mesos-reviews mailing list archives

From "Alexander Rukletsov" <ruklet...@gmail.com>
Subject Re: Review Request 39989: [5/5] Added framework authorization for dynamic reservation.
Date Thu, 03 Dec 2015 00:46:19 GMT


> On Dec. 2, 2015, 4:05 p.m., Alexander Rukletsov wrote:
> > src/master/master.cpp, lines 3041-3043
> > <https://reviews.apache.org/r/39989/diff/12/?file=1150229#file1150229line3041>
> >
> >     We validate later on that if `principal` is `None`, reserve is aborted. IIUC,
> >     if `FrameworkInfo` does not specify principal, it cannot reserve resources. So the question
> >     is: do we need to check this first and only then proceed with authz?
> 
> Jie Yu wrote:
>     Alex, from the impl. perspective, we thought about that in the earlier iteration,
>     and found that it's quite difficult to do it cleanly given the current structure of the code.
>     We want validation to be done at the same place (`Master::_accept`).
>     
>     Also, we had some discussion on whether 'principal' in ReservationInfo needs to be
>     required or not (MESOS-3064). In the future, we might want to make it 'optional' so that a
>     framework without principal can also reserve resources (its reserved resources can be unreserved
>     by anyone).
>     
>     So I would suggest we keep the current structure and add a comment here saying that:
>     currently, if framework's principal is not specified, the operation validation will fail in
>     `_accept` even though authorization might succeed.
> 
> Greg Mann wrote:
>     I added a comment along the lines of Jie's suggestion.

Thanks a lot for the explanation and pointing me to the discussions in the ticket. It is very
valuable for me as we design authz for quota now.


- Alexander


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/39989/#review108654
-----------------------------------------------------------


On Dec. 2, 2015, 7:55 p.m., Greg Mann wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/39989/
> -----------------------------------------------------------
> 
> (Updated Dec. 2, 2015, 7:55 p.m.)
> 
> 
> Review request for mesos, Adam B, Jie Yu, Michael Park, and Till Toenshoff.
> 
> 
> Bugs: MESOS-3062
>     https://issues.apache.org/jira/browse/MESOS-3062
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Added framework authorization for dynamic reservation.
> Note: this review is continued from https://reviews.apache.org/r/37127/
> 
> 
> Diffs
> -----
> 
>   src/master/master.cpp b918ae4a0e7dc3cd41165fc4b683ae7b6f031821 
>   src/tests/reservation_tests.cpp 15d180f92ec0aea99e6f3a7d0b505c62bd207b61 
> 
> Diff: https://reviews.apache.org/r/39989/diff/
> 
> 
> Testing
> -------
> 
> This is the fifth in a chain of 5 patches. New reservation tests were added to `reservation_tests.cpp`
> to validate the authentication of framework reserve and unreserve operations using ACLs. `make
> check` was run to test after all patches were applied.
> 
> 
> Thanks,
> 
> Greg Mann
> 
>

