this check isn't performed.
> This means that if an ACL exists which authorizes a framework's principal to 
> reserve resources, that same principal can be used to reserve resources for 
> _any_ role through the operator endpoint.
> We should restrict reservations made through the operator endpoint to 
> specified roles. A few possibilities:
> * The {{object}} of the {{reserve_resources}} ACL could be changed from 
> {{resources}} to {{roles}}
> * A second ACL could be added for authorization of {{reserve}} operations, 
> with an {{object}} of {{role}}
> * Our conception of the {{resources}} object in the {{reserve_resources}} ACL 
> could be expanded to include role information, i.e., 
> {{disk(role1);mem(role1)}}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
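
The check described in the issue, as an added example that is not part of the original message and is not Mesos code. It models the framework path, the operator endpoint path as reported, and the first proposal (ACL object changed to roles); the ACL layout, principal names and role names are constructed assumptions.

```python
# Simplified model of the check described in MESOS-4591; not Mesos source code.
# ACL layout, principal names and role names below are constructed for illustration.

# Current shape: the reserve_resources ACL names principals; its object is "resources".
ACL_RESOURCES = [{"principals": {"fw-principal"}, "resources": "ANY"}]

# First proposal from the issue: the ACL object becomes "roles".
ACL_ROLES = [{"principals": {"fw-principal"}, "roles": {"analytics"}}]


def principal_authorized(acls, principal):
    """True if any ACL entry lists the principal (the only check in the current shape)."""
    return any(principal in entry["principals"] for entry in acls)


def framework_reserve(acls, principal, framework_role, reservation_role):
    """Framework path: the reservation role must match the framework's role."""
    if reservation_role != framework_role:
        return False
    return principal_authorized(acls, principal)


def operator_reserve(acls, principal, reservation_role):
    """Operator endpoint path as reported: no role to validate, so the role is ignored."""
    return principal_authorized(acls, principal)


def operator_reserve_role_scoped(acls, principal, reservation_role):
    """Role-scoped check: principal and reservation role must appear in the same entry."""
    return any(
        principal in entry["principals"] and reservation_role in entry["roles"]
        for entry in acls
    )


def decisions(reservation_role):
    """Decision of each path for one principal whose framework role is 'analytics'."""
    p, fw_role = "fw-principal", "analytics"
    return {
        "framework": framework_reserve(ACL_RESOURCES, p, fw_role, reservation_role),
        "operator": operator_reserve(ACL_RESOURCES, p, reservation_role),
        "operator_role_scoped": operator_reserve_role_scoped(ACL_ROLES, p, reservation_role),
    }


if __name__ == "__main__":
    for role in ("analytics", "billing"):
        print(role, decisions(role))
```

The row for `billing` is the case the issue reports: the framework path denies it, the operator path allows it, and the role-scoped ACL denies it again.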
