We already authenticate requests to NM from any AM. We also need to authorize the requests, otherwise a rogue AM, but with proper tokens and thus authenticated to talk to NM, could either launch or kill a container with different ContainerID. We have two options:
- Remove the explicit passing of the ContainerId as part of the API and instead get it from the RPC layer. In this case, we will need a ContainerToken for each container.
- Do explicit authorization checks without relying on getting ContainerID from the RPC.
One ContainerToken per container is a serious restriction. We anyways want to be able to use application-ACLS to, say, stop containers owned by others. So I am going to take the later route of explicit checks.