[jira] [Commented] (MESOS-4253) Provide a minimalist "runtime context" to an Anonymous Module

2016-02-28 Thread Marco Massenzio (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-4253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15171462#comment-15171462
 ] 

Marco Massenzio commented on MESOS-4253:


It would be good if whoever came up with the "security concerns" could clarify 
them further: in particular, when making an assertion about a particular 
feature introducing a "security vulnerability", it is best practice to describe 
a scenario, a potential attacker's capabilities, and the attack vector - 
otherwise, *anything* can be a "security concern."
{quote}
What this means is that I have to retract the ship-it to discuss it further. 
One of the most important issues was the fact that exposing all Master/Agent 
flags could also mean sharing things like credentials and password info and any 
other information that is part of other modules' module.json parameters.
{quote}
I will be honest and confess that I don't understand the scenario here: please 
bear in mind that the module(s) can *only* be loaded at startup, by using the 
{{--modules}} flag (and associated JSON) by the same person/team/script that is 
launching the Master/Agent.

So, we are really *not* "exposing" the flags: these are already available (by 
definition) to the actor who launched the Agent (or Master), hence this 
facility does not further expand the surface of attack (provided, of course, 
that the module itself is designed according to security principles).

In other words, passing the Flags during module creation is simply a 
convenience, wrt writing a "wrapper" script that duplicates these Flags of 
interest into the modules' "Parameters" in the JSON.
Also, it gives the modules access to default values that are not explicitly 
defined: as these are, by definition, "public" there is no increase in 
vulnerability.

Again, the very same person that launches Mesos is loading the module - how 
does that represent a greater security concern?

{quote}
Having said that, I am not saying that Mesos is completely secure and these 
patches will make it less secure, but we do need to come up with a better plan 
going forward.
{quote}
"better" can only be defined wrt a security threat scenario: what is it?

{quote}
On a more detailed note, there are two main avenues that we need to pursue 
here. One, have the modules explicitly request the flags that are needed by 
them in order to work. At which point, the operator can pass in these flags as 
part of Master/Agent commandline and they will be forwarded to the respective 
modules.
{quote}
How would a module "explicitly request the flags"?
This seems rather cumbersome, and only minimally better than just the 
"wrapper" script that duplicates the flags inside the JSON's parameters.

It is also completely contrary to treating your cluster "as herd, not pets."
{quote}
Second, we can come up with a minimal set of Master/Agent flags that we 
consider "safe" and always pass to all modules as part of the `create` call 
along with Parameters. There is already a precedence in the way SSL flags are 
passed on via Master/Agent commandline.
{quote}
This seems to me to be really non-scalable and a bit cumbersome, but probably 
the only viable option, without a clearer definition of what the security 
concerns are.
{quote}
Finally, given the nature of the concerns, I wanted to see if you can join the 
next community sync and discuss it further while involving the whole community? 
After that, we might be able to create a small working group with all 
interested parties to come up with better design decisions.
{quote}

Considering that it's taken two months (of virtually no feedback at all) I 
honestly can't see how this is likely to elicit more interest, but we'll see, I 
guess.

> Provide a minimalist "runtime context" to an Anonymous Module
> -
>
> Key: MESOS-4253
> URL: https://issues.apache.org/jira/browse/MESOS-4253
> Project: Mesos
> Issue Type: Improvement
> Components: modules
> Reporter: Marco Massenzio
> Assignee: Marco Massenzio
>
> Currently, {{Anonymous}} modules only receive at creation a copy of the 
> {{"parameters"}} passed in the JSON configuration file.
> However, at runtime, it would be useful to also have a "runtime context" for 
> the module developer to use, when implementing the functionality.
> I would suggest to pass in the {{Flags}} object from the Master/Agent inside 
> an {{setRuntimeContext(const Flags&)}}[0] method, called immediately 
> post-{{create(const Parameters&)}}[1].
> Also, I would suggest adding a {{teardown()}} method too, in case the module 
> needs to release resources / conduct cleanup before exiting (there is a TODO 
> in the code to this effect, and adding this in this patch would be close to 
> trivial).
> [0] In practice, it won't be this trivial, as 

[jira] [Commented] (MESOS-4253) Provide a minimalist "runtime context" to an Anonymous Module

2016-02-27 Thread Kapil Arya (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-4253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15170754#comment-15170754
 ] 

Kapil Arya commented on MESOS-4253:
---

While discussing these RRs, a few security concerns came up. What this means is 
that I have to retract the ship-it to discuss it further. Sorry!

One of the most important issues was the fact that exposing all Master/Agent 
flags could also mean sharing things like credentials and password info, and 
any other "sensitive" information that might be part of other modules' module.json 
parameters.

On a more detailed note, there are two main avenues that we can pursue. One, 
have the modules explicitly request the flags that are needed by them in order 
to work. At which point, these flags will be merged with Master/Agent flags and 
the operator can pass in these flags as part of Master/Agent command line and 
they will be forwarded to the respective modules. Second, we can come up with a 
minimal set of Master/Agent flags that we consider "safe" and always pass to 
all modules as part of the `create` call along with Parameters. There is 
already a precedence in the way SSL flags are passed on via Master/Agent 
command line.

This would also mean that we can remove some of the existing Master/Agent flags 
that are specific to some modules (e.g., flags related to perf isolator). The 
modules would then request their flags to be accepted as part of Master/Agent 
commandline (and be visible at places like --help).

Finally, given the nature of the concerns, it might be a good idea to further 
involve the rest of the community to discuss the security consideration 
surrounding anonymous modules to get some feedback. 

> Provide a minimalist "runtime context" to an Anonymous Module
> -
>
> Key: MESOS-4253
> URL: https://issues.apache.org/jira/browse/MESOS-4253
> Project: Mesos
> Issue Type: Improvement
> Components: modules
> Reporter: Marco Massenzio
> Assignee: Marco Massenzio
>
> Currently, {{Anonymous}} modules only receive at creation a copy of the 
> {{"parameters"}} passed in the JSON configuration file.
> However, at runtime, it would be useful to also have a "runtime context" for 
> the module developer to use, when implementing the functionality.
> I would suggest to pass in the {{Flags}} object from the Master/Agent inside 
> an {{setRuntimeContext(const Flags&)}}[0] method, called immediately 
> post-{{create(const Parameters&)}}[1].
> Also, I would suggest adding a {{teardown()}} method too, in case the module 
> needs to release resources / conduct cleanup before exiting (there is a TODO 
> in the code to this effect, and adding this in this patch would be close to 
> trivial).
> [0] In practice, it won't be this trivial, as Master/Agent {{Flags}} are of a 
> different compile-time type - probably use something like variadic templates 
> or something (suggestions appreciated!).
> [1] In fact, the ideal solution would be to add the {{const Flags&}} to 
> {{create()}}, but that would, alas, break everyone's modules; so that's 
> probably a no-go (ideas welcome here too).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
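
The second option described in the comment above (a fixed set of "safe" flags forwarded to every module) written as a fail-closed allowlist. This is an added example, not code from Mesos or from anyone in this thread; the type and function names, the sample values and the choice of which flags count as safe are assumptions made for illustration.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// Hypothetical types for illustration; these are not Mesos classes.
typedef std::map<std::string, std::string> FlagMap;

struct RuntimeContext {
  FlagMap flags;                      // Flags the module is allowed to see.
  std::vector<std::string> withheld;  // Names only, for the operator's audit log.
};

// Assumed allowlist: which flags count as "safe" is this example's choice.
std::set<std::string> safeFlags() {
  return {"hostname", "ip", "log_dir", "port", "work_dir"};
}

// Fail closed: a flag is forwarded only when the allowlist names it, so a flag
// that carries secrets, or one added in a later release, is withheld by default.
RuntimeContext makeRuntimeContext(const FlagMap& all,
                                  const std::set<std::string>& allow) {
  RuntimeContext context;
  for (const auto& flag : all) {
    if (allow.count(flag.first) > 0) {
      context.flags.insert(flag);
    } else {
      context.withheld.push_back(flag.first);
    }
  }
  return context;
}

// Constructed sample of flags a Master could be started with. The "modules"
// value embeds another module's parameters, which is the exposure raised above.
FlagMap sampleMasterFlags() {
  return {
      {"credentials", "/etc/mesos/credentials.json"},
      {"ip", "10.0.0.5"},
      {"modules", R"({"libraries":[{"file":"libexample.so","modules":[)"
                  R"({"name":"example_Module","parameters":[)"
                  R"({"key":"password","value":"constructed-secret"}]}]}]})"},
      {"port", "5050"},
      {"work_dir", "/var/lib/mesos"}};
}

int main() {
  RuntimeContext context = makeRuntimeContext(sampleMasterFlags(), safeFlags());
  for (const auto& flag : context.flags)
    std::cout << "forwarded " << flag.first << "=" << flag.second << "\n";
  for (const auto& name : context.withheld)
    std::cout << "withheld  " << name << "\n";
  return 0;
}
```

Only the names of withheld flags are recorded, so the audit output itself never carries a credential path or an embedded module parameter.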


[jira] [Commented] (MESOS-4253) Provide a minimalist "runtime context" to an Anonymous Module

2016-01-14 Thread Marco Massenzio (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-4253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15099254#comment-15099254
 ] 

Marco Massenzio commented on MESOS-4253:


Sure thing, not a problem.

I'd really like to have it in by the 1.0, though - as this is an "externally 
facing" API (ie, one that external developers code against) it would be awesome 
to have it stable by then.

In particular, I'd love to hear your thoughts about 

(a) a {{shutdown()}} method (naming TBD, this would be consistent with the 
current naming for frameworks; although, {{finalize()}} may be more 
appropriate); and

(b) whether we should also "fix" (most likely in a different Jira/RR) the fact 
that currently the module pointers are never deallocated in the {{main()}} 
methods, so the class destructors are never called (AFAICT, anyway).

Thanks! 



[jira] [Commented] (MESOS-4253) Provide a minimalist "runtime context" to an Anonymous Module

2016-01-14 Thread Kapil Arya (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-4253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15099090#comment-15099090
 ] 

Kapil Arya commented on MESOS-4253:
---

I have retargeted it to 0.28.0 since it looks like I won't be able to get to it 
before early next week :-(. I hope that's okay.



[jira] [Commented] (MESOS-4253) Provide a minimalist "runtime context" to an Anonymous Module

2016-01-12 Thread Marco Massenzio (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-4253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15095477#comment-15095477
 ] 

Marco Massenzio commented on MESOS-4253:


Thanks and no worries, it was the holidays!

Also, [~haosd...@gmail.com] and [~jpe...@apache.org] have chimed in, so they 
may want to add their thoughts here.



[jira] [Commented] (MESOS-4253) Provide a minimalist "runtime context" to an Anonymous Module

2016-01-12 Thread Kapil Arya (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-4253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15095441#comment-15095441
 ] 

Kapil Arya commented on MESOS-4253:
---

Sorry for missing it earlier. I'll go over the RR.



[jira] [Commented] (MESOS-4253) Provide a minimalist "runtime context" to an Anonymous Module

2015-12-27 Thread Marco Massenzio (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-4253?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15072372#comment-15072372
 ] 

Marco Massenzio commented on MESOS-4253:


[~karya] - would you mind terribly shepherding this one, please?
