[ 
https://issues.apache.org/jira/browse/MESOS-5757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15360292#comment-15360292
 ] 

Joerg Schad commented on MESOS-5757:
------------------------------------

The problem with orphaned tasks is that we don't necessarily have access to the 
FrameworkInfo and hence we cannot authorize them as we would do for 
running/staged tasks (i.e., first check Task/TaskInfo and as fallback check 
FrameworkInfo).

I see three options for dealing with this problem:

1. Coarse granular authz for orphaned tasks
Introduce a new acls/authz action for allowing a user to view orphaned tasks 
(i.e., all or none).

2. Add FrameworkInfo to Task (and then authorize orphaned Tasks the same way we 
would running/staged ones)
The drawback here would be the increased size (and hence memory usage) for 
storing Tasks. FrameworkInfo can have large fields.
Note that FrameworkInfo will be stored for each Task and hence potentially 
duplicated.

3. Add a new data structure to the master storing a mapping of frameworkID to 
frameworkInfo (the frameworkInfo is part of Task and hence we can authorize 
orphaned Tasks the same way we would running/staged ones)
This would lead to less storage overhead compared to 2, but might be a little 
more complex to implement as we have to fill/clean up such a data structure.

> Authorize orphaned tasks
> ------------------------
>
>                 Key: MESOS-5757
>                 URL: https://issues.apache.org/jira/browse/MESOS-5757
>             Project: Mesos
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 1.0.0
>            Reporter: Vinod Kone
>              Labels: mesosphere, security
>             Fix For: 1.0.0
>
>
> Currently, orphaned tasks are not filtered (i.e., using authorization) when a 
> request is made to /state endpoint. This is inconsistent (and unexpected) 
> with how we filter un-orphaned tasks. 
> This is tricky because master and hence the authorizer do not have 
> FrameworkInfos for these orphaned tasks, until after the corresponding 
> frameworks re-register.
> One option is for the agent to include FrameworkInfos of all its tasks and 
> executors in its re-registration message.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
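
A sketch of option 3 from the comment above, added here as an illustration and not taken from the Mesos code base or from the commenter: a frameworkID to FrameworkInfo map that is filled when a task is recorded, cleaned up when the framework's last task is removed, and consulted to filter orphaned tasks, denying by default when no FrameworkInfo is known. The types `FrameworkInfo`, `Task`, `ViewAuthz` and `OrphanTaskIndex` are simplified, hypothetical stand-ins, and how the master obtains the FrameworkInfo (for example from agent re-registration) is assumed.

```cpp
// Added illustration: simplified stand-in types, not Mesos classes.
#include <cstddef>
#include <functional>
#include <map>
#include <string>
#include <vector>

struct FrameworkInfo { std::string user; std::string role; };
struct Task { std::string id; std::string frameworkId; };

// Hypothetical authorizer hook: may `principal` view tasks of this framework?
using ViewAuthz =
    std::function<bool(const std::string& principal, const FrameworkInfo&)>;

class OrphanTaskIndex {
 public:
  // Fill: keep one FrameworkInfo per framework and count the tasks using it.
  // `info` may be null when the master has not learned the FrameworkInfo yet.
  void addTask(const Task& task, const FrameworkInfo* info) {
    Entry& e = frameworks_[task.frameworkId];
    if (info != nullptr) { e.info = *info; e.known = true; }
    ++e.tasks;
    tasks_.push_back(task);
  }
  // Cleanup: drop the framework entry when its last task goes away.
  void removeTask(const std::string& taskId) {
    for (auto it = tasks_.begin(); it != tasks_.end(); ++it) {
      if (it->id != taskId) continue;
      auto fw = frameworks_.find(it->frameworkId);
      if (fw != frameworks_.end() && --fw->second.tasks == 0) frameworks_.erase(fw);
      tasks_.erase(it);
      return;
    }
  }
  // Filter per framework, as for running/staged tasks; unknown means hidden.
  std::vector<std::string> visible(const std::string& principal,
                                   const ViewAuthz& authz) const {
    std::vector<std::string> out;
    for (const Task& t : tasks_) {
      auto fw = frameworks_.find(t.frameworkId);
      if (fw != frameworks_.end() && fw->second.known &&
          authz(principal, fw->second.info)) out.push_back(t.id);
    }
    return out;
  }
  std::size_t trackedFrameworks() const { return frameworks_.size(); }

 private:
  struct Entry { FrameworkInfo info; bool known = false; int tasks = 0; };
  std::map<std::string, Entry> frameworks_;  // frameworkID -> FrameworkInfo
  std::vector<Task> tasks_;                  // orphaned tasks, insertion order
};
```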
