Details
-
Improvement
-
Status: Resolved
-
Blocker
-
Resolution: Fixed
-
None
-
Mesosphere Sprint 36
-
5
Description
Currently, the `authorization::Action` `RUN_TASK_WITH_USER` will pass the user as its `Object.value` string, but some authorizers may want to make authorization decisions based on additional task attributes, like role, resources, labels, container type, etc.
We should create a new Action `RUN_TASK` that passes FrameworkInfo and TaskInfo in its Object, and the LocalAuthorizer's RunTaskWithUser ACL can be implemented using the user found in TaskInfo/FrameworkInfo.
We may need to leave the old _WITH_USER action around, but it's arguable whether we should call the authorizer once for RUN_TASK and once for RUN_TASK_WITH_USER, or only use the new action and deprecate the old one?
Attachments
Issue Links
- is related to
-
MESOS-5153 Sandboxes contents should be protected from unauthorized users
- Resolved
-
MESOS-5169 Introduce new Authorizer Actions for Authorized based filtering of endpoints.
- Resolved