[MESOS-3065] Add framework authorization for persistent volume - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: None
Component/s: None
Labels:
- mesosphere
- persistent-volumes

Target Version/s:

0.27.0
Epic Link:
Persistence
Sprint:
Mesosphere Sprint 16, Mesosphere Sprint 22, Mesosphere Sprint 24
Story Points:
5

Description

This is the third in a series of tickets that adds authorization support to persistent volumes.

When a framework creates a persistent volume, "create" ACLs are checked to see if the framework (FrameworkInfo.principal) or the operator (Credential.user) is authorized to create persistent volumes. If not authorized, the create operation is rejected.

When a framework destroys a persistent volume, "destroy" ACLs are checked to see if the framework (FrameworkInfo.principal) or the operator (Credential.user) is authorized to destroy the persistent volume created by a framework or operator (Resource.DiskInfo.principal). If not authorized, the destroy operation is rejected.

A separate ticket will use the structures created here to enable authorization of the "/create" and "/destroy" HTTP endpoints: https://issues.apache.org/jira/browse/MESOS-3903

Attachments

Issue Links

blocks

MESOS-3903 Add authorization for '/create-volume' and '/destroy-volume' HTTP endpoints

Resolved

depends upon

MESOS-4179 Extend `Master` to authorize persistent volumes

Resolved

MESOS-3064 Add 'principal' field to 'Resource.DiskInfo.Persistence'

Resolved

is blocked by

MESOS-2455 Add operator endpoints to create/destroy persistent volumes.

Resolved

supercedes

MESOS-2998 Disable Persistent Volumes, Dynamic Reservations via master flags

Resolved

Activity

People

Assignee:: Greg Mann

Reporter:: Michael Park

Shepherd:: Jie Yu

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 16/Jul/15 16:52

Updated:: 26/Nov/18 12:20

Resolved:: 26/Nov/18 12:20