[ https://issues.apache.org/jira/browse/MESOS-4591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15155279#comment-15155279 ]

Greg Mann commented on MESOS-4591:
----------------------------------

[~gyliu], I apologize, you asked for my thoughts on your proposal and I never 
replied! I had some discussions with other contributors and committers, and we 
thought a good approach would be to simply change the objects of the 
{{ReserveResources}} and {{CreateVolume}} ACLs to {{roles}} rather than 
{{resources}} and {{volume_types}}. Especially since we are currently only 
using {{ANY}} and {{NONE}} for the existing objects, losing them won't be 
detrimental. This will cause a compatibility concern with previous ACL 
definitions, which we can call out in the upgrade documentation for 0.28.0, but 
it's not a large disruption. I'm about to post patches for these changes; have 
a look and let me know what you think :-)

> `/reserve` and `/create-volumes` endpoints allow operations for any role
> ------------------------------------------------------------------------
>
>                 Key: MESOS-4591
>                 URL: https://issues.apache.org/jira/browse/MESOS-4591
>             Project: Mesos
>          Issue Type: Bug
>    Affects Versions: 0.27.0
>            Reporter: Greg Mann
>            Assignee: Greg Mann
>              Labels: mesosphere, reservations
>             Fix For: 0.28.0
>
>
> When frameworks reserve resources, the validation of the operation ensures 
> that the {{role}} of the reservation matches the {{role}} of the framework. 
> For the case of the {{/reserve}} operator endpoint, however, the operator has 
> no role to validate, so this check isn't performed.
> This means that if an ACL exists which authorizes a framework's principal to 
> reserve resources, that same principal can be used to reserve resources for 
> _any_ role through the operator endpoint.
> We should restrict reservations made through the operator endpoint to 
> specified roles. A few possibilities:
> * The {{object}} of the {{reserve_resources}} ACL could be changed from 
> {{resources}} to {{roles}}
> * A second ACL could be added for authorization of {{reserve}} operations, 
> with an {{object}} of {{role}}
> * Our conception of the {{resources}} object in the {{reserve_resources}} ACL 
> could be expanded to include role information, i.e., 
> {{disk(role1);mem(role1)}}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
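The following is an added model of the authorization gap described in the issue and of the `roles`-object change proposed in the comment above; it is constructed for illustration and is not Mesos source. It assumes a simplified ACL evaluation (the first ACL whose `principals` entity matches the principal decides, no match means deny) and an entity convention of `ANY`, `NONE`, or an explicit list of values.

```python
# Constructed model of MESOS-4591 (not Mesos code). Entities are ANY, NONE, or
# a list of values; assumption: the first ACL whose principal matches decides,
# and no matching ACL denies the request.
ANY, NONE = "ANY", "NONE"


def entity_matches(entity, value: str) -> bool:
    """ANY matches everything, NONE matches nothing, a list matches its members."""
    if entity == ANY:
        return True
    if entity == NONE:
        return False
    return value in entity


def framework_reserve_allowed(framework_role: str, reservation_role: str) -> bool:
    """Framework path: the reservation's role must equal the framework's role,
    so a framework cannot reserve resources for another role."""
    return framework_role == reservation_role


def operator_reserve_old(acls, principal: str, reservation_role: str) -> bool:
    """Pre-fix /reserve: the ACL object is `resources`, which the thread notes
    was only ever ANY or NONE. The target role is never consulted, so
    `reservation_role` is deliberately unused here; that is the gap."""
    for acl in acls:
        if entity_matches(acl["principals"], principal):
            return acl["resources"] == ANY
    return False


def operator_reserve_new(acls, principal: str, reservation_role: str) -> bool:
    """Post-fix /reserve: the ACL object is `roles`, so an operator can pin a
    principal to the roles it may reserve for."""
    for acl in acls:
        if entity_matches(acl["principals"], principal):
            return entity_matches(acl["roles"], reservation_role)
    return False


# Constructed ACLs: "fw1" is the principal of a framework registered in role1.
OLD_ACLS = [{"principals": ["fw1"], "resources": ANY}]
NEW_ACLS = [{"principals": ["fw1"], "roles": ["role1"]}]

if __name__ == "__main__":
    # The framework path refuses a cross-role reservation ...
    print(framework_reserve_allowed("role1", "role2"))      # False
    # ... but the old operator endpoint permits it for the same principal.
    print(operator_reserve_old(OLD_ACLS, "fw1", "role2"))   # True
    # With a roles object the operator endpoint is restricted as well.
    print(operator_reserve_new(NEW_ACLS, "fw1", "role2"))   # False
    print(operator_reserve_new(NEW_ACLS, "fw1", "role1"))   # True
```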