[jira] [Commented] (MESOS-8306) Restrict which agents can statically reserve resources for which roles

["Yan Xu (JIRA)" <ji...@apache.org>]

    [ https://issues.apache.org/jira/browse/MESOS-8306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16286429#comment-16286429 ] 

Yan Xu commented on MESOS-8306:
-------------------------------

After investigating it I found that it makes more sense of reuse the {{ReserveResources}} ACL for static reservations in the process of authorizing the agent. This ACL clearer in its intention to authorize reservations and its implementation and semantics don't rule out static reservations. We can think of the agent as the subject that requests to the master to reserve resources. i.e., setting {{--resources}} flags on the agent doesn't make it final w.r.t static reservations until the master approves it.

Do you see any problems with this approach [~arojas] [~mcypark] [~jpeach@apache.org]

> Restrict which agents can statically reserve resources for which roles
> ----------------------------------------------------------------------
>
>                 Key: MESOS-8306
>                 URL: https://issues.apache.org/jira/browse/MESOS-8306
>             Project: Mesos
>          Issue Type: Improvement
>            Reporter: Yan Xu
>            Assignee: Yan Xu
>
> In some use cases part of a Mesos cluster could be reserved for certain frameworks/roles. A common approach is to use static reservation so the resources of an agent are only offered to frameworks of the designated roles. However without proper authorization any (compromised) agent can register with these special roles and accept workload from these frameworks.
> We can enhance the {{RegisterAgent}} ACL to express: agent principal {{foo}} is allowed to register with static reservation roles {{bar, baz}}; no other principals are allowed to register with static reservation roles {{bar, baz}}.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)