Greg Mann created MESOS-7399:
--------------------------------
Summary: Move implicit authorization into the authorizer
Key: MESOS-7399
URL: https://issues.apache.org/jira/browse/MESOS-7399
Project: Mesos
Issue Type: Improvement
Components: executor, scheduler api
Reporter: Greg Mann

The HTTP scheduler and executor APIs contain implicit authorization rules.
Roughly stated, the rule is that schedulers and executors can only perform
actions for/on schedulers/executors with the same principal. For example,
schedulers can only launch tasks on schedulers with the same principal, and
executors can only launch nested containers within an executor using the same
principal.

These implicit authorization rules should be moved into the authorizer to
maintain separation of authorization logic consistent with the rest of the
Mesos codebase.

Note that these rules will be unnecessary in the V0 scheduler/executor APIs due
to their implementation. Since V0 schedulers and executors authenticate once
when their persistent TCP connection is established, the implicit authorization
of subsequent actions performed on that connection is inherent to the
implementation.