Hi Charles,
> > We've been contemplating using Mesos at the company I work for.
> > Basically we would be writing our own framework, and various users
> > would submit jobs to it.
> >
> > However a remaining problem for us is the security model: anyone who
> > is allowed to connect to the Mesos cluster can start tasks as any user
> > - by setting the "user" in the CommandInfo. Which means that the whole
> > framework code would basically have to be trusted, which would be
> > problematic for various reasons.
> >
> > Is there no better way to ensure that a task is actually executed by
> > the submitting user?
>
> I don't completely follow your threat model. Are you concerned that a
> malicious user can connect to Mesos as a framework and launch tasks?
>
> You can restrict which principal can connect to Mesos as a framework using
> the `register_frameworks` ACL and the built-in authorizer. See the
> authorization documentation here
> <http://mesos.apache.org/documentation/latest/authorization/>. There's also
> a `run_tasks` ACL that you could leverage to restrict which OS users a
> framework can run tasks as.
>
> To authenticate a given principal you could use the built-in authenticator.
>
> If the built-in authenticator/authorizer turn out to be too basic for your
> use case, I would recommend writing your own authorizer/authenticator module
> to plug in to your company's security infrastructure.
>
> HTH,
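
To make the `register_frameworks` / `run_tasks` suggestion above concrete, here is an added example (editor's code, not Mesos code and not from either poster). It embeds a constructed ACL document in the JSON shape the Mesos master reads from `--acls`, alongside the weak variant the original question is worried about (no `run_tasks` rules, `permissive` left at its default), and evaluates both with a small model of the built-in authorizer's first-matching-rule semantics. The principal `jobrunner`, the OS users `alice` and `bob`, and the evaluation model itself are assumptions to be checked against the authorization docs for the Mesos version in use.

```python
"""Mesos-style ACL evaluation for register_frameworks and run_tasks.

Editor's added example, not Mesos code. The ACL document mirrors the JSON
format the Mesos master reads from --acls; the evaluation below is the
editor's model of the built-in (local) authorizer's first-matching-rule
semantics and should be checked against the authorization docs for the
Mesos version in use (assumption).
"""
import json

# Constructed sample ACL file (assumption: principal "jobrunner" is the
# company's framework; "alice" and "bob" are the only OS users it may run as).
ACLS_JSON = """
{
  "permissive": false,
  "register_frameworks": [
    {"principals": {"values": ["jobrunner"]}, "roles": {"values": ["*"]}},
    {"principals": {"type": "ANY"}, "roles": {"type": "NONE"}}
  ],
  "run_tasks": [
    {"principals": {"values": ["jobrunner"]}, "users": {"values": ["alice", "bob"]}},
    {"principals": {"type": "ANY"}, "users": {"type": "NONE"}}
  ]
}
"""
ACLS = json.loads(ACLS_JSON)

# The weak setting the original poster worries about: no run_tasks ACL at all,
# and permissive left at its default of true, so unmatched requests are allowed.
PERMISSIVE_ACLS = {
    "permissive": True,
    "register_frameworks": [
        {"principals": {"values": ["jobrunner"]}, "roles": {"values": ["*"]}},
    ],
}


def _entity_type(entity):
    # An entity with only "values" is implicitly of type SOME.
    return entity.get("type", "SOME")


def _matches(requested, entity):
    """Does this rule apply to the request at all? ANY and NONE apply to
    everything; SOME applies when one of the requested values is listed."""
    kind = _entity_type(entity)
    if kind in ("ANY", "NONE"):
        return True
    return any(v in entity.get("values", []) for v in requested)


def _allows(requested, entity):
    """Given that the rule applies, does it permit the request? ANY permits,
    NONE denies, SOME permits only if every requested value is listed."""
    kind = _entity_type(entity)
    if kind == "ANY":
        return True
    if kind == "NONE":
        return False
    return all(v in entity.get("values", []) for v in requested)


def authorize(acls, action, subject_key, subject, object_key, obj):
    """First rule whose subject and object both match decides; if no rule
    matches, fall back to the document's permissive flag (default true)."""
    for rule in acls.get(action, []):
        if _matches([subject], rule[subject_key]) and _matches([obj], rule[object_key]):
            return _allows([subject], rule[subject_key]) and _allows([obj], rule[object_key])
    return bool(acls.get("permissive", True))


def can_register(acls, principal, role="*"):
    """May this authenticated principal register a framework in the role?"""
    return authorize(acls, "register_frameworks", "principals", principal, "roles", role)


def can_run_as(acls, principal, user):
    """May a framework authenticated as this principal launch a task as user?"""
    return authorize(acls, "run_tasks", "principals", principal, "users", user)


if __name__ == "__main__":
    for principal, user in [("jobrunner", "alice"), ("jobrunner", "root"), ("intruder", "alice")]:
        print(f"{principal} run_tasks as {user}: "
              f"strict={can_run_as(ACLS, principal, user)} "
              f"permissive={can_run_as(PERMISSIVE_ACLS, principal, user)}")
```

Under the strict document, `jobrunner` may run as `alice` but not as `root`, and an unlisted principal can neither register nor run anything; under the permissive document the same unlisted principal can run as `root`, which is exactly the exposure described in the question. Two caveats from the editor: the `run_tasks` check applies to the OS user the task asks for (the CommandInfo user, falling back to the FrameworkInfo user), and it binds the allowed users to the framework's principal, not to whoever submitted a job to that framework. A single shared framework registered as one principal can therefore still run as any user in its allowed set; enforcing "runs as the submitter" needs per-submitter principals or the custom authorizer module the reply suggests. The document is wired in on the master with `--acls=file:///path/acls.json`, and the principal is authenticated with `--credentials=file:///path/credentials.json` together with the authenticate flag for frameworks (`--authenticate` in older releases, `--authenticate_frameworks` in newer ones); confirm the flag names against your version.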

