Posted to issues@mesos.apache.org by "James Peach (JIRA)" <ji...@apache.org> on 2017/12/11 21:27:00 UTC

[jira] [Comment Edited] (MESOS-8306) Restrict which agents can statically reserve resources for which roles

    [ https://issues.apache.org/jira/browse/MESOS-8306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16286509#comment-16286509 ] 

James Peach edited comment on MESOS-8306 at 12/11/17 9:26 PM:
--------------------------------------------------------------

Can you be more specific about the proposal? I can't match your description up to the ACLs docs.


was (Author: jamespeach):
That generally sounds reasonable to me. I expect you want to mirror this into {{UnreserveResources}} for consistency. Think about how this could be extended, e.g. reserve only {{disk}} or {{cpu}} resources.

> Restrict which agents can statically reserve resources for which roles
> ----------------------------------------------------------------------
>
>                 Key: MESOS-8306
>                 URL: https://issues.apache.org/jira/browse/MESOS-8306
>             Project: Mesos
>          Issue Type: Improvement
>            Reporter: Yan Xu
>            Assignee: Yan Xu
>
> In some use cases, part of a Mesos cluster could be reserved for certain frameworks/roles. A common approach is to use static reservation so the resources of an agent are only offered to frameworks of the designated roles. However, without proper authorization, any (compromised) agent can register with these special roles and accept workload from these frameworks.
> We can enhance the {{RegisterAgent}} ACL to express: agent principal {{foo}} is allowed to register with static reservation roles {{bar, baz}}; no other principals are allowed to register with static reservation roles {{bar, baz}}.


