mesos-issues mailing list archives

From "Joerg Schad (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (MESOS-5615) When using command executor, the ExecutorInfo is useless for sandbox authorization
Date Thu, 16 Jun 2016 12:59:05 GMT

    [ https://issues.apache.org/jira/browse/MESOS-5615?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15332751#comment-15332751 ]

Joerg Schad edited comment on MESOS-5615 at 6/16/16 12:58 PM:
--------------------------------------------------------------

Refactored sandbox authorization logic to use ObjectAuthorizer.
https://reviews.apache.org/r/48764/

Added 'labels' and 'discovery' to generated 'ExecutorInfo'.
https://reviews.apache.org/r/48765/

Added tests for sandbox authorization.
Review: https://reviews.apache.org/r/48789

Added note about generation of `ExecutorInfo` for `CommandInfo`.
Review: https://reviews.apache.org/r/48790


was (Author: js84):
Refactored sandbox authorization logic to use ObjectAuthorizer.
https://reviews.apache.org/r/48764/

Added 'labels' and 'discovery' to generated 'ExecutorInfo'.
https://reviews.apache.org/r/48765/

> When using command executor, the ExecutorInfo is useless for sandbox authorization
> ----------------------------------------------------------------------------------
>
>                 Key: MESOS-5615
>                 URL: https://issues.apache.org/jira/browse/MESOS-5615
>             Project: Mesos
>          Issue Type: Bug
>          Components: modules, security, slave
>    Affects Versions: 1.0.0
>            Reporter: Alexander Rojas
>            Assignee: Joerg Schad
>            Priority: Blocker
>              Labels: authorization, mesosphere, modularization, security
>             Fix For: 1.0.0
>
>
> The design for sandbox access authorization uses the {{ExecutorInfo}} associated with the task as the main authorization space and the {{FrameworkInfo}} as a secondary one. This allows module writers to use fields such as labels for authorization.
> When a task uses the _command executor_ it doesn't provide an {{ExecutorInfo}}, but the info object is generated automatically inside the agent. As such, information which could be used for authorization (e.g. labels) is not available for authorization.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
