[jira] [Updated] (MESOS-3065) Add framework authorization for persistent volume

2015-12-15 Thread Greg Mann (JIRA)

 [ 
https://issues.apache.org/jira/browse/MESOS-3065?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Greg Mann updated MESOS-3065:
-
Description: 
This is the third in a series of tickets that adds authorization support to 
persistent volumes.

When a framework creates a persistent volume, "create" ACLs are checked to see 
if the framework (FrameworkInfo.principal) or the operator (Credential.user) is 
authorized to create persistent volumes. If not authorized, the create 
operation is rejected.

When a framework destroys a persistent volume, "destroy" ACLs are checked to 
see if the framework (FrameworkInfo.principal) or the operator 
(Credential.user) is authorized to destroy the persistent volume created by a 
framework or operator (Resource.DiskInfo.principal). If not authorized, the 
destroy operation is rejected.

A separate ticket will use the structures created here to enable authorization 
of the "/create" and "/destroy" HTTP endpoints: 
https://issues.apache.org/jira/browse/MESOS-3903

  was:
Persistent volume should be authorized with the {{principal}} of the reserving 
entity (framework or master). The idea is to introduce {{Create}} and 
{{Destroy}} into the ACL.

{code}
  message Create {
    // Subjects.
    required Entity principals = 1;

    // Objects? Perhaps the kind of volume? allowed permissions?
  }

  message Destroy {
    // Subjects.
    required Entity principals = 1;

    // Objects.
    required Entity creator_principals = 2;
  }
{code}

When a framework creates a persistent volume, "create" ACLs are checked to see 
if the framework (FrameworkInfo.principal) or the operator (Credential.user) is 
authorized to create persistent volumes. If not authorized, the create 
operation is rejected.

When a framework destroys a persistent volume, "destroy" ACLs are checked to 
see if the framework (FrameworkInfo.principal) or the operator 
(Credential.user) is authorized to destroy the persistent volume created by a 
framework or operator (Resource.DiskInfo.principal). If not authorized, the 
destroy operation is rejected.

A separate ticket will use the structures created here to enable authorization 
of the "/create" and "/destroy" HTTP endpoints: 
https://issues.apache.org/jira/browse/MESOS-3903


> Add framework authorization for persistent volume
> -
>
> Key: MESOS-3065
> URL: https://issues.apache.org/jira/browse/MESOS-3065
> Project: Mesos
> Issue Type: Task
> Reporter: Michael Park
> Assignee: Greg Mann
> Labels: mesosphere, persistent-volumes
>
> This is the third in a series of tickets that adds authorization support to 
> persistent volumes.
> When a framework creates a persistent volume, "create" ACLs are checked to 
> see if the framework (FrameworkInfo.principal) or the operator 
> (Credential.user) is authorized to create persistent volumes. If not 
> authorized, the create operation is rejected.
> When a framework destroys a persistent volume, "destroy" ACLs are checked to 
> see if the framework (FrameworkInfo.principal) or the operator 
> (Credential.user) is authorized to destroy the persistent volume created by a 
> framework or operator (Resource.DiskInfo.principal). If not authorized, the 
> destroy operation is rejected.
> A separate ticket will use the structures created here to enable 
> authorization of the "/create" and "/destroy" HTTP endpoints: 
> https://issues.apache.org/jira/browse/MESOS-3903



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
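
The create and destroy checks described in this ticket, modelled as an added C++ example (not Mesos code and not written by the ticket's authors). The ANY/NONE/SOME form of `Entity`, first-match evaluation, default deny, the empty-string convention for a missing principal, and the sample principals are all assumptions of the sketch.

```cpp
// Added sketch, not Mesos code. Assumed: Entity is ANY/NONE/SOME, the first
// matching rule decides, no match means reject, "" means "no principal".
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>
struct Entity {
  enum Type { SOME, ANY, NONE } type;
  std::vector<std::string> values;  // consulted only when type == SOME
  bool matches(const std::string& p) const {
    if (type == ANY) return true;
    if (type == NONE || p.empty()) return false;
    return std::find(values.begin(), values.end(), p) != values.end();
  }
};
struct Create { Entity principals; };                              // subjects
struct Destroy { Entity principals; Entity creator_principals; };  // subjects, objects

// requester: FrameworkInfo.principal or Credential.user.
bool authorizeCreate(const std::vector<Create>& acls, const std::string& requester) {
  for (const Create& acl : acls)
    if (acl.principals.matches(requester)) return true;
  return false;  // nothing grants this principal: reject the create
}

// creator: Resource.DiskInfo.principal recorded on the volume.
bool authorizeDestroy(const std::vector<Destroy>& acls, const std::string& requester,
                      const std::string& creator) {
  for (const Destroy& acl : acls)
    if (acl.principals.matches(requester))
      return acl.creator_principals.matches(creator);  // first subject match decides
  return false;  // nothing names this principal: reject the destroy
}

// Constructed sample policy.
std::vector<Create> sampleCreateAcls() {
  Entity allowed = {Entity::SOME, {"framework-a", "ops"}};
  return {Create{allowed}};
}
std::vector<Destroy> sampleDestroyAcls() {
  Entity fwA = {Entity::SOME, {"framework-a"}};
  Entity ops = {Entity::SOME, {"ops"}};
  Entity any = {Entity::ANY, {}};
  return {Destroy{fwA, fwA}, Destroy{ops, any}};  // ops may destroy any volume
}

int main() {
  std::cout << authorizeDestroy(sampleDestroyAcls(), "framework-a", "framework-b") << "\n";
}
```

The destroy decision depends on the principal stored with the volume, so under these assumptions a volume with no recorded creator can only be destroyed through a rule whose `creator_principals` is ANY.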


[jira] [Updated] (MESOS-3065) Add framework authorization for persistent volume

2015-11-23 Thread Marco Massenzio (JIRA)

 [ 
https://issues.apache.org/jira/browse/MESOS-3065?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Marco Massenzio updated MESOS-3065:
---
Sprint: Mesosphere Sprint 16, Mesosphere Sprint 22, Mesosphere Sprint 23  
(was: Mesosphere Sprint 16, Mesosphere Sprint 22)

> Add framework authorization for persistent volume
> -
>
> Key: MESOS-3065
> URL: https://issues.apache.org/jira/browse/MESOS-3065
> Project: Mesos
> Issue Type: Task
> Reporter: Michael Park
> Assignee: Greg Mann
> Labels: mesosphere, persistent-volumes
>
> Persistent volume should be authorized with the {{principal}} of the 
> reserving entity (framework or master). The idea is to introduce {{Create}} 
> and {{Destroy}} into the ACL.
> {code}
>   message Create {
>     // Subjects.
>     required Entity principals = 1;
>     // Objects? Perhaps the kind of volume? allowed permissions?
>   }
>   message Destroy {
>     // Subjects.
>     required Entity principals = 1;
>     // Objects.
>     required Entity creator_principals = 2;
>   }
> {code}
> When a framework creates a persistent volume, "create" ACLs are checked to 
> see if the framework (FrameworkInfo.principal) or the operator 
> (Credential.user) is authorized to create persistent volumes. If not 
> authorized, the create operation is rejected.
> When a framework destroys a persistent volume, "destroy" ACLs are checked to 
> see if the framework (FrameworkInfo.principal) or the operator 
> (Credential.user) is authorized to destroy the persistent volume created by a 
> framework or operator (Resource.DiskInfo.principal). If not authorized, the 
> destroy operation is rejected.
> A separate ticket will use the structures created here to enable 
> authorization of the "/create" and "/destroy" HTTP endpoints: 
> https://issues.apache.org/jira/browse/MESOS-3903





[jira] [Updated] (MESOS-3065) Add framework authorization for persistent volume

2015-11-23 Thread Marco Massenzio (JIRA)

 [ 
https://issues.apache.org/jira/browse/MESOS-3065?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Marco Massenzio updated MESOS-3065:
---
Sprint: Mesosphere Sprint 16, Mesosphere Sprint 22  (was: Mesosphere Sprint 
16, Mesosphere Sprint 22, Mesosphere Sprint 23)

> Add framework authorization for persistent volume
> -
>
> Key: MESOS-3065
> URL: https://issues.apache.org/jira/browse/MESOS-3065
> Project: Mesos
> Issue Type: Task
> Reporter: Michael Park
> Assignee: Greg Mann
> Labels: mesosphere, persistent-volumes
>
> Persistent volume should be authorized with the {{principal}} of the 
> reserving entity (framework or master). The idea is to introduce {{Create}} 
> and {{Destroy}} into the ACL.
> {code}
>   message Create {
>     // Subjects.
>     required Entity principals = 1;
>     // Objects? Perhaps the kind of volume? allowed permissions?
>   }
>   message Destroy {
>     // Subjects.
>     required Entity principals = 1;
>     // Objects.
>     required Entity creator_principals = 2;
>   }
> {code}
> When a framework creates a persistent volume, "create" ACLs are checked to 
> see if the framework (FrameworkInfo.principal) or the operator 
> (Credential.user) is authorized to create persistent volumes. If not 
> authorized, the create operation is rejected.
> When a framework destroys a persistent volume, "destroy" ACLs are checked to 
> see if the framework (FrameworkInfo.principal) or the operator 
> (Credential.user) is authorized to destroy the persistent volume created by a 
> framework or operator (Resource.DiskInfo.principal). If not authorized, the 
> destroy operation is rejected.
> A separate ticket will use the structures created here to enable 
> authorization of the "/create" and "/destroy" HTTP endpoints: 
> https://issues.apache.org/jira/browse/MESOS-3903





[jira] [Updated] (MESOS-3065) Add framework authorization for persistent volume

2015-11-11 Thread Greg Mann (JIRA)

 [ 
https://issues.apache.org/jira/browse/MESOS-3065?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Greg Mann updated MESOS-3065:
-
Description: 
Persistent volume should be authorized with the {{principal}} of the reserving 
entity (framework or master). The idea is to introduce {{Create}} and 
{{Destroy}} into the ACL.

{code}
  message Create {
    // Subjects.
    required Entity principals = 1;

    // Objects? Perhaps the kind of volume? allowed permissions?
  }

  message Destroy {
    // Subjects.
    required Entity principals = 1;

    // Objects.
    required Entity creator_principals = 2;
  }
{code}

When a framework creates a persistent volume, "create" ACLs are checked to see 
if the framework (FrameworkInfo.principal) or the operator (Credential.user) is 
authorized to create persistent volumes. If not authorized, the create 
operation is rejected.

When a framework destroys a persistent volume, "destroy" ACLs are checked to 
see if the framework (FrameworkInfo.principal) or the operator 
(Credential.user) is authorized to destroy the persistent volume created by a 
framework or operator (Resource.DiskInfo.principal). If not authorized, the 
destroy operation is rejected.

A separate ticket will use the structures created here to enable authorization 
of the "/create" and "/destroy" HTTP endpoints: 
https://issues.apache.org/jira/browse/MESOS-3903

  was:
Persistent volume should be authorized with the {{principal}} of the reserving 
entity (framework or master). The idea is to introduce {{Create}} and 
{{Destroy}} into the ACL.

{code}
  message Create {
    // Subjects.
    required Entity principals = 1;

    // Objects? Perhaps the kind of volume? allowed permissions?
  }

  message Destroy {
    // Subjects.
    required Entity principals = 1;

    // Objects.
    required Entity creator_principals = 2;
  }
{code}

When a framework/operator creates a persistent volume, "create" ACLs are 
checked to see if the framework (FrameworkInfo.principal) or the operator 
(Credential.user) is authorized to create persistent volumes. If not 
authorized, the create operation is rejected.

When a framework/operator destroys a persistent volume, "destroy" ACLs are 
checked to see if the framework (FrameworkInfo.principal) or the operator 
(Credential.user) is authorized to destroy the persistent volume created by a 
framework or operator (Resource.DiskInfo.principal). If not authorized, the 
destroy operation is rejected.


> Add framework authorization for persistent volume
> -
>
> Key: MESOS-3065
> URL: https://issues.apache.org/jira/browse/MESOS-3065
> Project: Mesos
> Issue Type: Task
> Reporter: Michael Park
> Assignee: Greg Mann
> Labels: mesosphere, persistent-volumes
>
> Persistent volume should be authorized with the {{principal}} of the 
> reserving entity (framework or master). The idea is to introduce {{Create}} 
> and {{Destroy}} into the ACL.
> {code}
>   message Create {
>     // Subjects.
>     required Entity principals = 1;
>     // Objects? Perhaps the kind of volume? allowed permissions?
>   }
>   message Destroy {
>     // Subjects.
>     required Entity principals = 1;
>     // Objects.
>     required Entity creator_principals = 2;
>   }
> {code}
> When a framework creates a persistent volume, "create" ACLs are checked to 
> see if the framework (FrameworkInfo.principal) or the operator 
> (Credential.user) is authorized to create persistent volumes. If not 
> authorized, the create operation is rejected.
> When a framework destroys a persistent volume, "destroy" ACLs are checked to 
> see if the framework (FrameworkInfo.principal) or the operator 
> (Credential.user) is authorized to destroy the persistent volume created by a 
> framework or operator (Resource.DiskInfo.principal). If not authorized, the 
> destroy operation is rejected.
> A separate ticket will use the structures created here to enable 
> authorization of the "/create" and "/destroy" HTTP endpoints: 
> https://issues.apache.org/jira/browse/MESOS-3903


