[ https://issues.apache.org/jira/browse/MESOS-5757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15360292#comment-15360292 ]
Joerg Schad commented on MESOS-5757: ------------------------------------ The problem with orphaned tasks is that we don't necessarily access to the FrameworkInfo and hence we cannot authorize them as we would do for running/staged task (i.e., first check Task/TaskInfo and as fallback check FrameworInfo). I see three options for dealing with this problem: 1. Coarse granular authz for orphaned tasks Introduce a new acls/authz action for allowing a user to view orphaned tasks (i.e., all or none). 2. Add FrameworkInfo to Task (and then authorize orphaned Tasks the same way we would running/staged ones) The drawback here would be the increased size (and hence memory usage) for storing Tasks. FrameworkInfo can have large fields. Note that FrameworkInfo will be stored for each Task and hence potentially duplicated. 3. Add a new datastructure to the master storing a mapping of frameworkID to frameworkInfo (the frameworkInfo is part of Task and hence we can authorize orphaned Tasks the same way we would running/staged ones) This would lead to less storage overhead compared to 2, but might be a little more complex to implement as we have to fill/cleanup such datastructure. > Authorize orphaned tasks > ------------------------ > > Key: MESOS-5757 > URL: https://issues.apache.org/jira/browse/MESOS-5757 > Project: Mesos > Issue Type: Bug > Components: security > Affects Versions: 1.0.0 > Reporter: Vinod Kone > Labels: mesosphere, security > Fix For: 1.0.0 > > > Currently, orphaned tasks are not filtered (i.e., using authorization) when a > request is made to /state endpoint. This is inconsistent (and unexpected) > with how we filter un-orphaned tasks. > This is tricky because master and hence the authorizer do not have > FrameworkInfos for these orphaned tasks, until after the corresponding > frameworks re-register. > One option is for the agent to include FrameworkInfos of all its tasks and > executors in its re-registration message. -- This message was sent by Atlassian JIRA (v6.3.4#6332)