[
https://issues.apache.org/jira/browse/MESOS-5615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15334830#comment-15334830
]
Joerg Schad commented on MESOS-5615:
------------------------------------
A few more comments on this: IMO a general issue of this creating an
executorInfo on the agent (i.e., already before this the fixes proposed here)
is that the agent/state and master/state will differ as the agent contains this
new executorInfo.
Especially this means that the copied Labels/DiscoveryInfo can appear both on
the TaskInfo and the ExecutorInfo. These fields can be custom generated by
frameworks and custom consumed by external tool. So we should make sure users
(both framework writers and operators/tool writers) are aware of this.
> When using command executor, the ExecutorInfo is useless for sandbox
> authorization
> ----------------------------------------------------------------------------------
>
> Key: MESOS-5615
> URL: https://issues.apache.org/jira/browse/MESOS-5615
> Project: Mesos
> Issue Type: Bug
> Components: modules, security, slave
> Affects Versions: 1.0.0
> Reporter: Alexander Rojas
> Assignee: Joerg Schad
> Priority: Blocker
> Labels: authorization, mesosphere, modularization, security
> Fix For: 1.0.0
>
>
> The design for sandbox access authorization uses the {{ExecutorInfo}}
> associated with the task as the main authorization space and the
> {{FrameworkInfo}} as a secondary one. This allows module writes to use fields
> such a labels for authorization.
> When a task uses the _command executor_ it doesn't provide an
> {{ExecutorInfo}}, but the info object is generated automatically inside the
> agent. As such, information which could be used for authorization (e.g.
> labels) is not available for authorization.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
