Hi, my name is David. I'd like to do something for this open source project.
I am an experienced software engineer working on network security in the Bay Area.
Here is my draft of the general use cases. The main idea is to add to Mesos a
cyrus-sasl client which will send the authentication info to a security server for verification.
Your comments or updates are welcome.
General use cases/test cases
1. Mesos users (framework applications) or slaves register (i.e. name and password) with the security server. This may be integrated into central security management which is outside of Mesos. In the unit tests, we may use an open source SASL server, such as cyrus-sasl2 in Ubuntu.
2. When the Mesos Master gets a framework application or slave register (resource allocation) request, based on the security setting of Mesos, there are the following cases:
1) Anonymous allowed and no authentication info in the request. This is compatible with the current implementation.
2) Authentication support. Extract the authentication info from the request, and send it to the configured security
server via the Cyrus SASL interface. If authentication succeeds, then continue with the framework or slave register, else reject the register request.
Note: Considering the performance impact introduced by the delay of this authentication request and response communication,
one option is to keep a local authenticated user table in the Master node. It works as a cache. For each authentication, the local table is looked up first; if the user is not found, then communicate with the security server. After successful authentication, the user authid and a timestamp are inserted into the local table. Then within a configured period (i.e. 24 hours), following register requests from this user will get permission from the local table.
For Master failure recovery, the local table will be re-built from the received re-register requests.
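The cached-authentication flow from the note above (lookup by authid, fall back to the security server, insert authid and timestamp on success, expire after a configured period, rebuild after Master failover) as an added illustration; this is not Mesos or cyrus-sasl code, and the names AuthCache, Verifier and the 24-hour TTL are assumptions. The Verifier callback stands in for the SASL round trip to the security server.

```cpp
#include <cstddef>
#include <functional>
#include <string>
#include <unordered_map>
#include <utility>

// Stand-in for the round trip to the SASL security server: returns true
// when (authid, password) authenticates successfully. Hypothetical type.
using Verifier = std::function<bool(const std::string&, const std::string&)>;
using Seconds = long long;

// Hypothetical local authenticated-user table kept in the Master node.
class AuthCache {
 public:
  AuthCache(Verifier verify, Seconds ttl)
      : verify_(std::move(verify)), ttl_(ttl) {}

  // Decide whether a framework/slave register request is permitted.
  // 'now' (seconds) is injected so the behaviour is deterministic in tests.
  bool authenticate(const std::string& authid, const std::string& password,
                    Seconds now) {
    auto it = table_.find(authid);
    if (it != table_.end()) {
      if (now - it->second < ttl_) {
        ++hits_;
        return true;  // still within the configured period: permit locally
      }
      table_.erase(it);  // entry expired, fall through to the server
    }
    ++serverCalls_;
    if (!verify_(authid, password)) {
      return false;  // security server rejected: failures are not cached
    }
    table_[authid] = now;  // record authid and timestamp of success
    return true;
  }

  // After Master failover the table starts empty; each re-register request
  // is pushed through authenticate() again, which rebuilds it.
  void reset() { table_.clear(); }

  std::size_t size() const { return table_.size(); }
  int hits() const { return hits_; }
  int serverCalls() const { return serverCalls_; }

 private:
  Verifier verify_;
  Seconds ttl_;
  std::unordered_map<std::string, Seconds> table_;
  int hits_ = 0;
  int serverCalls_ = 0;
};
```

Because entries are keyed by authid alone, a credential revoked at the security server keeps working locally until its entry expires, so the configured period is also the revocation window.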