mesos-dev mailing list archives

From Alexander Rojas <alexan...@mesosphere.io>
Subject Re: Reusing `reserve_resources` ACL for static reservation
Date Fri, 15 Dec 2017 13:34:01 GMT
Hey Yan,

We were discussing this issue with James and I think this is not enough
to guarantee that an Agent won't be assigned resources (neither statically nor
dynamically) under a certain role. The problem here is that nothing
will prevent a principal from dynamically reserving resources later.

However, your approach does work if you want to treat static resources
as dynamic ones. It does require, however, that agents register using
different credentials (which I don't think is a bad idea).

What I was thinking now is to use only one authorization call, `RegisterAgent`,
so that it looks at the whole `slave_info` message (that will require modifications
in `mesos::ObjectApprover::Object`) and then checks the roles from the
`slave_info`.

Then for each reservation we would need to authorize not only the reservation
action, but also the roles themselves with the principal used for agent registration,
and compute a logical AND of the two results. There are indeed antecedents
for this solution.

What I don't think we can get around is agents using different principals
on registration, since we only authorize against principals and agent IDs are
dynamically generated.

@jpeach do you have any objections or ideas here?
@yan could you discuss this with @jpeach.

Finally @yan, you have been working without a shepherd and I really recommend
you get one in order to get this through. I could help here but I may lack some
of the context that James has. I guess it's up to you.

Best,


Alexander Rojas
alexander@mesosphere.io




> On 12. Dec 2017, at 20:31, Yan Xu <yan@jxu.me> wrote:
> 
> Hi,
> 
> In https://issues.apache.org/jira/browse/MESOS-8306 I am proposing that we
> use an ACL to restrict the roles that agents can statically reserve
> resources for, to address a security concern in which a process on a
> compromised host can impersonate an agent and then reserve
> resources for arbitrary roles.
> 
> Reusing the `reserve_resources` ACL for this purpose feels intuitive to me and
> I don't think it interferes with its use for authorizing dynamic
> reservations by the frameworks and operators.
> 
> Are there any concerns about it?
> 
> Also as part of this change I am revising the doc to change the wording on
> static reservations so its use is not discouraged:
> https://reviews.apache.org/r/64516/diff
> 
> Thanks,
> Yan
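The two proposals in this thread, Yan's reuse of the `reserve_resources` ACL for static reservations and Alexander's "register check AND per-role check" combination, can be illustrated with a small evaluator. The code below is an added example written for this archive page; it is not Mesos code and not the local authorizer's implementation. It assumes a simplified version of the Mesos ACL JSON shape (`permissive`, `register_agents`, `reserve_resources`, entities with `type` `ANY`/`NONE` or a `values` list) and a simplified match-then-allow rule: the first entry whose subject and object both match decides, otherwise `permissive` decides. The ACL document, principals and roles are constructed sample values.

```python
"""Simplified ACL evaluation for agent registration with static reservations.

Added example for the mesos-dev discussion above; NOT the Mesos local
authorizer. The ACL shape and the match/allow semantics are assumptions,
kept close to the documented JSON format but not a faithful reimplementation.
"""
import json

# Constructed sample ACL: only the principal "agent-rack1" may register an
# agent, and it may only reserve resources for the "batch" role. The trailing
# catch-all entries deny everything else explicitly; permissive=false covers
# anything that no entry matches.
ACL_JSON = """
{
  "permissive": false,
  "register_agents": [
    {"principals": {"values": ["agent-rack1"]}, "agents": {"type": "ANY"}},
    {"principals": {"type": "ANY"}, "agents": {"type": "NONE"}}
  ],
  "reserve_resources": [
    {"principals": {"values": ["agent-rack1"]}, "roles": {"values": ["batch"]}},
    {"principals": {"type": "ANY"}, "roles": {"type": "NONE"}}
  ]
}
"""


def _matches(entity, value):
    """Does this ACL entity apply to `value`? ANY and NONE apply to everything."""
    kind = entity.get("type", "SOME")
    if kind in ("ANY", "NONE"):
        return True
    return value in entity.get("values", [])


def _allows(entity, value):
    """Given that the entity applies, does it permit `value`?"""
    kind = entity.get("type", "SOME")
    if kind == "ANY":
        return True
    if kind == "NONE":
        return False
    return value in entity.get("values", [])


def _decide(acls, action, subject, object_key, object_value):
    """First entry whose principal and object both match decides; else permissive."""
    for entry in acls.get(action, []):
        principals = entry["principals"]
        obj = entry[object_key]
        if _matches(principals, subject) and _matches(obj, object_value):
            return _allows(principals, subject) and _allows(obj, object_value)
    return bool(acls.get("permissive", True))


def authorize_register_agent(acls, principal):
    """The existing RegisterAgent check: may this principal register an agent?"""
    return _decide(acls, "register_agents", principal, "agents", "*")


def authorize_reserve(acls, principal, role):
    """Yan's proposal: the same reserve_resources ACL gates a static reservation
    for `role` exactly as it gates a dynamic one by a framework or operator."""
    return _decide(acls, "reserve_resources", principal, "roles", role)


def authorize_static_reservations(acls, principal, roles):
    """Alexander's combination: registration must be allowed AND every role
    in the agent's static reservations must be allowed for that principal.
    An impersonating process that lacks the agent's principal fails the first
    check; a legitimate principal reserving for an extra role fails the second."""
    if not authorize_register_agent(acls, principal):
        return False
    return all(authorize_reserve(acls, principal, role) for role in roles)


def load_acls(text=ACL_JSON):
    return json.loads(text)


if __name__ == "__main__":
    acls = load_acls()
    for principal, roles in [("agent-rack1", ["batch"]),
                             ("agent-rack1", ["batch", "prod"]),
                             ("impersonator", ["batch"])]:
        verdict = authorize_static_reservations(acls, principal, roles)
        print(f"{principal} reserving {roles}: {'ALLOW' if verdict else 'DENY'}")
```

The point the evaluator makes concrete is the one Alexander raises: the roles check only has teeth if each agent registers with its own principal, because the `reserve_resources` entries key on principals, not on the dynamically generated agent ID.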

