[jira] [Commented] (MESOS-8306) Restrict which agents can statically reserve resources for which roles

2017-12-13 Thread James Peach (JIRA) 

[ 
https://issues.apache.org/jira/browse/MESOS-8306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16289761#comment-16289761
 ] 

James Peach commented on MESOS-8306:


This approach depends on all the agents in a specific class registering with 
the same principal, right? That seems like a bad idea.

> Restrict which agents can statically reserve resources for which roles
> --
>
> Key: MESOS-8306
> URL: https://issues.apache.org/jira/browse/MESOS-8306
> Project: Mesos
>  Issue Type: Improvement
>Reporter: Yan Xu
>Assignee: Yan Xu
>
> In some use cases part of a Mesos cluster could be reserved for certain 
> frameworks/roles. A common approach is to use static reservation so the 
> resources of an agent are only offered to frameworks of the designated roles. 
> However without proper authorization any (compromised) agent can register 
> with these special roles and accept workload from these frameworks.
> We can enhance the {{RegisterAgent}} ACL to express: agent principal {{foo}} 
> is allowed to register with static reservation roles {{bar, baz}}; no other 
> principals are allowed to register with static reservation roles {{bar, baz}}.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (MESOS-8306) Restrict which agents can statically reserve resources for which roles

2017-12-11 Thread Yan Xu (JIRA) 

[ 
https://issues.apache.org/jira/browse/MESOS-8306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16286429#comment-16286429
 ] 

Yan Xu commented on MESOS-8306:
---

After investigating it I found that it makes more sense of reuse the 
{{ReserveResources}} ACL for static reservations in the process of authorizing 
the agent. This ACL clearer in its intention to authorize reservations and its 
implementation and semantics don't rule out static reservations. We can think 
of the agent as the subject that requests to the master to reserve resources. 
i.e., setting {{--resources}} flags on the agent doesn't make it final w.r.t 
static reservations until the master approves it.

Do you see any problems with this approach [~arojas] [~mcypark] 
[~jpe...@apache.org]

> Restrict which agents can statically reserve resources for which roles
> --
>
> Key: MESOS-8306
> URL: https://issues.apache.org/jira/browse/MESOS-8306
> Project: Mesos
>  Issue Type: Improvement
>Reporter: Yan Xu
>Assignee: Yan Xu
>
> In some use cases part of a Mesos cluster could be reserved for certain 
> frameworks/roles. A common approach is to use static reservation so the 
> resources of an agent are only offered to frameworks of the designated roles. 
> However without proper authorization any (compromised) agent can register 
> with these special roles and accept workload from these frameworks.
> We can enhance the {{RegisterAgent}} ACL to express: agent principal {{foo}} 
> is allowed to register with static reservation roles {{bar, baz}}; no other 
> principals are allowed to register with static reservation roles {{bar, baz}}.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (MESOS-8306) Restrict which agents can statically reserve resources for which roles

2017-12-11 Thread Yan Xu (JIRA) 

[ 
https://issues.apache.org/jira/browse/MESOS-8306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16286750#comment-16286750
 ] 

Yan Xu commented on MESOS-8306:
---

So in order to authorize the static reservations, the master would be 
configured to use the {{reserve_resources}} ACL against the agent's principal 
like this:

{code:title=}
"register_agents": [
{
  "principals": { "values": ["low-security-agent", "high-security-agent"] },
  "agents": { "type": "ANY" }
},
{
  "principals": { "type": "ANY" },
  "agents": { "type": "NONE" }
}
  ],
  "reserve_resources": [
{
  "principals": { "values": ["high-security-agent"] },
  "roles": { "type": "high-security-role" }
},
{
  "principals": { "type": "NONE" },
  "roles": { "type": "high-security-role" }
}
  ]
{code}

As part of agent registration, both of the two ACLs are going to be checked.

If a {{low-security-agent}} principal is comprised, it cannot reserve resources 
of the {{high-security-role}} role.

> Restrict which agents can statically reserve resources for which roles
> --
>
> Key: MESOS-8306
> URL: https://issues.apache.org/jira/browse/MESOS-8306
> Project: Mesos
>  Issue Type: Improvement
>Reporter: Yan Xu
>Assignee: Yan Xu
>
> In some use cases part of a Mesos cluster could be reserved for certain 
> frameworks/roles. A common approach is to use static reservation so the 
> resources of an agent are only offered to frameworks of the designated roles. 
> However without proper authorization any (compromised) agent can register 
> with these special roles and accept workload from these frameworks.
> We can enhance the {{RegisterAgent}} ACL to express: agent principal {{foo}} 
> is allowed to register with static reservation roles {{bar, baz}}; no other 
> principals are allowed to register with static reservation roles {{bar, baz}}.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Commented] (MESOS-8306) Restrict which agents can statically reserve resources for which roles

2017-12-11 Thread James Peach (JIRA) 

[ 
https://issues.apache.org/jira/browse/MESOS-8306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16286509#comment-16286509
 ] 

James Peach commented on MESOS-8306:


That generally sounds reasonable to me. I expect you want to mirror this into 
{{UnreserveResources}} for consistency. Think about how this could be extended, 
e.g. reserve only {{disk}} or {{cpu}} resources.

> Restrict which agents can statically reserve resources for which roles
> --
>
> Key: MESOS-8306
> URL: https://issues.apache.org/jira/browse/MESOS-8306
> Project: Mesos
>  Issue Type: Improvement
>Reporter: Yan Xu
>Assignee: Yan Xu
>
> In some use cases part of a Mesos cluster could be reserved for certain 
> frameworks/roles. A common approach is to use static reservation so the 
> resources of an agent are only offered to frameworks of the designated roles. 
> However without proper authorization any (compromised) agent can register 
> with these special roles and accept workload from these frameworks.
> We can enhance the {{RegisterAgent}} ACL to express: agent principal {{foo}} 
> is allowed to register with static reservation roles {{bar, baz}}; no other 
> principals are allowed to register with static reservation roles {{bar, baz}}.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)