You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@mesos.apache.org by James Peach <jo...@gmail.com> on 2017/11/01 21:28:26 UTC

clearing the executor authentication token from the task environment

Hi all,

In https://issues.apache.org/jira/browse/MESOS-8140, I'm proposing that we clear the MESOS_EXECUTOR_AUTHENTICATION_TOKEN environment variable immediately after consuming it in the built-in executors. This protects it from observation by other tasks in the same PID namespace, however I wanted to verify that no-one currently has a use case that depends on this. Currently, the token is inherited to the environment of tasks running under the command executor (i.e. not to task group tasks).

Eventually we would add a formal API for tasks to access the executor token in MESOS-8018.

thanks,
James

Re: clearing the executor authentication token from the task environment

Posted by James Peach <jo...@gmail.com>.

> On Nov 1, 2017, at 2:28 PM, James Peach <Jo...@gmail.com> wrote:
> 
> Hi all,
> 
> In https://issues.apache.org/jira/browse/MESOS-8140, I'm proposing that we clear the MESOS_EXECUTOR_AUTHENTICATION_TOKEN environment variable immediately after consuming it in the built-in executors. This protects it from observation by other tasks in the same PID namespace, however I wanted to verify that no-one currently has a use case that depends on this. Currently, the token is inherited to the environment of tasks running under the command executor (i.e. not to task group tasks).
> 
> Eventually we would add a formal API for tasks to access the executor token in MESOS-8018.

Ok, we will be landing this change for Mesos 1.5

thanks,
James

Re: clearing the executor authentication token from the task environment

Posted by James Peach <jo...@gmail.com>.

> On Nov 1, 2017, at 2:28 PM, James Peach <Jo...@gmail.com> wrote:
> 
> Hi all,
> 
> In https://issues.apache.org/jira/browse/MESOS-8140, I'm proposing that we clear the MESOS_EXECUTOR_AUTHENTICATION_TOKEN environment variable immediately after consuming it in the built-in executors. This protects it from observation by other tasks in the same PID namespace, however I wanted to verify that no-one currently has a use case that depends on this. Currently, the token is inherited to the environment of tasks running under the command executor (i.e. not to task group tasks).
> 
> Eventually we would add a formal API for tasks to access the executor token in MESOS-8018.

Ok, we will be landing this change for Mesos 1.5

thanks,
James