Hey Yan,

We were discussing this issue with James and I think this is not enough to guarantee that an agent won't be assigned (neither statically nor dynamically) resources under a certain role. The problem here is that nothing will prevent a principal from dynamically reserving resources later.

However, your approach does work if you want to treat static resources as dynamic ones. It does require, however, that agents register using different credentials (which I don't think is a bad idea).

What I was thinking now is to use only one authorization call, `RegisterAgent`, so that it looks at the whole `slave_info` message (that will require modifications in `mesos::ObjectApprover::Object`) and then checks the roles from the `slave_info`. Then for each reservation we would need to authorize not only the reservation action but the roles themselves with the principal used for agent registration, and compute a logical AND of the two results. There are indeed antecedents for this solution.

What I don't think we can get around is agents using different principals on registration, since we only authorize against principals and agent IDs are dynamically generated.

@jpeach do you have any objections or ideas here? @yan could you discuss this with @jpeach?

Finally @yan, you have been working without a shepherd and I really recommend you get one in order to get this through. I could help here but I may lack some of the context that James has. I guess it's up to you.

Best,
Alexander Rojas
alexan...@mesosphere.io

> On 12. Dec 2017, at 20:31, Yan Xu <y...@jxu.me> wrote:
>
> Hi,
>
> In https://issues.apache.org/jira/browse/MESOS-8306 I am proposing that we
> use an ACL to restrict the roles that agents can statically reserve
> resources for, to address a security concern in which a process on a
> compromised host can impersonate an agent and then reserve
> resources for arbitrary roles.
>
> Reusing the `reserve_resources` ACL for this purpose feels intuitive to me and
> I don't think it interferes with its use for authorizing dynamic
> reservations by the frameworks and operators.
>
> Are there any concerns about it?
>
> Also as part of this change I am revising the doc to change the wording on
> static reservations so that its use is not discouraged:
> https://reviews.apache.org/r/64516/diff
>
> Thanks,
> Yan
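To make the combined check Alexander sketches concrete, here is an added example (not code from the thread, nor from Mesos itself) in Python: it authorizes `register_agents` for the registering principal and then, for every role the agent statically reserves in its `slave_info`, authorizes `reserve_resources` for that (principal, role) pair, combining the results with a logical AND. The ACL JSON shape and the first-match plus `permissive` semantics are modelled on Mesos' ACL format but simplified; the sample ACLs, principal names, roles and the `SlaveInfo`-like dict are all constructed for the example.

```python
"""Added example: simplified evaluator for the combined agent-registration
check discussed above (register_agents AND reserve_resources per static role).
ACL shape and semantics are a simplified model of Mesos ACLs (assumption)."""
import json


def entity_matches(entity, value):
    """Match one ACL entity against a value.

    An entity is either {"values": [...]} (match if value is listed) or
    {"type": "ANY" | "NONE"}.  A missing 'type' is treated as ANY (assumption).
    """
    if "values" in entity:
        return value in entity["values"]
    kind = entity.get("type", "ANY")
    if kind == "ANY":
        return True
    if kind == "NONE":
        return False
    raise ValueError(f"unknown ACL entity type {kind!r}")


def authorize(acls, action, principal, object_key, object_value):
    """First-match semantics: the first rule under `action` whose 'principals'
    matches the principal decides; if no rule matches, 'permissive' decides
    (default True, as in Mesos)."""
    for rule in acls.get(action, []):
        if entity_matches(rule["principals"], principal):
            return entity_matches(rule[object_key], object_value)
    return acls.get("permissive", True)


def static_reservation_roles(slave_info):
    """Roles the agent statically reserves for: the 'role' of each resource
    other than the default '*' (unreserved).  Ordered and de-duplicated."""
    roles = []
    for resource in slave_info.get("resources", []):
        role = resource.get("role", "*")
        if role != "*" and role not in roles:
            roles.append(role)
    return roles


def authorize_agent_registration(acls, principal, slave_info):
    """Return (allowed, reasons).  Registration is allowed only if the
    principal may register agents AND may reserve for every role that the
    agent's slave_info statically reserves (logical AND of both checks)."""
    reasons = []
    if not authorize(acls, "register_agents", principal, "agents", None):
        reasons.append(f"principal {principal!r} may not register agents")
    for role in static_reservation_roles(slave_info):
        if not authorize(acls, "reserve_resources", principal, "roles", role):
            reasons.append(f"principal {principal!r} may not reserve for role {role!r}")
    return (not reasons, reasons)


# Constructed sample ACLs for the example (not from any real deployment).
SAMPLE_ACLS = json.loads("""{
  "permissive": false,
  "register_agents": [
    {"principals": {"values": ["agent-a", "agent-b"]}, "agents": {"type": "ANY"}}
  ],
  "reserve_resources": [
    {"principals": {"values": ["agent-a"]}, "roles": {"values": ["analytics"]}},
    {"principals": {"values": ["agent-b"]}, "roles": {"type": "NONE"}}
  ]
}""")


def sample_slave_info(*roles):
    """Constructed SlaveInfo-like dict with one cpus resource per given role."""
    return {
        "hostname": "agent.example",  # placeholder hostname
        "resources": [
            {"name": "cpus", "type": "SCALAR", "scalar": {"value": 2}, "role": r}
            for r in roles
        ],
    }


if __name__ == "__main__":
    cases = [
        ("agent-a", ("analytics",)),         # allowed: may reserve for analytics
        ("agent-a", ("analytics", "ops")),   # denied: 'ops' not permitted
        ("agent-b", ("analytics",)),         # denied: roles NONE
        ("agent-c", ("*",)),                 # denied: unknown principal, non-permissive
    ]
    for principal, roles in cases:
        allowed, reasons = authorize_agent_registration(
            SAMPLE_ACLS, principal, sample_slave_info(*roles))
        print(principal, roles, "ALLOW" if allowed else "DENY", reasons)
```

Note that, as Alexander points out, this only gates what an agent may statically reserve at registration; a separate principal with `reserve_resources` rights can still create dynamic reservations for the same roles later, so the per-role check has to be applied to those requests as well.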