Hi John, I believe what you're attempting to do should be supported. Try reserving the resources with "principal = prod" and "role = dev". That will mean that the dev role will be allowed to use the resources, but only principals that are allowed to unreserve prod's resources (as configured by the ACLs) will be allowed to unreserve them. So in a typical configuration, your admin role (prod) will be able to reserve resources for your user role (dev), but dev won't be able to reserve resources for themselves.
Let me know if that makes sense. I opened a ticket to improve the documentation in this area [1].

Best,
Neil

[1] https://issues.apache.org/jira/browse/MESOS-4452

On Thu, Jan 21, 2016 at 8:30 AM, John Omernik <[email protected]> wrote:
> Hey all, I am trying to come up with a process that I can say "I am running
> as "prod" principal, I connect to the reserve endpoint, and I make a request
> for X CPU, Y Mem, for the "dev" role and usable by the "dev" principal.
>
> I feel like that I should be able to reserve that out, i.e. as a prod
> principal in Mesos, I should be able to say ok. I am setting aside x
> resources for role dev, principal dev.
>
> However, I get an error that says "Invalid RESERVE operation: The reserved
> resource's principal 'devprin' does not match the principal 'prodprin'" (I am
> making the request and basic authing as prod).
>
> What it comes down to, is I understand the message, that the principals
> don't match, but I actually want it set up so that dev can't reserve
> resources. Only prod can, and prod can reserve it FOR dev to use, and once
> the resources are allocated to dev, they can then use them and control them.
> But they shouldn't be able to reserve them. Does that make sense?
>
> Thoughts or questions?
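
The reservation Neil describes, as an added example that is not part of the original thread and is not Mesos code: it builds the reserve request body with role `dev` and the requester's own principal, and models the principal-match check that produced John's error. The function names, the `<agent-id>` placeholder and the `UNRESERVE_ACL` table are assumptions; the table is a simplified stand-in for the master's ACLs, not Mesos ACL syntax.

```python
import json

# Constructed sample values: the agent ID is a placeholder; principals and
# role are the ones named in the thread.
AGENT_ID = "<agent-id>"
# Simplified model (assumption, not Mesos ACL syntax): which requester may
# release reservations made by which reserver principals.
UNRESERVE_ACL = {"prodprin": {"prodprin"}}

def reserved_resource(name, value, role, principal):
    """One scalar resource in the JSON shape the reserve endpoint accepts."""
    return {"name": name, "type": "SCALAR", "scalar": {"value": value},
            "role": role, "reservation": {"principal": principal}}

def reserve_form(agent_id, resources):
    """Form fields for POST /master/reserve (sent with prod's basic auth)."""
    return {"slaveId": agent_id, "resources": json.dumps(resources)}

def check_reserve(auth_principal, resources):
    """Model of the check behind John's error: each reservation's principal
    must equal the principal that authenticated the request."""
    for res in resources:
        labelled = res["reservation"]["principal"]
        if labelled != auth_principal:
            return ("Invalid RESERVE operation: The reserved resource's "
                    f"principal '{labelled}' does not match the principal "
                    f"'{auth_principal}'")
    return None

def may_unreserve(requester, resource, acl=UNRESERVE_ACL):
    """True if the ACL lets `requester` release this reserver's resources."""
    return resource["reservation"]["principal"] in acl.get(requester, set())

# John's attempt: authenticated as prodprin, reservation labelled devprin.
rejected = [reserved_resource("cpus", 4, "dev", "devprin")]
# Neil's suggestion: role stays dev, reservation principal is the requester.
accepted = [reserved_resource("cpus", 4, "dev", "prodprin"),
            reserved_resource("mem", 2048, "dev", "prodprin")]

if __name__ == "__main__":
    print(check_reserve("prodprin", rejected))
    print(check_reserve("prodprin", accepted))  # None: passes the check
    print(reserve_form(AGENT_ID, accepted))
    print(may_unreserve("devprin", accepted[0]))   # dev cannot release it
    print(may_unreserve("prodprin", accepted[0]))  # prod can
```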

