Posted to dev@mesos.apache.org by "David WEI (JIRA)" <ji...@apache.org> on 2013/10/27 23:42:30 UTC

[jira] [Commented] (MESOS-418) Add security and authentication support to Mesos (including integration with LDAP).

    [ https://issues.apache.org/jira/browse/MESOS-418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13806477#comment-13806477 ] 

David WEI commented on MESOS-418:
---------------------------------

Hi, my name is David. I'd like to do something for this open source project.
I am an experienced software engineer working on network security in the Bay Area.
Here is my draft of general use cases. The main idea is to add into Mesos a
cyrus-sasl client which will send the authentication info to a security server to get verification.
Your comments or updates are welcome.

General use cases/test cases

1, Mesos users (framework applications) or slaves register (i.e. name and password) to the security server. This may be integrated into central security management which is outside of Mesos. In the unit tests, we may use an open source SASL server, such as cyrus-sasl2 in Ubuntu.

2, When the Mesos Master gets a framework application or slave register (resource allocation) request, based on the security setting of Mesos, there are the following cases:

  1) Anonymous allowed and no authentication info in the request. This is compatible with the current implementation.

  2) Authentication support. Extract authentication info from the request, and send it to the configured security
server by the Cyrus SASL interface. If authentication succeeds, then continue to do framework or slave register, else reject the register request.

  Note: Considering the performance impact introduced by the delay of this authentication request and response communication,
one option is to keep a local authenticated user table in the Master node. It works as a cache. For each authentication, the local table will be looked up first; if not found, then communicate with the security server. After successful authentication, the user authid and a timestamp are inserted into the local table. Then within a configured period (i.e. 24 hours), the following register requests from this user will be permitted from the local table.
     For Master failure recovery, the local table will be re-built from the received re-register requests.

> Add security and authentication support to Mesos (including integration with LDAP).
> -----------------------------------------------------------------------------------
>
>                 Key: MESOS-418
>                 URL: https://issues.apache.org/jira/browse/MESOS-418
>             Project: Mesos
>          Issue Type: Story
>            Reporter: Vinod Kone
>            Assignee: Ilim Ugur
>              Labels: c++, cloud, gsoc, gsoc2013, mentor
>
> The basic idea behind the proposal, is to add authorization/authentication support to Mesos. For example, Mesos should only allow authenticated frameworks to register and submit jobs. The plan is to leverage Kerberos/LDAP to add this support. We are also open to suggestions on how we can add support for security and auth in Mesos.
> Knowledge Prerequisite: C++
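A sketch of the cache-then-verify flow proposed in the comment above, added here as an illustration and not code from Mesos or from the commenter; the Cyrus SASL round trip to the security server is stood in for by an injected verifier callback (an assumption). It goes one step beyond the proposal: each cached entry also records a digest of the presented secret, so a cache hit is not granted on authid alone within the 24-hour window, and a mismatch or an expired entry forces a fresh check against the server.

```cpp
#include <chrono>
#include <functional>
#include <map>
#include <string>
#include <utility>

// Outcome of the authentication step for one register request.
struct AuthResult { bool permitted; bool fromCache; };

// Stands in for the Cyrus SASL exchange with the security server (assumption).
using RemoteVerifier =
    std::function<bool(const std::string& authid, const std::string& secret)>;

class AuthCache {
 public:
  using Clock = std::chrono::system_clock;
  AuthCache(RemoteVerifier verifier, std::chrono::seconds ttl)
      : verifier_(std::move(verifier)), ttl_(ttl) {}

  // Look up the local table first; fall back to the security server on a miss.
  AuthResult authenticate(const std::string& authid,
                          const std::string& secret,
                          Clock::time_point now) {
    auto it = table_.find(authid);
    if (it != table_.end()) {
      const Entry& e = it->second;
      // A hit is honoured only inside the TTL and only if the same secret is
      // presented; otherwise the entry is dropped and the server is consulted.
      if (now - e.inserted < ttl_ && e.secretDigest == digest(secret)) {
        return {true, true};
      }
      table_.erase(it);
    }
    if (!verifier_(authid, secret)) {
      return {false, false};
    }
    table_[authid] = Entry{digest(secret), now};
    return {true, false};
  }

  std::size_t size() const { return table_.size(); }

 private:
  struct Entry { std::size_t secretDigest; Clock::time_point inserted; };
  // Placeholder only: a deployment would store a salted, slow password hash here.
  static std::size_t digest(const std::string& s) { return std::hash<std::string>{}(s); }
  RemoteVerifier verifier_;
  std::chrono::seconds ttl_;
  std::map<std::string, Entry> table_;
};
```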



--
This message was sent by Atlassian JIRA
(v6.1#6144)