[
https://issues.apache.org/jira/browse/MESOS-4772?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15170597#comment-15170597
]
Qian Zhang commented on MESOS-4772:
-----------------------------------
Thanks [~adam-mesos]. For 2, what is the timing for Mesos to authenticate
users? When user of a framework launches task and user accesses Mesos UI?
And a few more questions:
4. Any feature interactions with authorization? E.g., allow operator to set up
which user can launch task in which framework?
5. I see there is already a required field {{user}} in {{FrameworkInfo}}, so do
we want to update it to a repeated field to support multi-user framework
proposed in this ticket? Or we want to introduce a new repeated field?
> TaskInfo/ExecutorInfo should include owner information
> ------------------------------------------------------
>
> Key: MESOS-4772
> URL: https://issues.apache.org/jira/browse/MESOS-4772
> Project: Mesos
> Issue Type: Improvement
> Components: security
> Reporter: Adam B
> Assignee: Jan Schlicht
> Labels: authorization, mesosphere, ownership, security
>
> We need a way to assign fine-grained ownership to tasks/executors so that
> multi-user frameworks can tell Mesos to associate the task with a user
> identity (rather than just the framework principal+role). Then, when an HTTP
> user requests to view the task's sandbox contents, or kill the task, or list
> all tasks, the authorizer can determine whether to allow/deny/filter the
> request based on finer-grained, user-level ownership.
> Some systems may want TaskInfo.owner to represent a group rather than an
> individual user. That's fine as long as the framework sets the field to the
> group ID in such a way that a group-aware authorizer can interpret it.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
