----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/67501/#review205492 -----------------------------------------------------------
include/mesos/authorizer/acls.proto Lines 542 (patched) <https://reviews.apache.org/r/67501/#comment288405> I had some discussions around using principals to control these `DESTROY_*` operations with Jie and Greg. The take-away was that using principals instead of roles (like e.g., already suggested by Chun in this RR) is not something we should do going forward. It is already tech debt in the destruction of persistent volumes (which is pretty hard to remove in a backwards-compatible way), and we should not add it here. This is related to the fact that when a resource is reserved to a certain role, every framework in that role already has access _to the data_ in that volume (they could e.g., read and modify the data from a task). By using a principal to control destruction we protect the metadata (_some volume `xyz` exists_) while we do not protect the actual data (access to the data is based on roles). That means using principals to authorized `UNRESERVE` operations is useful (it changes data visibility), but does not add real benefits for the `DESTROY_*` operations. Could you use a `required Entity roles` here and below instead? We'd also need to update the documentation and ACL validation. - Benjamin Bannier On June 27, 2018, 12:40 p.m., Jan Schlicht wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/67501/ > ----------------------------------------------------------- > > (Updated June 27, 2018, 12:40 p.m.) > > > Review request for mesos, Benjamin Bannier and Chun-Hung Hsiao. > > > Bugs: MESOS-7329 > https://issues.apache.org/jira/browse/MESOS-7329 > > > Repository: mesos > > > Description > ------- > > Framework operations `CREATE_VOLUME`, `DESTROY_VOLUME`, `CREATE_BLOCK`, > `DESTROY_BLOCK` are authorized. Respective ACL actions have been added > to the local authorizer. Currently access can only be given to either > 'ANY' or 'NONE' resource providers. > > > Diffs > ----- > > docs/authorization.md cd8622b9848b7a020c079cc1901e3933fa6eb0c0 > include/mesos/authorizer/acls.proto > e4889939481dabe6c1c2876a54d654f98d00dec8 > include/mesos/authorizer/authorizer.proto > bb1010d7eb97de17807b0a730ce16a4b28bc2aa3 > src/authorizer/local/authorizer.cpp > 61e9ab5ce9f1ce4eee4a3f8502c9b60140efcb7e > src/master/master.hpp 4180341e2c7b16503a4376c501f611bb78ba901c > src/master/master.cpp 4ade16f044f8a4fdafd5afaba4e6a23232f83a5a > src/tests/authorization_tests.cpp f6f77692112d2299f3009fde4468f82bfd934c60 > > > Diff: https://reviews.apache.org/r/67501/diff/5/ > > > Testing > ------- > > make check > > > Thanks, > > Jan Schlicht > >
