mesos-issues mailing list archives

From "Greg Mann (JIRA)" <>
Subject [jira] [Created] (MESOS-7399) Move implicit authorization into the authorizer
Date Tue, 18 Apr 2017 15:04:41 GMT
Greg Mann created MESOS-7399:

             Summary: Move implicit authorization into the authorizer
                 Key: MESOS-7399
             Project: Mesos
          Issue Type: Improvement
          Components: executor, scheduler api
            Reporter: Greg Mann

The HTTP scheduler and executor APIs contain implicit authorization rules. Roughly stated,
the rule is that schedulers and executors can only perform actions for/on schedulers/executors
with the same principal. For example, schedulers can only launch tasks on schedulers with
the same principal, and executors can only launch nested containers within an executor using
the same principal.

These implicit authorization rules should be moved into the authorizer to maintain separation
of authorization logic consistent with the rest of the Mesos codebase.

Note that these rules will be unnecessary in the V0 scheduler/executor APIs due to their implementation.
Since V0 schedulers and executors authenticate once when their persistent TCP connection is
established, the implicit authorization of subsequent actions performed on that connection
is inherent to the implementation.

This message was sent by Atlassian JIRA
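
The separation the issue asks for, as an added example that is not part of the original message and not Mesos code: a same-principal rule is shown first as an inline handler check and then behind an authorizer interface that the handler only queries. All type and function names are hypothetical, and treating an empty principal as denied is an assumption of this example.

```cpp
#include <string>

// Hypothetical types for illustration; these are not Mesos classes.
enum class Action { LAUNCH_TASK, LAUNCH_NESTED_CONTAINER };
struct Subject { std::string principal; };  // authenticated caller ("" = none)
struct Object  { std::string principal; };  // framework/executor acted upon
struct Request { Subject subject; Action action; Object object; };

// Before: the rule lives inline in an API handler (hypothetical).
// Two empty principals compare equal here.
bool inlineSamePrincipal(const Subject& caller, const Object& target) {
  return caller.principal == target.principal;
}

// After: handlers delegate every decision to an authorizer interface.
class Authorizer {
public:
  virtual ~Authorizer() = default;
  virtual bool authorized(const Request& request) const = 0;
};

class SamePrincipalAuthorizer : public Authorizer {
public:
  bool authorized(const Request& r) const override {
    switch (r.action) {
      case Action::LAUNCH_TASK:
      case Action::LAUNCH_NESTED_CONTAINER:
        // Assumption of this example: a missing principal is denied.
        if (r.subject.principal.empty() || r.object.principal.empty()) {
          return false;
        }
        return r.subject.principal == r.object.principal;
    }
    return false;  // default deny for actions without a rule
  }
};

// The handler no longer knows the rule; it only builds the request.
bool handleLaunchNestedContainer(const Authorizer& authz,
                                 const Subject& caller,
                                 const Object& executor) {
  return authz.authorized(
      Request{caller, Action::LAUNCH_NESTED_CONTAINER, executor});
}

int main() {
  SamePrincipalAuthorizer authz;
  bool ok = handleLaunchNestedContainer(authz, {"ops"}, {"ops"}) &&
            !handleLaunchNestedContainer(authz, {"ops"}, {"dev"});
  return ok ? 0 : 1;
}
```

With the rule in one class, it can be unit-tested and replaced without touching the API handlers.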