- Type: Bug
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 1.0.0
- Fix Version/s: None
- Component/s: security
- Labels:
- Epic Link:
- Sprint: Mesosphere Sprint 38

The local authorizer currently tries to authorize ACCESS_SANDBOX even if no further object specification (e.g. framework_info or executor_info) was specified / available at that time.
Given that there is likely no sandbox available if there was no executor_info provided, I think we should actually fail instead of allow or deny (403).
A failure would result in an IMHO more appropriate ServiceUnavailable (503).
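
The behavior proposed in this report, as an added sketch that is not part of the original issue and is not Mesos code: a tri-state authorization result in which a missing object is a failure rather than an allow or deny. `ExecutorInfo`, `LocalAuthorizer`, `authorizeSandboxAccess`, `httpStatus` and the ACL layout are hypothetical simplifications.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <utility>

// Hypothetical, simplified types; not Mesos' own classes or signatures.
enum class Outcome { ALLOWED, DENIED, FAILED };

struct ExecutorInfo { std::string user; };  // stand-in for executor_info

class LocalAuthorizer {
public:
  // ACL: principal -> users whose sandboxes that principal may access.
  explicit LocalAuthorizer(std::map<std::string, std::set<std::string>> acl)
    : acl_(std::move(acl)) {}

  // executor == nullptr models "no object specification was available".
  Outcome authorizeSandboxAccess(const std::string& principal,
                                 const ExecutorInfo* executor) const {
    // Without an executor there is no sandbox to decide about, so the
    // question cannot be answered: report a failure, not allow or deny.
    if (executor == nullptr) return Outcome::FAILED;

    auto entry = acl_.find(principal);
    if (entry == acl_.end()) return Outcome::DENIED;  // no rule: deny
    return entry->second.count(executor->user) ? Outcome::ALLOWED
                                               : Outcome::DENIED;
  }

private:
  std::map<std::string, std::set<std::string>> acl_;
};

// Maps the authorizer result to the HTTP status sent to the client.
int httpStatus(Outcome outcome) {
  switch (outcome) {
    case Outcome::ALLOWED: return 200;
    case Outcome::DENIED:  return 403;  // Forbidden: a real policy decision
    case Outcome::FAILED:  return 503;  // ServiceUnavailable: nothing to decide
  }
  return 500;
}

int main() {
  std::map<std::string, std::set<std::string>> acl;  // constructed sample ACL
  acl["ops"].insert("root");
  LocalAuthorizer authorizer(acl);
  std::cout << httpStatus(authorizer.authorizeSandboxAccess("ops", nullptr))
            << "\n";
}
```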