You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@mesos.apache.org by "Alexander Rukletsov (JIRA)" <ji...@apache.org> on 2016/05/19 07:44:12 UTC
[jira] [Comment Edited] (MESOS-5155) Consolidate authorization
actions for quota.
[ https://issues.apache.org/jira/browse/MESOS-5155?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15289240#comment-15289240 ]
Alexander Rukletsov edited comment on MESOS-5155 at 5/19/16 7:43 AM:
---------------------------------------------------------------------
{noformat}
Commit: a28917f188183a4be1c974fc61ef20797cf255af [a28917f]
Author: Zhitao Li <zh...@gmail.com>
Date: 18 May 2016 16:17:11 CEST
Committer: Alexander Rukletsov <al...@apache.org>
Commit Date: 18 May 2016 18:21:40 CEST
Used UPDATE_QUOTA_WITH_ROLE for both quota set and remove.
To consolidate authorization actions for quota, we introduce a new
authorization action `UPDATE_QUOTA_WITH_ROLE` and corresponding
ACL. They new action and ACL should be used instead of now deprecated
`SET_QUOTA_WITH_ROLE` and `DESTROY_QUOTA_WITH_PRINCIPAL`. Until the
end of the deprecation cycle, we will be using both combinations by
querying the authorizer twice.
Review: https://reviews.apache.org/r/47399/
{noformat}
{noformat}
Commit: 71e5099c55bb5fd064ef5efe59ed780ad1e93060 [71e5099]
Author: Zhitao Li zhitaoli.cs@gmail.com
Date: 19 May 2016 09:04:20 CEST
Committer: Alexander Rukletsov alexr@apache.org
Commit Date: 19 May 2016 09:39:37 CEST
Documented quota authorization changes.
Review: https://reviews.apache.org/r/47400/
{noformat}
was (Author: alexr):
{noformat}
Commit: a28917f188183a4be1c974fc61ef20797cf255af [a28917f]
Author: Zhitao Li <zh...@gmail.com>
Date: 18 May 2016 16:17:11 CEST
Committer: Alexander Rukletsov <al...@apache.org>
Commit Date: 18 May 2016 18:21:40 CEST
Used UPDATE_QUOTA_WITH_ROLE for both quota set and remove.
To consolidate authorization actions for quota, we introduce a new
authorization action `UPDATE_QUOTA_WITH_ROLE` and corresponding
ACL. They new action and ACL should be used instead of now deprecated
`SET_QUOTA_WITH_ROLE` and `DESTROY_QUOTA_WITH_PRINCIPAL`. Until the
end of the deprecation cycle, we will be using both combinations by
querying the authorizer twice.
Review: https://reviews.apache.org/r/47399/
{noformat}
> Consolidate authorization actions for quota.
> --------------------------------------------
>
> Key: MESOS-5155
> URL: https://issues.apache.org/jira/browse/MESOS-5155
> Project: Mesos
> Issue Type: Improvement
> Reporter: Alexander Rukletsov
> Assignee: Zhitao Li
> Labels: mesosphere
>
> We should have just a single authz action: {{UPDATE_QUOTA_WITH_ROLE}}. It was a mistake in retrospect to introduce multiple actions.
> Actions that are not symmetrical are register/teardown and dynamic reservations. The way they are implemented in this way is because entities that do one action differ from entities that do the other. For example, register framework is issued by a framework, teardown by an operator. What is a good way to identify a framework? A role it runs in, which may be different each launch and makes no sense in multi-role frameworks setup or better a sort of a group id, which is its principal. For dynamic reservations and persistent volumes, they can be both issued by frameworks and operators, hence similar reasoning applies.
> Now, quota is associated with a role and set only by operators. Do we need to care about principals that set it? Not that much.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)