[
https://issues.apache.org/jira/browse/MESOS-4772?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15170536#comment-15170536
]
Adam B commented on MESOS-4772:
-------------------------------
1. A framework may belong to a role (or the default "*"). A role is essentially
a group of frameworks as far as DRF is concerned. Roles are also used to group
which frameworks are offered particular reservations/quota/volumes. Users of a
framework may also use other frameworks, and those frameworks may have
different roles. It depends on your cluster setup.
These same users may access the Mesos UI to try to view a task's sandbox. We
want to be able to associate the task with something finer-grained than "role"
so we can e.g. protect sandboxes from other users of a multi-user framework. Of
course, the cluster operator would need to tie the user's identity in Mesos to
the identity in the multi-user framework, but that's outside of the realm of
Mesos' control.
2. Frameworks may authenticate the users of their own UIs/APIs, but Mesos will
have to authenticate users accessing Mesos HTTP endpoints. In addition to
authenticating http requests, Mesos can also authenticate framework
registration and agent registration. See
http://mesos.apache.org/documentation/latest/authentication/
3. There was talk of LDAP integration in MESOS-418 as far back as 2013, but
direct integration was dropped in favor of a plugin module approach. Mesos 0.21
added an Authenticator module (MESOS-1889), which allows me/you/anyone to build
and distribute custom authentication behavior/integrations.
> TaskInfo/ExecutorInfo should include owner information
> ------------------------------------------------------
>
> Key: MESOS-4772
> URL: https://issues.apache.org/jira/browse/MESOS-4772
> Project: Mesos
> Issue Type: Improvement
> Components: security
> Reporter: Adam B
> Assignee: Jan Schlicht
> Labels: authorization, mesosphere, ownership, security
>
> We need a way to assign fine-grained ownership to tasks/executors so that
> multi-user frameworks can tell Mesos to associate the task with a user
> identity (rather than just the framework principal+role). Then, when an HTTP
> user requests to view the task's sandbox contents, or kill the task, or list
> all tasks, the authorizer can determine whether to allow/deny/filter the
> request based on finer-grained, user-level ownership.
> Some systems may want TaskInfo.owner to represent a group rather than an
> individual user. That's fine as long as the framework sets the field to the
> group ID in such a way that a group-aware authorizer can interpret it.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
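The decision the issue proposes (allow, deny or filter a request by a task's user-level owner instead of only the framework principal and role), as an added example that is not Mesos code and not part of this ticket: the Task, Subject and OwnerAwareAuthorizer classes, the action names and the sample tasks and users are all hypothetical, constructed here to show why a per-task owner separates users of one multi-user framework where principal+role cannot, and how a group-aware authorizer treats an owner set to a group id.

```python
# Added example for MESOS-4772: a toy owner-aware authorizer. This is not
# Mesos code; Task/Subject/OwnerAwareAuthorizer, the action names and the
# sample data are hypothetical and constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class Task:
    task_id: str
    framework_principal: str     # principal the framework registered with
    role: str                    # role the framework belongs to ("*" = default)
    owner: Optional[str] = None  # proposed TaskInfo.owner: user or group id set by the framework


@dataclass(frozen=True)
class Subject:
    principal: str                        # identity established by Mesos HTTP authentication
    groups: FrozenSet[str] = frozenset()  # group membership supplied by the operator's identity source


ACTIONS = ("view_task", "access_sandbox", "kill_task")


class OwnerAwareAuthorizer:
    def __init__(self, operator_principals: Iterable[str], group_aware: bool = True):
        self.operators = frozenset(operator_principals)
        self.group_aware = group_aware

    def _owns(self, subject: Subject, task: Task) -> bool:
        # Without an owner, the only identity Mesos knows is the framework
        # principal, so only that principal counts as owner: every user of a
        # multi-user framework collapses to this one identity.
        if task.owner is None:
            return subject.principal == task.framework_principal
        if task.owner == subject.principal:
            return True
        # A framework may set owner to a group id; a group-aware authorizer
        # resolves it against the subject's group membership.
        return self.group_aware and task.owner in subject.groups

    def authorize(self, subject: Subject, action: str, task: Task) -> bool:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if subject.principal in self.operators:  # cluster operators see everything
            return True
        return self._owns(subject, task)

    def filter_tasks(self, subject: Subject, tasks: Iterable[Task]) -> List[Task]:
        # Listing is filtered rather than denied outright.
        return [t for t in tasks if self.authorize(subject, "view_task", t)]


# Constructed sample state: a multi-user framework ("marathon") whose users
# alice and bob share one framework principal and role, plus a single-user
# framework ("chronos") that does not set owner at all.
TASKS = [
    Task("t1", "marathon-principal", "ops", owner="alice"),
    Task("t2", "marathon-principal", "ops", owner="bob"),
    Task("t3", "marathon-principal", "ops", owner="team-data"),
    Task("t4", "chronos-principal", "*"),
]
ALICE = Subject("alice", frozenset({"team-data"}))
BOB = Subject("bob")
CHRONOS = Subject("chronos-principal")
OPERATOR = Subject("root")

AUTHZ = OwnerAwareAuthorizer(operator_principals={"root"})


def visible_task_ids(subject: Subject, authz: OwnerAwareAuthorizer = AUTHZ) -> List[str]:
    return [t.task_id for t in authz.filter_tasks(subject, TASKS)]


def can(subject: Subject, action: str, task_id: str, authz: OwnerAwareAuthorizer = AUTHZ) -> bool:
    task = next(t for t in TASKS if t.task_id == task_id)
    return authz.authorize(subject, action, task)


if __name__ == "__main__":
    for s in (ALICE, BOB, CHRONOS, OPERATOR):
        print(s.principal, "sees", visible_task_ids(s))
    print("alice may kill t2:", can(ALICE, "kill_task", "t2"))
    print("bob may read t3 sandbox:", can(BOB, "access_sandbox", "t3"))
```

The point the sample state makes: t1 and t2 are indistinguishable by principal and role (both "marathon-principal" in "ops"), so only the owner field lets the authorizer grant alice her sandbox while refusing her bob's; t4 shows the fallback when a framework never sets owner, and t3 shows the group case, which a non-group-aware authorizer (group_aware=False) simply treats as an unknown user.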