[jira] [Comment Edited] (MESOS-8306) Restrict which agents can statically reserve resources for which roles
[ https://issues.apache.org/jira/browse/MESOS-8306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16286857#comment-16286857 ] Yan Xu edited comment on MESOS-8306 at 12/12/17 12:35 AM: -- https://reviews.apache.org/r/64514 https://reviews.apache.org/r/64515 https://reviews.apache.org/r/64516 was (Author: xujyan): {noformat:title=} https://reviews.apache.org/r/64514 https://reviews.apache.org/r/64515 https://reviews.apache.org/r/64516 {noformat} > Restrict which agents can statically reserve resources for which roles > -- > > Key: MESOS-8306 > URL: https://issues.apache.org/jira/browse/MESOS-8306 > Project: Mesos > Issue Type: Improvement >Reporter: Yan Xu >Assignee: Yan Xu > > In some use cases part of a Mesos cluster could be reserved for certain > frameworks/roles. A common approach is to use static reservation so the > resources of an agent are only offered to frameworks of the designated roles. > However without proper authorization any (compromised) agent can register > with these special roles and accept workload from these frameworks. > We can enhance the {{RegisterAgent}} ACL to express: agent principal {{foo}} > is allowed to register with static reservation roles {{bar, baz}}; no other > principals are allowed to register with static reservation roles {{bar, baz}}. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Comment Edited] (MESOS-8306) Restrict which agents can statically reserve resources for which roles
[ https://issues.apache.org/jira/browse/MESOS-8306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16286509#comment-16286509 ] James Peach edited comment on MESOS-8306 at 12/11/17 9:26 PM: -- Can you be more specific about the proposal? I can't match your description up to the ACLs docs. was (Author: jamespeach): That generally sounds reasonable to me. I expect you want to mirror this into {{UnreserveResources}} for consistency. Think about how this could be extended, e.g. reserve only {{disk}} or {{cpu}} resources. > Restrict which agents can statically reserve resources for which roles > -- > > Key: MESOS-8306 > URL: https://issues.apache.org/jira/browse/MESOS-8306 > Project: Mesos > Issue Type: Improvement >Reporter: Yan Xu >Assignee: Yan Xu > > In some use cases part of a Mesos cluster could be reserved for certain > frameworks/roles. A common approach is to use static reservation so the > resources of an agent are only offered to frameworks of the designated roles. > However without proper authorization any (compromised) agent can register > with these special roles and accept workload from these frameworks. > We can enhance the {{RegisterAgent}} ACL to express: agent principal {{foo}} > is allowed to register with static reservation roles {{bar, baz}}; no other > principals are allowed to register with static reservation roles {{bar, baz}}. -- This message was sent by Atlassian JIRA (v6.4.14#64029)