You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@mesos.apache.org by "Andrei Sekretenko (Jira)" <ji...@apache.org> on 2020/03/03 14:23:00 UTC
[jira] [Commented] (MESOS-10056) Perform synchronous authorization
for scheduler calls.
[ https://issues.apache.org/jira/browse/MESOS-10056?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17050246#comment-17050246 ]
Andrei Sekretenko commented on MESOS-10056:
-------------------------------------------
{noformat}
Author: Andrei Sekretenko <as...@apache.org>
Date: Fri Feb 21 11:40:59 2020 +0100
Added test for removal of ObjectApprovers of disconnected framework.
As per MESOS-10056, authorizer is now responsible for keeping
`ObjectApprover`s valid throughout their lifetime, which might be quite
expensive for custom authorizer implementations that get permissions
from an external IAM.
This test makes sure that ObjectApprovers of a disconnected framework
are removed.
Review: https://reviews.apache.org/r/72170
commit 6a29061fb2f357d591f27d7541f92e0f73f0e944
Author: Andrei Sekretenko <as...@mesosphere.com>
Date: Thu Jan 30 15:42:07 2020 +0100
Removed code for tracking pending tasks.
Now that ACCEPT is authorized synchronously, there are no pending
tasks in-between dispatches on `Master` methods, thus the pending task
tracking code is not needed anymore.
Review: https://reviews.apache.org/r/72099
commit 495db0e983222a5038a26b93e0ca689f2ce009a0
Author: Andrei Sekretenko <as...@mesosphere.com>
Date: Wed Jan 29 15:24:32 2020 +0100
Converted ACCEPT to synchronous authorization.
This patch converts ACCEPT call to synchronous authorization
(see MESOS-10056), thus fixing race between ACCEPT and REVIVE
(MESOS-10023) and removing potential for other similar races.
It also moves authorization of scheduler API operations after their
validation (thus fixing MESOS-10083) and effectively gets rid of the
concept of a "task pending authorization".
Tests are converted from mocking `Authorizer::authorized(...)`
to mocking `Authorizer::provideObjectApprover(...)` as necessary.
Review: https://reviews.apache.org/r/72098
commit f94f1e09530fb4c83247d341b31ea17c95b96d6e
Author: Andrei Sekretenko <as...@apache.org>
Date: Thu Feb 27 18:23:59 2020 +0100
Made `overload()` work with callables passed by reference.
Review: https://reviews.apache.org/r/72169
commit 889aa4c1f75af4294173a99a7c1df97534a83ded
Author: Andrei Sekretenko <as...@mesosphere.com>
Date: Tue Jan 21 21:58:23 2020 +0100
Converted UPDATE_FRAMEWORK to synchronous authorization.
Review: https://reviews.apache.org/r/72097
commit b920f60bcee913319fb78427f28f6f5789729478
Author: Andrei Sekretenko <as...@mesosphere.com>
Date: Tue Jan 21 21:58:23 2020 +0100
Store per-framework ObjectApprovers.
This is a prerequisite to synchronous authorization of scheduler API
calls (see MESOS-10056).
Review: https://reviews.apache.org/r/72096
commit 8a82df8604c552268ca22e2577dc0e03a1731bcf
Author: Andrei Sekretenko <as...@mesosphere.com>
Date: Mon Jan 20 17:00:36 2020 +0100
Added to `ObjectApprovers` a method to approve arbitrary action.
This is needed to use `ObjectApprovers` for authorizing scheduler API
calls.
Review: https://reviews.apache.org/r/72093
commit c6cede0800f11c208078dcf3eaa756997166ac7b
Author: Andrei Sekretenko <as...@mesosphere.com>
Date: Mon Jan 20 16:05:48 2020 +0100
Introduced `getApprover(...)` authorizer interface.
This patch introduces a breaking change in the Authorizer interface:
`getObjectApprover(...)` method that returnes ObjectApprover
which should not be stored for a long time is replaced with
`getApprover(...)` method that returns ObjectApprover
that must be kept valid (by authorizer implementation) throughout its
whole lifetime.
This unblocks way to synchronous (without dispatch to another actor)
authorization in cases where principal is known to be long-lived;
examples are the scheduler API (see MESOS-10056) and v1 operator API
events (see MESOS-10057).
The local authorizer is modified accordingly.
NOTE: This patch breaks compatibility with custom authorizers which
do not implement this method!
Review: https://reviews.apache.org/r/72089
commit aefa4bdb8a111c74f1d0f7e851a486f4e2ec47e7
Author: Andrei Sekretenko <as...@mesosphere.com>
Date: Tue Jan 21 19:55:24 2020 +0100
Introduced dedicated `Framework` methods for transitions between states.
The main purpose of this patch is gathering scattered logic of
transitioning `Framework` to disconnected state into
`Framework::disconnect()` method. This is a prerequisite for adding
to the `Framework` state one more entity that needs cleanup when the
framework is disconnected (namely, adding per-framework
`ObjectApprovers` in depending patches).
Additionally, this patch decouples connection state from eligibility
to receive offers: `ACTIVE` and `INACTIVE` states are merged into
`CONNECTED`, and a new boolean attribute `active` is introduced.
Now that `updateConnection(...)` does not change `active` on its own,
methods `activate()` and `deactivate()` are introduced.
Note that the current behaviour of activating reconnected framework
regardless of whether it was active before disconnecting is not changed.
Also, for consistency between `CONNECTED`->`DISCONNECTED` transition
and other state transitions, public `setFrameworkState(...)` method
is removed.
Review: https://reviews.apache.org/r/72095
{noformat}
{noformat}
commit cb8106fb7fc9282232a98b27bd1aca43c52a7f69
Author: Andrei Sekretenko <as...@mesosphere.com>
Date: Mon Jan 20 19:39:19 2020 +0100
Made `http`, `pid` and `heartbeater` of `Framework` private.
This is a prerequisite to localizing mutations of connection-related
state of `Framework` to a limited set of `Framework` methods
in the next patch.
Review: https://reviews.apache.org/r/72094
{noformat}
> Perform synchronous authorization for scheduler calls.
> ------------------------------------------------------
>
> Key: MESOS-10056
> URL: https://issues.apache.org/jira/browse/MESOS-10056
> Project: Mesos
> Issue Type: Improvement
> Components: master
> Reporter: Benjamin Mahler
> Assignee: Andrei Sekretenko
> Priority: Major
>
> After chatting with [~asekretenko] about how best to resolve MESOS-10023, as an alternative to making all scheduler calls get sequenced through an asynchronous authorization step, I brought up the old idea of making authorization synchronous.
> This came up (although I can't find a ticket for it) in the past because the master event stream outgoing message authorization becomes very expensive for a large number of subscribers (cc [~greggomann]). Back then, I suggested that we always hold on to valid object approvers so that we could synchronously (and cheaply) authorize the outgoing events. These object approvers would be kept up to date in the background, and if authorization fails to keep them up to date, we would treat that the same as an authorization failure is currently treated.
> We can apply the same idea (although we haven't applied it to the master's event stream yet) to scheduler API calls, which should help resolve MESOS-10023 since we're no longer mixing asynchronously authorized calls with calls that don't go through authorization.
> This will also yield a performance improvement, scheduler calls no longer get delayed by asynchronous authorization, and an extra trip through the master queue.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)