Re: Fw: Re: Dynamic vs. implicit roles

2015-12-04 Thread Adam Bordelon
Thanks for the discussion so far. Rereading it has helped me understand the relationship/overlap between these two proposals. Here are my thoughts. TL;DR: Let's do both! Not specifying --roles (or ACLs) should mean that any role can register. Let's also improve the /roles endpoint to

Re: Fw: Re: Dynamic vs. implicit roles

2015-12-04 Thread Alex Rukletsov
I'm reluctant to introduce multiple role management mechanisms because of mainly two reasons: avoid spreading our efforts and avoid confusion for operators (legacy roles, implicit roles, dynamic roles). Another thing is that after talking to some folks, I realized that the blocker right now is

Re: Fw: Re: Dynamic vs. implicit roles

2015-12-04 Thread Elizabeth Lingg
My vote is +1 for implicit roles for simplicity. Also, it is true that a blocker right now is that we currently cannot add roles on the fly. This makes features like quota and dynamic reservations a challenge to make use of. I'm not sure why we need dynamic roles when we would have dynamic ACL's

Re: Fw: Re: Dynamic vs. implicit roles

2015-12-01 Thread YongQiao Wang
Some design analyse between Implicit Roles and Dynamic Roles: For Implicit Roles: 1. Does not need a specified endpoint for role management, but more endpoints should be provided to manage role's related object, such as the dynamic management for Weight, Grace Period (which is involved by

Re: Fw: Re: Dynamic vs. implicit roles

2015-12-01 Thread YongQiao Wang
@Neil, My concern is that Implicit Roles and ACLs are independent functions, ACLs is focus on the access control rather than prevent a invalid role. For example, if the principal is incorrect, then the authorization will also failed when register framework. In addition, as you mean, Implicit roles

Fwd: Fw: Re: Dynamic vs. implicit roles

2015-11-30 Thread YongQiao Wang
Hi All, Currently, there are two proposals on how to improve role management in Mesos: (a) Dynamic roles (MESOS-3177): roles are stored in the registry and queried/added/deleted/removed via HTTP endpoints. I posted a design doc here:

Re: Fw: Re: Dynamic vs. implicit roles

2015-11-30 Thread Neil Conway
On Mon, Nov 30, 2015 at 6:53 PM, YongQiao Wang wrote: >> 1. Choosing a role name >> 2. Configuring weights, ACLs, and quotas for the role. >> 3. Configuring applications/frameworks to register using that role. > > [Yong Qiao] If applications/frameworks do not follow your