[jira] [Commented] (MESOS-9562) Authorization for DESTROY and UNRESERVE is not symmetrical.

Mon, 11 Feb 2019 21:50:14 -0800 


    [ 
https://issues.apache.org/jira/browse/MESOS-9562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16765693#comment-16765693
 ] 

Chun-Hung Hsiao commented on MESOS-9562:
----------------------------------------

For {{UNRESERVE}}, we current support the following two use cases:
1. If all resources the {{UNRESERVE}} operation applies to have reservation 
principals, there will be one authorization request for each resource.
2. If none of the resources has any principal, there will be one single 
authorization request to verify if the subject is authorized to perform an 
{{UNRESERVE}} operation.
Equivalently, if a subject is authorized to do {{UNRESERVE}} on any reservation 
with a principal, Mesos would implicitly assume that the subject has the right 
to do {{UNRESERVE}} on a reservation without a principal as well.
We should either document this, or issue a request per resource, with or 
without a principle.
Since we're deprecating the {{value}} field in favor of the {{resource}} field, 
it seems to me that we should issue a request for each resource, no matter it 
is reserved by a principal or not.

For {{DESTROY}}, it seems to me that setting a default empty string is an 
undocumented behavior, and also having a magic string (which is the empty 
string) doesn't sound a good idea in an API.

> Authorization for DESTROY and UNRESERVE is not symmetrical.
> -----------------------------------------------------------
>
>                 Key: MESOS-9562
>                 URL: https://issues.apache.org/jira/browse/MESOS-9562
>             Project: Mesos
>          Issue Type: Improvement
>          Components: master, scheduler api
>    Affects Versions: 1.7.1
>            Reporter: Alexander Rukletsov
>            Priority: Major
>              Labels: integration, mesosphere, tech-debt
>
> For [the {{UNRESERVE}} 
> case|https://github.com/apache/mesos/blob/5d3ed364c6d1307d88e6b950ae0eef423c426673/src/master/master.cpp#L3661-L3677],
>  if the principal was not set, {{.has_principal()}} will be {{false}}, hence 
> we will not call {{authorizations.push_back()}}, and hence we will not create 
> an authz request with this resource as an object. For [the {{DESTROY}} 
> case|https://github.com/apache/mesos/blob/5d3ed364c6d1307d88e6b950ae0eef423c426673/src/master/master.cpp#L3772-L3773],
>  if the principal was not set, a default value {{""}} for string will be used 
> and hence we will create an authz request with this resource as an object. 
> We definitely need to make the behaviour consistent. I'm not sure which 
> approach is correct.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to