mesos-issues mailing list archives

From "Greg Mann (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (MESOS-3062) Add authorization for dynamic reservation
Date Tue, 10 Nov 2015 20:27:10 GMT

    [ https://issues.apache.org/jira/browse/MESOS-3062?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14999288#comment-14999288 ]

Greg Mann commented on MESOS-3062:
----------------------------------

These patches don't affect which offers are made to which frameworks, nor which frameworks
can accept which offers; a framework should still be able to utilize all the resources offered
to it. Reserved resources will be offered to, and can be used by, any framework registered
with the appropriate role, regardless of which principal did the reserving.

This work provides authorization for the {{Reserve}} and {{Unreserve}} offer operations. So
while a framework can still accept all the offers it receives, these patches do mean that
a framework could receive offers containing resources which it doesn't have permission to
reserve. A framework could also receive offers containing dynamically-reserved resources which
it doesn't have the permission to unreserve.

> Add authorization for dynamic reservation
> -----------------------------------------
>
>                 Key: MESOS-3062
>                 URL: https://issues.apache.org/jira/browse/MESOS-3062
>             Project: Mesos
>          Issue Type: Task
>          Components: master
>            Reporter: Michael Park
>            Assignee: Greg Mann
>              Labels: mesosphere, persistent-volumes
>
> Dynamic reservations should be authorized with the {{principal}} of the reserving entity
> (framework or master). The idea is to introduce {{Reserve}} and {{Unreserve}} into the ACL.
> {code}
>   message Reserve {
>     // Subjects.
>     required Entity principals = 1;
>     // Objects.  MVP: Only possible values = ANY, NONE
>     required Entity resources = 2;
>   }
>   message Unreserve {
>     // Subjects.
>     required Entity principals = 1;
>     // Objects.
>     required Entity reserver_principals = 2;
>   }
> {code}
> When a framework/operator reserves resources, "reserve" ACLs are checked to see if the
> framework ({{FrameworkInfo.principal}}) or the operator ({{Credential.user}}) is authorized
> to reserve the specified resources. If not authorized, the reserve operation is rejected.
> When a framework/operator unreserves resources, "unreserve" ACLs are checked to see if
> the framework ({{FrameworkInfo.principal}}) or the operator ({{Credential.user}}) is authorized
> to unreserve the resources reserved by a framework or operator ({{Resource.ReservationInfo.principal}}).
> If not authorized, the unreserve operation is rejected.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
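
The reserve and unreserve checks described in the issue above, modeled as an added example; it is not code from the Mesos patches or from anyone in this thread. The `Entity`/`Rule` types, the `authorized` helper, the first-match evaluation order, the `permissive` default and the principals `ops` and `fw-a` are all assumptions made for illustration.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Simplified stand-in for the ACL Entity: ANY, NONE, or an explicit list.
struct Entity {
  enum Type { SOME, ANY, NONE } type;
  std::vector<std::string> values;
  bool matches(const std::string& v) const {
    if (type != SOME) return type == ANY;
    for (const std::string& x : values) if (x == v) return true;
    return false;
  }
};

// One rule shape covers both proposed messages:
//   Reserve:   subject = principals, object = resources (MVP: ANY or NONE)
//   Unreserve: subject = principals, object = reserver_principals
struct Rule { Entity subject, object; };

// Assumption of this example: the first rule whose subject matches decides,
// and `permissive` is the answer when no rule matches.
bool authorized(const std::vector<Rule>& rules, const std::string& principal,
                const std::string& object, bool permissive) {
  for (const Rule& r : rules)
    if (r.subject.matches(principal)) return r.object.matches(object);
  return permissive;
}

// Constructed policy: only "ops" may reserve.
std::vector<Rule> reserveRules() {
  return {{{Entity::SOME, {"ops"}}, {Entity::ANY, {}}},
          {{Entity::ANY, {}}, {Entity::NONE, {}}}};
}

// Constructed policy: "ops" may unreserve anything, "fw-a" only its own.
std::vector<Rule> unreserveRules() {
  return {{{Entity::SOME, {"ops"}}, {Entity::ANY, {}}},
          {{Entity::SOME, {"fw-a"}}, {Entity::SOME, {"fw-a"}}},
          {{Entity::ANY, {}}, {Entity::NONE, {}}}};
}

int main() {
  // "fw-a" is offered resources reserved by "ops" but may not unreserve them.
  std::cout << authorized(unreserveRules(), "fw-a", "ops", false) << "\n";
  std::cout << authorized(unreserveRules(), "fw-a", "fw-a", false) << "\n";
  std::cout << authorized(reserveRules(), "fw-a", "cpus", false) << "\n";
  return 0;
}
```

For an unreserve check the `object` argument is the principal recorded in the reservation, not the principal making the request.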
