You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@mesos.apache.org by "Greg Mann (JIRA)" <ji...@apache.org> on 2017/04/18 15:04:41 UTC

[jira] [Created] (MESOS-7399) Move implicit authorization into the authorizer

Greg Mann created MESOS-7399:
--------------------------------

             Summary: Move implicit authorization into the authorizer
                 Key: MESOS-7399
                 URL: https://issues.apache.org/jira/browse/MESOS-7399
             Project: Mesos
          Issue Type: Improvement
          Components: executor, scheduler api
            Reporter: Greg Mann


The HTTP scheduler and executor APIs contain implicit authorization rules. Roughly stated, the rule is that schedulers and executors can only perform actions for/on schedulers/executors with the same principal. For example, schedulers can only launch tasks on schedulers with the same principal, and executors can only launch nested containers within an executor using the same principal.

These implicit authorization rules should be moved into the authorizer to maintain separation of authorization logic consistent with the rest of the Mesos codebase.

Note that these rules will be unnecessary in the V0 scheduler/executor APIs due to their implementation. Since V0 schedulers and executors authenticate once when their persistent TCP connection is established, the implicit authorization of subsequent actions performed on that connection is inherent to the implementation.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)