[ https://issues.apache.org/jira/browse/MESOS-6953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15836937#comment-15836937 ]
Adam B commented on MESOS-6953:
-------------------------------
cc: [~arojas]
Interesting... So you use the framework principal as the "subject", although
it's the master that's actually making the request?

So, now, if a framework wants to run a task, it must have permission not just
on the masters, but also on every agent (where it might want to run)? What if
it has the ACL on some agents, but not others? How would it discover that, by
trial and error?

What's the live upgrade story here? Operators must copy the run_tasks ACL from
the masters to all agents (and restart the agents)?
> A compromised mesos-master node can execute code as root on agents.
> -------------------------------------------------------------------
>
> Key: MESOS-6953
> URL: https://issues.apache.org/jira/browse/MESOS-6953
> Project: Mesos
> Issue Type: Bug
> Components: security
> Reporter: Anindya Sinha
> Assignee: Anindya Sinha
> Labels: security, slave
>
> mesos-master has a `--[no-]root_submissions` flag that controls whether
> frameworks with `root` user are admitted to the cluster.
> However, if a mesos-master node is compromised, it can attempt to schedule
> tasks on an agent as the `root` user. Since mesos-agent has no check against
> tasks running on the agent for specific users, tasks can get run with `root`
> privileges within the container on the agent.