You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@mesos.apache.org by "Adam B (JIRA)" <ji...@apache.org> on 2016/02/25 20:08:18 UTC

[jira] [Commented] (MESOS-4772) TaskInfo/ExecutorInfo should include owner information

    [ https://issues.apache.org/jira/browse/MESOS-4772?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15167664#comment-15167664 ] 

Adam B commented on MESOS-4772:
-------------------------------

Alternatively, we could use something like Marathon's application groups to namespace tasks into groups that can be authorized together.

> TaskInfo/ExecutorInfo should include owner information
> ------------------------------------------------------
>
>                 Key: MESOS-4772
>                 URL: https://issues.apache.org/jira/browse/MESOS-4772
>             Project: Mesos
>          Issue Type: Improvement
>          Components: security
>            Reporter: Adam B
>            Assignee: Jan Schlicht
>              Labels: authorization, mesosphere, ownership, security
>
> We need a way to assign fine-grained ownership to tasks/executors so that multi-user frameworks can tell Mesos to associate the task with a user identity (rather than just the framework principal+role). Then, when an HTTP user requests to view the task's sandbox contents, or kill the task, or list all tasks, the authorizer can determine whether to allow/deny/filter the request based on finer-grained, user-level ownership.
> Some systems may want TaskInfo.owner to represent a group rather than an individual user. That's fine as long as the framework sets the field to the group ID in such a way that a group-aware authorizer can interpret it.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)