incubator-mesos-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Matei Zaharia (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (MESOS-52) allow toggling switch_user on a per-framework basis
Date Fri, 28 Oct 2011 06:54:33 GMT

    [ https://issues.apache.org/jira/browse/MESOS-52?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13138127#comment-13138127
] 

Matei Zaharia commented on MESOS-52:
------------------------------------

Is the concern that some users will accidentally submit their framework as root? In that case
it does seem that a separate permissions system through a PKI is needed. Otherwise, I was
just saying that if root submits the "run as root" frameworks and switch_user is on, those
frameworks will still run as root (as far as I know).
                
> allow toggling switch_user on a per-framework basis
> ---------------------------------------------------
>
>                 Key: MESOS-52
>                 URL: https://issues.apache.org/jira/browse/MESOS-52
>             Project: Mesos
>          Issue Type: Improvement
>            Reporter: brian wickman
>            Priority: Minor
>
> It would be handy if you could effectively enforce switch_user on a per-framework basis
rather on a per-slave basis.
> For example, I can imagine running an entire cluster of slaves as root, which by default
runs executors as the users via switch_user, but then a class of trusted frameworks privileged
to run as root (e.g. operations frameworks, or ones that require LVM mounts and such, and
to whom we'd delegate the responsibility of setuiding.)
> You could have the master manage a set of secrets, and the frameworks would connect to
the master using a PKI protocol.  You could even go a step further and encrypt framework messages
for those privileged frameworks.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message