In crafting my ACLs, I found that I would like to have a situation where
groups were used instead of just users... i.e. if I have a certain framework,
perhaps a dev instance of Marathon, I want folks in the dev group to all be
able to run frameworks as themselves.  Right now, I have a principal that
can run in any role and with any user, prn_prodcontrol. That works for me.
Then I have a principal that is my devcontrol.  So I register dev Marathon
with that, and now anyone who has my credentials for the dev Marathon can
submit Marathon jobs, which is cool; however, they can only do it as
unixdevuser, which is my unix user on every box... that's cool too. Also,
the marathondev framework can only operate in the dev role.


{
 "register_frameworks": [
  { "principals": { "values": ["prn_prodcontrol"] }, "roles": { "type": "ANY" } },
  { "principals": { "values": ["prn_devcontrol"] }, "roles": { "values": ["dev"] } }
 ],
 "run_tasks": [
  { "principals": { "values": ["prn_prodcontrol"] }, "users": { "type": "ANY" } },
  { "principals": { "values": ["prn_devcontrol"] }, "users": { "values": ["unixdevuser"] } }
 ]
}


What would be ideal is if I have a group marathondevgrp (unix group on all
nodes) and then I register the marathondev framework with principal
prn_devcontrol, having an ACL that stated...


{
 "register_frameworks": [
  { "principals": { "values": ["prn_prodcontrol"] }, "roles": { "type": "ANY" } },
  { "principals": { "values": ["prn_devcontrol"] }, "roles": { "values": ["dev"] } }
 ],
 "run_tasks": [
  { "principals": { "values": ["prn_prodcontrol"] }, "users": { "type": "ANY" } },
  { "principals": { "values": ["prn_devcontrol"] }, "users": { "values": ["marathondevgrp"] } }
 ]
}

That it would allow a task to run in the devmarathon as any unix user in
that group. This would allow me to have dev users run frameworks as
themselves (for data access control on my shared filesystem) and still have
the freedom to submit to marathon (dev).


So do ACLs support groups? Is this something that would be difficult to
add?  Thoughts about other approaches to achieve similar results?

Thanks!

John
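One way to get the effect asked for above without group support in the ACL itself, as an added example that is not part of the original post or of Mesos: expand the unix group into an explicit `users` list at ACL-generation time, so the `run_tasks` entry for prn_devcontrol names every member of marathondevgrp. The /etc/group and /etc/passwd fragments below are constructed inline for illustration (the script does not read the host's files), and the principal, role and group names are taken from the post.

```python
"""Expand a unix group into an explicit Mesos ``run_tasks`` ACL entry.

The ACL entity matches on unix user names, so the workaround shown here
is to enumerate the group's members and emit them as the ``users`` list.
Both inputs below are constructed samples, not read from the host.
"""
import json

# Constructed /etc/group fragment (name:password:gid:member,member,...).
SAMPLE_GROUP_FILE = """\
root:x:0:
marathondevgrp:x:1500:alice,bob,carol
ops:x:1501:dave
"""

# Constructed /etc/passwd fragment. Users whose *primary* group is the
# target group appear only here (gid field), not in /etc/group's list.
SAMPLE_PASSWD_FILE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:2001:1500::/home/alice:/bin/bash
erin:x:2002:1500::/home/erin:/bin/bash
dave:x:2003:1501::/home/dave:/bin/bash
"""


def group_members(group_name, group_file, passwd_file):
    """Return the sorted list of unix users in group_name.

    Covers supplementary membership (member list in the group file) and
    primary membership (matching gid in the passwd file).
    """
    gid = None
    members = set()
    for line in group_file.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid_str, member_list = line.split(":", 3)
        if name == group_name:
            gid = gid_str
            members.update(m for m in member_list.split(",") if m)
    if gid is None:
        raise KeyError("group %r not found" % group_name)
    for line in passwd_file.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[3] == gid:
            members.add(fields[0])
    return sorted(members)


def build_acls(dev_principal, dev_role, dev_users, prod_principal="prn_prodcontrol"):
    """ACL document in the shape used in the post: the prod principal is
    unrestricted, the dev principal is limited to dev_role and to running
    tasks as one of the explicitly listed dev_users."""
    return {
        "register_frameworks": [
            {"principals": {"values": [prod_principal]}, "roles": {"type": "ANY"}},
            {"principals": {"values": [dev_principal]}, "roles": {"values": [dev_role]}},
        ],
        "run_tasks": [
            {"principals": {"values": [prod_principal]}, "users": {"type": "ANY"}},
            {"principals": {"values": [dev_principal]}, "users": {"values": list(dev_users)}},
        ],
    }


def acls_for_group(group_name, group_file=SAMPLE_GROUP_FILE, passwd_file=SAMPLE_PASSWD_FILE):
    """Resolve group_name to its members and build the ACL document."""
    users = group_members(group_name, group_file, passwd_file)
    return build_acls("prn_devcontrol", "dev", users)


def acls_json(group_name):
    """Serialized ACL document, ready to hand to the master's --acls flag."""
    return json.dumps(acls_for_group(group_name), indent=1)


if __name__ == "__main__":
    print(acls_json("marathondevgrp"))
```

The generated list is only as current as the last run, so in practice this would be regenerated (and the master restarted with the new ACLs) whenever group membership changes; a member added to the unix group is not authorized until that happens.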
