My vote is +1 for implicit roles for simplicity. Also, it is true that
a blocker
right now is that we currently cannot add roles on the fly. This makes
features like quota and dynamic reservations a challenge to make use of.
I'm not sure why we need dynamic roles when we would have dynamic ACL's fo
My vote is +1 for implicit roles for simplicity. Also, it is true that
a blocker
right now is that we currently cannot add roles on the fly. This makes
features like quota and dynamic reservations a challenge to make use of.
I'm not sure why we need dynamic roles when we would have dynamic ACL's fo
I'm reluctant to introduce multiple role management mechanisms because of
mainly two reasons: avoid spreading our efforts and avoid confusion for
operators (legacy roles, implicit roles, dynamic roles).
Another thing is that after talking to some folks, I realized that the
blocker right now is tha
Thanks for the discussion so far. Rereading it has helped me understand the
relationship/overlap between these two proposals. Here are my thoughts.
TL;DR: Let's do both! Not specifying --roles (or ACLs) should mean that any
role can register. Let's also improve the /roles endpoint to
update/remove
Some design analyse between Implicit Roles and Dynamic Roles:
For Implicit Roles:
1. Does not need a specified endpoint for role management, but more
endpoints should be provided to manage role's related object, such as the
dynamic management for Weight, Grace Period (which is involved by
Optimist
@Neil, My concern is that Implicit Roles and ACLs are independent
functions, ACLs is focus on the access control rather than prevent a
invalid role. For example, if the principal is incorrect, then
the authorization will also failed when register framework. In addition, as
you mean, Implicit roles
Honestly, I don't think those two features are conflict, so I re-raise this
into dev@list.
And regarding the n possibility/RoleManager plugin, there's also a user
case that customer would like to load security info from 3rd part
application as role info, e.g. LDAP, and framework can not modify the
Hi Klaus,
Thanks for your feedback.
On Mon, Nov 30, 2015 at 10:01 PM, Klaus Ma wrote:
> @Neil, just want to confirm about ACL, do you mean we will load role info
> from 3rd part application, e.g. LDAP?
I mean ACLs as in the authorization subsystem in Mesos:
https://mesos.apache.org/documentatio
On Mon, Nov 30, 2015 at 6:53 PM, YongQiao Wang wrote:
>> 1. Choosing a role name
>> 2. Configuring weights, ACLs, and quotas for the role.
>> 3. Configuring applications/frameworks to register using that role.
>
> [Yong Qiao] If applications/frameworks do not follow your rules, and
> register with
s have a further discussion to choose a better solution
> between
> > them, any comments and feedbacks would be very welcome!
> >
> > - Original message -
> > From: Yong Qiao Wang/China/IBM
> > To: n...@mesosphere.io
> > Cc: a...@mesosphere.io, b...@me
would be very welcome!
>
> - Original message -
> From: Yong Qiao Wang/China/IBM
> To: n...@mesosphere.io
> Cc: a...@mesosphere.io, b...@mesosphere.io, Qian AZ Zhang/China/IBM@IBMCN,
> yongf...@ca.ibm.com, jamesyongq...@gmail.com
> Subject: Re: Dynamic vs. implicit ro
be very welcome!
- Original message -
From: Yong Qiao Wang/China/IBM
To: n...@mesosphere.io
Cc: a...@mesosphere.io, b...@mesosphere.io, Qian AZ Zhang/China/IBM@IBMCN,
yongf...@ca.ibm.com, jamesyongq...@gmail.com
Subject: Re: Dynamic vs. implicit roles
Date: Tue, Dec 1, 2015 10:27 AM
Thanks Neil.
12 matches
Mail list logo