Posted to commits@mesos.apache.org by vi...@apache.org on 2017/04/21 21:24:55 UTC

[2/2] mesos git commit: Added documentation for executor authorization.

Added documentation for executor authorization.

This patch adds documentation regarding the implicit authorization
of HTTP executors.

Review: https://reviews.apache.org/r/58625/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/02d8426a
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/02d8426a
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/02d8426a

Branch: refs/heads/master
Commit: 02d8426a3b1dc6b3269a014ada541a6008a6ab05
Parents: 3cd927c
Author: Greg Mann <gr...@mesosphere.io>
Authored: Fri Apr 21 14:24:35 2017 -0700
Committer: Vinod Kone <vi...@gmail.com>
Committed: Fri Apr 21 14:24:35 2017 -0700

----------------------------------------------------------------------
 docs/authorization.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/02d8426a/docs/authorization.md
----------------------------------------------------------------------
diff --git a/docs/authorization.md b/docs/authorization.md
index 913765f..42337e7 100644
--- a/docs/authorization.md
+++ b/docs/authorization.md
@@ -25,6 +25,26 @@ briefly discusses how to implement a custom authorizer; this section is not
 directed at operators but at engineers who wish to build their own authorizer
 back end.
 
+## HTTP Executor Authorization
+
+When the agent's `--authenticate_http_executors` flag is set, HTTP executors are
+required to authenticate with the HTTP executor API. When they do so, a simple
+implicit authorization rule is applied. In plain language, the rule states that
+executors can only perform actions on themselves. More specifically, an
+executor's authenticated principal must contain claims with keys `fid`, `eid`,
+and `cid`, with values equal to the currently-running executor's framework ID,
+executor ID, and container ID, respectively. By default, an authentication token
+containing these claims is injected into the executor's environment (see the
+[authentication documentation](authentication.md) for more information).
+
+Similarly, when the agent's `--authenticate_http_readwrite` flag is set, HTTP
+executor's are required to authenticate with the HTTP operator API when making
+calls such as `LAUNCH_NESTED_CONTAINER`. In this case, executor authorization is
+performed via the loaded authorizer module, if present. The default Mesos local
+authorizer applies a simple implicit authorization rule, requiring that the
+executor's principal contain a claim with key `cid` and a value equal to the
+currently-running executor's container ID.
+
 ## Local Authorizer
 
 ### Role vs. Principal
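Review bot: Typo in the second added paragraph: "HTTP executor's are required to authenticate with the HTTP operator API" should read "HTTP executors are required to authenticate with the HTTP operator API" (possessive apostrophe on a plural). While here, the phrase "executor authorization is performed via the loaded authorizer module, if present" leaves the reader unsure what happens when no custom authorizer module is loaded; since the next sentence describes the default Mesos local authorizer, consider stating explicitly that the local authorizer is what applies in that case, e.g. "performed via the loaded authorizer module, or by the default Mesos local authorizer if none is loaded". It would also help operators to say in the first paragraph that the `fid`/`eid`/`cid` check is enforced only when `--authenticate_http_executors` is set, so the two flags and their respective rules (executor API vs. operator API) are clearly separated.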