Thanks for the discussion so far. Rereading it has helped me understand the
relationship/overlap between these two proposals. Here are my thoughts.
TL;DR: Let's do both! Not specifying --roles (or ACLs) should mean that any
role can register. Let's also improve the /roles endpoint to
I'm reluctant to introduce multiple role management mechanisms, mainly for
two reasons: to avoid spreading our efforts and to avoid confusion for
operators (legacy roles, implicit roles, dynamic roles).
Another thing is that after talking to some folks, I realized that the
blocker right now is
My vote is +1 for implicit roles for simplicity. Also, it is true that
a blocker right now is that we currently cannot add roles on the fly. This
makes features like quota and dynamic reservations a challenge to make use of.
I'm not sure why we need dynamic roles when we would have dynamic ACLs
Some design analysis between Implicit Roles and Dynamic Roles:
For Implicit Roles:
1. Does not need a specified endpoint for role management, but more
endpoints should be provided to manage role-related objects, such as the
dynamic management for Weight, Grace Period (which is involved by
@Neil, my concern is that Implicit Roles and ACLs are independent
functions; ACLs are focused on access control rather than preventing an
invalid role. For example, if the principal is incorrect, then
the authorization will also fail when registering a framework. In addition, as
you mean, Implicit roles
Hi All,
Currently, there are two proposals on how to improve role management in
Mesos:
(a) Dynamic roles (MESOS-3177): roles are stored in the registry
and queried/added/deleted/removed via HTTP endpoints. I posted a design doc
here:
On Mon, Nov 30, 2015 at 6:53 PM, YongQiao Wang wrote:
>> 1. Choosing a role name
>> 2. Configuring weights, ACLs, and quotas for the role.
>> 3. Configuring applications/frameworks to register using that role.
>
> [Yong Qiao] If applications/frameworks do not follow your