You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@mesos.apache.org by "Andrei Sekretenko (Jira)" <ji...@apache.org> on 2019/12/27 12:01:00 UTC

[jira] [Created] (MESOS-10083) Authorizing invalid operation can result in declined authorization.

Andrei Sekretenko created MESOS-10083:
-----------------------------------------

             Summary: Authorizing invalid operation can result in declined authorization.
                 Key: MESOS-10083
                 URL: https://issues.apache.org/jira/browse/MESOS-10083
             Project: Mesos
          Issue Type: Bug
            Reporter: Andrei Sekretenko


Currently, when performing ACCEPT call, operations are validated after authorization to avoid races between validating against Master state and other events modifying Master state while operation is being authorized by Authorizer.

This causes a need for the authorization code to compose valid authorization Objects for invalid operations. If the authorization setup is strict enough, this will result in the framework receiving "Not authorized" message for an invalid operation, instead of  validation error.

There are two options to prevent sending authorization errors for invalid operations (and also get rid of handling invalid operations in Object composing code):
 - to split validation into two parts (first one stateless, second one depending on the master state), and run the first part before authorizing
 - get rid of asynchronous authorization step in ACCEPT (as suggested in MESOS-10056), and perform all validation before authorization.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)