Posted to issues@mesos.apache.org by "Chun-Hung Hsiao (JIRA)" <ji...@apache.org> on 2019/02/12 05:41:00 UTC

[jira] [Commented] (MESOS-9562) Authorization for DESTROY and UNRESERVE is not symmetrical.

    [ https://issues.apache.org/jira/browse/MESOS-9562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16765693#comment-16765693 ] 

Chun-Hung Hsiao commented on MESOS-9562:
----------------------------------------

For {{UNRESERVE}}, we currently support the following two use cases:
1. If all resources the {{UNRESERVE}} operation applies to have reservation principals, there will be one authorization request for each resource.
2. If none of the resources has any principal, there will be one single authorization request to verify if the subject is authorized to perform an {{UNRESERVE}} operation.
Equivalently, if a subject is authorized to do {{UNRESERVE}} on any reservation with a principal, Mesos would implicitly assume that the subject has the right to do {{UNRESERVE}} on a reservation without a principal as well.
We should either document this, or issue a request per resource, with or without a principal.
Since we're deprecating the {{value}} field in favor of the {{resource}} field, it seems to me that we should issue a request for each resource, no matter whether it is reserved by a principal or not.

For {{DESTROY}}, it seems to me that setting a default empty string is undocumented behavior, and having a magic string (which is the empty string) doesn't sound like a good idea in an API.

> Authorization for DESTROY and UNRESERVE is not symmetrical.
> -----------------------------------------------------------
>
>                 Key: MESOS-9562
>                 URL: https://issues.apache.org/jira/browse/MESOS-9562
>             Project: Mesos
>          Issue Type: Improvement
>          Components: master, scheduler api
>    Affects Versions: 1.7.1
>            Reporter: Alexander Rukletsov
>            Priority: Major
>              Labels: integration, mesosphere, tech-debt
>
> For [the {{UNRESERVE}} case|https://github.com/apache/mesos/blob/5d3ed364c6d1307d88e6b950ae0eef423c426673/src/master/master.cpp#L3661-L3677], if the principal was not set, {{.has_principal()}} will be {{false}}, hence we will not call {{authorizations.push_back()}}, and hence we will not create an authz request with this resource as an object. For [the {{DESTROY}} case|https://github.com/apache/mesos/blob/5d3ed364c6d1307d88e6b950ae0eef423c426673/src/master/master.cpp#L3772-L3773], if the principal was not set, a default value {{""}} for string will be used and hence we will create an authz request with this resource as an object. 
> We definitely need to make the behaviour consistent. I'm not sure which approach is correct.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
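
A minimal model of the request generation discussed in this thread, added here as an illustration and not taken from the Mesos source; the `Resource` and `AuthzRequest` structs and all function names are hypothetical. For a mixed set of resources it shows that the described UNRESERVE path never presents the principal-less resource to the authorizer, while the DESTROY path presents it with `""` as the object.

```cpp
#include <string>
#include <vector>

// Hypothetical model types for illustration, not Mesos' own classes.
struct Resource {
  std::string name;
  bool has_principal;     // mirrors the protobuf-style has_principal() check
  std::string principal;  // meaningful only when has_principal is true
};

// One authorization request as the authorizer would see it.
struct AuthzRequest {
  std::string action;
  bool has_object;     // false: the request carries no object at all
  std::string object;  // principal presented as the object
};

// UNRESERVE as described on this page: resources without a principal are
// skipped; if nothing was queued, one object-less request is issued.
std::vector<AuthzRequest> unreserveAsDescribed(const std::vector<Resource>& rs) {
  std::vector<AuthzRequest> out;
  for (const Resource& r : rs)
    if (r.has_principal) out.push_back({"UNRESERVE", true, r.principal});
  if (out.empty()) out.push_back({"UNRESERVE", false, ""});
  return out;
}

// DESTROY as described: an unset principal reads as the default "".
std::vector<AuthzRequest> destroyAsDescribed(const std::vector<Resource>& rs) {
  std::vector<AuthzRequest> out;
  for (const Resource& r : rs)
    out.push_back({"DESTROY", true, r.has_principal ? r.principal : ""});
  return out;
}

// Option raised in the comment: one request per resource, principal or not,
// with "unset" kept distinct from any string value.
std::vector<AuthzRequest> perResource(const std::string& action,
                                      const std::vector<Resource>& rs) {
  std::vector<AuthzRequest> out;
  for (const Resource& r : rs)
    out.push_back({action, r.has_principal, r.has_principal ? r.principal : ""});
  return out;
}

// Constructed sample: one resource with a principal, one without.
std::vector<Resource> mixedSample() {
  return {{"cpus", true, "ops"}, {"mem", false, ""}};
}
```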