mesos-issues mailing list archives

From "Vinod Kone (JIRA)" <>
Subject [jira] [Updated] (MESOS-5459) Update RUN_TASK_WITH_USER to use additional metadata
Date Tue, 31 May 2016 05:10:12 GMT


Vinod Kone updated MESOS-5459:
    Priority: Blocker  (was: Major)

Marking this as a blocker because this is an API change? [~adam-mesos] please downgrade if
it's not.

> Update RUN_TASK_WITH_USER to use additional metadata
> ----------------------------------------------------
>                 Key: MESOS-5459
>                 URL:
>             Project: Mesos
>          Issue Type: Improvement
>          Components: security
>            Reporter: Adam B
>            Assignee: Benjamin Bannier
>            Priority: Blocker
>              Labels: mesosphere, security
>             Fix For: 1.0.0
> Currently, the `authorization::Action` `RUN_TASK_WITH_USER` will pass the user as its
> `Object.value` string, but some authorizers may want to make authorization decisions based
> on additional task attributes, like role, resources, labels, container type, etc.
> We should create a new Action `RUN_TASK` that passes FrameworkInfo and TaskInfo in its
> Object, and the LocalAuthorizer's RunTaskWithUser ACL can be implemented using the user found
> in TaskInfo/FrameworkInfo.
> We may need to leave the old _WITH_USER action around, but it's arguable whether we should
> call the authorizer once for RUN_TASK and once for RUN_TASK_WITH_USER, or only use the new
> action and deprecate the old one?
