Uploaded image for project: 'Mesos'
  1. Mesos
  2. MESOS-5459

Update RUN_TASK_WITH_USER to use additional metadata

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Blocker
    • Resolution: Fixed
    • None
    • 1.0.0
    • security
    • Mesosphere Sprint 36
    • 5

    Description

      Currently, the `authorization::Action` `RUN_TASK_WITH_USER` will pass the user as its `Object.value` string, but some authorizers may want to make authorization decisions based on additional task attributes, like role, resources, labels, container type, etc.

      We should create a new Action `RUN_TASK` that passes FrameworkInfo and TaskInfo in its Object, and the LocalAuthorizer's RunTaskWithUser ACL can be implemented using the user found in TaskInfo/FrameworkInfo.
      We may need to leave the old _WITH_USER action around, but it's arguable whether we should call the authorizer once for RUN_TASK and once for RUN_TASK_WITH_USER, or only use the new action and deprecate the old one?

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. MESOS-5153 Sandboxes contents should be protected from unauthorized users

          • Major - Major loss of function.
          • Resolved

          Improvement - An improvement or enhancement to an existing feature or task. MESOS-5169 Introduce new Authorizer Actions for Authorized based filtering of endpoints.

          • Major - Major loss of function.
          • Resolved

          Activity

            People

              bbannier Benjamin Bannier
              adam-mesos Adam B
              Adam B Adam B
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: