[jira] [Commented] (MESOS-4591) `/reserve` endpoint allows reservations for any role

2016-02-12 Thread Neil Conway (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-4591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15145035#comment-15145035
 ] 

Neil Conway commented on MESOS-4591:


Note that the same issue applies to the {{/create-volumes}} endpoint as well.

> `/reserve` endpoint allows reservations for any role
>
> Key: MESOS-4591
> URL: https://issues.apache.org/jira/browse/MESOS-4591
> Project: Mesos
> Issue Type: Bug
> Affects Versions: 0.27.0
> Reporter: Greg Mann
> Labels: mesosphere, reservations
>
> When frameworks reserve resources, the validation of the operation ensures 
> that the {{role}} of the reservation matches the {{role}} of the framework. 
> For the case of the {{/reserve}} operator endpoint, however, the operator has 
> no role to validate, so this check isn't performed.
> This means that if an ACL exists which authorizes a framework's principal to 
> reserve resources, that same principal can be used to reserve resources for 
> _any_ role through the operator endpoint.
> We should restrict reservations made through the operator endpoint to 
> specified roles. A few possibilities:
> * The {{object}} of the {{reserve_resources}} ACL could be changed from 
> {{resources}} to {{roles}}
> * A second ACL could be added for authorization of {{reserve}} operations, 
> with an {{object}} of {{role}}
> * Our conception of the {{resources}} object in the {{reserve_resources}} ACL 
> could be expanded to include role information, i.e., 
> {{disk(role1);mem(role1)}}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (MESOS-4591) `/reserve` endpoint allows reservations for any role

2016-02-09 Thread Guangya Liu (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-4591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15139033#comment-15139033
 ] 

Guangya Liu commented on MESOS-4591:


Thanks [~greggomann] for the detailed explanation! 

For your proposals, for 1), if the object of the reserve_resources ACL could be 
changed from resources to roles, then there will be no entry for resources; 
does the endpoint for reservation still work?

In my understanding, I think that 3) might be better: extending the 
reserve_resources ACL to include role information. But my thinking on including 
role info is as follows; what do you say? Thanks.

{code}
{
  "permissive": false,
  "reserve_resources": [
    {
      "principals": {
        "values": ["foo"]
      },
      "resources": {
        "type": "ANY"
      },
      "roles": {
        "values": ["r1", "r2"]
      }
    }
  ]
}
{code}



[jira] [Commented] (MESOS-4591) `/reserve` endpoint allows reservations for any role

2016-02-08 Thread Greg Mann (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-4591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15137194#comment-15137194
 ] 

Greg Mann commented on MESOS-4591:

[~gyliu], the problem is that the behavior of the {{/reserve}} endpoint is 
different than the behavior of {{RESERVE}} operations from frameworks. This 
makes it possible for a datacenter operator to set ACLs for frameworks which 
assume that they will only be able to reserve resources for their own role, 
while those same principals can then reserve resources through the {{/reserve}} 
endpoint for any role. The difference in behavior between these two methods of 
making reservations makes the authorization process more confusing, and thus 
less secure.

Perhaps we will want to establish a distinction between authorization for 
operator endpoints and authorization for frameworks. Currently, authentication 
and authorization for both of these is based on the same set of credentials and 
ACLs, but maybe we should treat them differently. For example, it makes sense 
to limit frameworks to only reserve resources for their own role, but it also 
makes sense to authorize principals to reserve for particular roles (and not 
for others) through the {{/reserve}} endpoint.

With regard to the {{/create-volumes}} endpoint, the difference there is that 
an operator can only create volumes using resources that have already been 
reserved for a particular role. You raise a good point, and perhaps we should 
restrict the creation of volumes to certain roles as well. However, that case 
seems less harmful to me since the operator can't create any persistent volume 
for any arbitrary role; they can only create volumes on disk resources that 
have already been reserved for a particular role.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
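
A simplified model of the gap discussed in this thread, as an added example that is not Mesos code and not part of any comment: it compares a principal-only decision for the {{/reserve}} endpoint with a role-scoped decision over an ACL carrying a `roles` entry. The `roles` key follows the shape proposed in the thread and is not an existing Mesos ACL field; the function names, first-match evaluation and deny-when-`roles`-is-missing behaviour are assumptions of this sketch.

```python
import json

# Constructed ACL in the shape proposed in the thread. The "roles" key is the
# proposal under discussion, not an existing Mesos ACL field (assumption).
ACLS = json.loads("""
{
  "permissive": false,
  "reserve_resources": [
    {"principals": {"values": ["foo"]},
     "resources": {"type": "ANY"},
     "roles": {"values": ["r1", "r2"]}}
  ]
}
""")

def matches(entity, value):
    """True if an ACL entity ({"type": "ANY"} or {"values": [...]}) covers value."""
    if not entity or entity.get("type") == "NONE":
        return False
    if entity.get("type") == "ANY":
        return True
    return value in entity.get("values", [])

def framework_reserve_valid(framework_role, reservation_role):
    """Framework path: the reservation's role must equal the framework's role."""
    return framework_role == reservation_role

def endpoint_authorize_principal_only(acls, principal):
    """Operator-endpoint path as reported: no role is available to validate,
    so any role passes once the principal is authorized to reserve."""
    for acl in acls["reserve_resources"]:
        if matches(acl.get("principals"), principal):
            return True
    return acls.get("permissive", True)

def endpoint_authorize_with_role(acls, principal, role):
    """Role-scoped check: the first ACL matching the principal decides, and an
    ACL without "roles" denies (fail closed; both are assumptions here)."""
    for acl in acls["reserve_resources"]:
        if matches(acl.get("principals"), principal):
            return matches(acl.get("roles"), role)
    return acls.get("permissive", True)

def compare(principal, role):
    """Return (principal-only decision, role-scoped decision) for one request."""
    return (endpoint_authorize_principal_only(ACLS, principal),
            endpoint_authorize_with_role(ACLS, principal, role))
```

`compare("foo", "r3")` is the case the issue is about: the principal-only check allows the reservation, while the role-scoped check denies it because `r3` is not listed for `foo`.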


[jira] [Commented] (MESOS-4591) `/reserve` endpoint allows reservations for any role

2016-02-06 Thread Guangya Liu (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-4591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15135713#comment-15135713
 ] 

Guangya Liu commented on MESOS-4591:


[~greggomann] what is the problem if the /reserve endpoint allows reservations 
for any role? I think that the /create endpoint also allows creating persistent 
volumes for any role.
