mesos-commits mailing list archives

From ji...@apache.org
Subject [4/4] mesos git commit: Added documentation for RESERVE, UNRESERVE, CREATE, and DESTROY authorization.
Date Sat, 19 Dec 2015 01:16:41 GMT
Added documentation for RESERVE, UNRESERVE, CREATE, and DESTROY
authorization.

Review: https://reviews.apache.org/r/40271/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/08b5b10d
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/08b5b10d
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/08b5b10d

Branch: refs/heads/master
Commit: 08b5b10d8f5dffe479331ae51b533e8924c4c090
Parents: ac4a568
Author: Greg Mann <greg@mesosphere.io>
Authored: Fri Dec 18 17:08:22 2015 -0800
Committer: Jie Yu <yujie.jay@gmail.com>
Committed: Fri Dec 18 17:08:22 2015 -0800

----------------------------------------------------------------------
 docs/authorization.md     | 14 ++++++++++++--
 docs/persistent-volume.md |  6 ++++--
 docs/reservation.md       | 10 ++++++----
 3 files changed, 22 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/08b5b10d/docs/authorization.md
----------------------------------------------------------------------
diff --git a/docs/authorization.md b/docs/authorization.md
index 0b108bf..9009228 100644
--- a/docs/authorization.md
+++ b/docs/authorization.md
@@ -10,6 +10,8 @@ Authorization currently allows
  2. Frameworks to launch tasks/executors as authorized _users_.
  3. Authorized _principals_ to shutdown frameworks through the "/teardown" HTTP endpoint.
  4. Authorized _principals_ to set quotas through the "/quota" HTTP endpoint.
+ 5. Authorized _principals_ to reserve and unreserve resources through the "/reserve" and
"/unreserve" HTTP endpoints, as well as with the `RESERVE` and `UNRESERVE` offer operations.
+ 6. Authorized _principals_ to create and destroy persistent volumes through the `CREATE`
and `DESTROY` offer operations.
 
 
 ## ACLs
@@ -24,18 +26,26 @@ The currently supported `Actions` are:
 2. "run_tasks": Run tasks/executors
 3. "shutdown_frameworks": Shutdown frameworks
 4. "set_quotas": Set quotas
+5. "reserve_resources": Reserve resources
+6. "unreserve_resources": Unreserve resources
+7. "create_volumes": Create persistent volumes
+8. "destroy_volumes": Destroy persistent volumes
 
 The currently supported `Subjects` are:
 
 1. "principals"
-	- Framework principals (used by "register_frameworks" and "run_tasks" actions)
-	- Usernames (used by "shutdown_frameworks" and "set_quotas" actions)
+	- Framework principals (used by "register_frameworks", "run_tasks", "reserve", "unreserve",
"create_volumes", and "destroy_volumes" actions)
+	- Usernames (used by "shutdown_frameworks", "set_quotas", "reserve", "unreserve", "create_volumes",
and "destroy_volumes" actions)
 
 The currently supported `Objects` are:
 
 1. "roles": Resource [roles](roles.md) that framework can register with (used by "register_frameworks"
and "set_quotas" actions)
 2. "users": Unix user to launch the task/executor as (used by "run_tasks" actions)
 3. "framework_principals": Framework principals that can be shutdown by HTTP POST (used by
"shutdown_frameworks" actions).
+4. "resources": Resources that can be reserved. Currently the only types considered by the
default authorizer are `ANY` and `NONE` (used by "reserves" action).
+5. "reserver_principals": Framework principals whose reserved resources can be unreserved
(used by "unreserves" action).
+6. "volume_types": Types of volumes that can be created by a given principal. Currently the
only types considered by the default authorizer are `ANY` and `NONE` (used by "create_volumes"
action).
+7. "creator_principals": Principals whose persistent volumes can be destroyed (used by "destroy_volumes"
action).
 
 > NOTE: Both `Subjects` and `Objects` can be either an array of strings or one of the
special values `ANY` or `NONE`.
 
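Review bot: The action names in the added `Subjects` and `Objects` text do not match the `Actions` list added just above them. The list defines "reserve_resources" and "unreserve_resources", the `Subjects` bullets refer to "reserve" and "unreserve", and the `Objects` entries refer to the "reserves" and "unreserves" actions. Readers will copy these strings into their ACLs, so use the names from the `Actions` list in all three places. Also, "reserver_principals" is described as "Framework principals" although the `Subjects` list says usernames can perform these actions too; "creator_principals" already says just "Principals", and the same wording would fit both entries.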

http://git-wip-us.apache.org/repos/asf/mesos/blob/08b5b10d/docs/persistent-volume.md
----------------------------------------------------------------------
diff --git a/docs/persistent-volume.md b/docs/persistent-volume.md
index cf7a6bb..766e62a 100644
--- a/docs/persistent-volume.md
+++ b/docs/persistent-volume.md
@@ -27,8 +27,10 @@ regarding reservation mechanisms available in Mesos.
 
 Persistent volumes can be created by __operators__ and authorized
 __frameworks__. We require a `principal` from the operator or framework in order
-to authenticate/authorize the operations. [Authorization](authorization.md) is
-specified via the existing ACL mechanism. (___Coming Soon___)
+to authenticate/authorize the operations. Permissions are specified via the
+existing ACL mechanism. To use authorization with reserve/unreserve operations,
+the Mesos master must be configured with the desired ACLs. For more information,
+see the [authorization documentation](authorization.md).
 
 * `Offer::Operation::Create` and `Offer::Operation::Destroy` messages are
   available for __frameworks__ to send back via the `acceptOffers` API as a
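Review bot: The added sentence "To use authorization with reserve/unreserve operations," names the wrong operations for this file. This paragraph is about persistent volumes and the next bullet refers to `Offer::Operation::Create` and `Offer::Operation::Destroy`, so it should read "create/destroy operations". The text appears to be carried over from the matching paragraph in docs/reservation.md.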

http://git-wip-us.apache.org/repos/asf/mesos/blob/08b5b10d/docs/reservation.md
----------------------------------------------------------------------
diff --git a/docs/reservation.md b/docs/reservation.md
index de44766..a5dbc0a 100644
--- a/docs/reservation.md
+++ b/docs/reservation.md
@@ -39,15 +39,17 @@ __NOTE:__ This feature is supported for backwards compatibility.
 
 ## Dynamic Reservation (since 0.23.0)
 
-As mentioned in [Static Reservation](#static-reservation-since-0140), specifying the
-reserved resources via the `--resources` flag makes the reservation static.
+As mentioned in [Static Reservation](#static-reservation-since-0140), specifying
+the reserved resources via the `--resources` flag makes the reservation static.
 This is, statically reserved resources cannot be reserved for another role nor
 be unreserved. Dynamic Reservation enables operators and authorized frameworks
 to reserve and unreserve resources post slave-startup.
 
 We require a `principal` from the operator or framework in order to
-authenticate/authorize the operations. [Authorization](authorization.md) is
-specified via the existing ACL mechanism. (_Coming Soon_)
+authenticate/authorize the operations. Permissions are specified via the
+existing ACL mechanism. To use authorization with reserve/unreserve operations,
+the Mesos master must be configured with the desired ACLs. For more information,
+see the [authorization documentation](authorization.md).
 
 * `Offer::Operation::Reserve` and `Offer::Operation::Unreserve` messages are
   available for __frameworks__ to send back via the `acceptOffers` API as a
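Review bot: The new paragraph says the master "must be configured with the desired ACLs" but does not say how reserve/unreserve requests are treated when no ACLs are configured; state that here or link to the specific part of authorization.md that covers it. Separately, the first two changed lines only re-wrap the same sentence, which adds noise to the diff. If that paragraph is being touched anyway, the context line "This is, statically reserved resources" should read "That is, ...".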

