The HTTP scheduler and executor APIs contain implicit authorization rules. Roughly stated, the rule is that schedulers and executors can only perform actions for/on schedulers/executors with the same principal. For example, schedulers can only launch tasks on schedulers with the same principal, and executors can only launch nested containers within an executor using the same principal.
These implicit authorization rules should be moved into the authorizer to maintain separation of authorization logic consistent with the rest of the Mesos codebase.
Note that these rules will be unnecessary in the V0 scheduler/executor APIs due to their implementation. Since V0 schedulers and executors authenticate once when their persistent TCP connection is established, the implicit authorization of subsequent actions performed on that connection is inherent to the implementation.