Hi all, as you probably know, asynchronous authorization step in Mesos master and agent code causes a number of performance/design issues and outright bugs (see https://issues.apache.org/jira/browse/MESOS-10056). To deal with those issues, myself and a few of my colleagues are considering a design which will reuse the existing ObjectApprover interface for synchronous authorization.
The main drawback of this design is that existing custom Authorizer implementations will need to be adapted. Currently, Mesos code uses the returned Approver for authorizing a single API call/event, and disposes of the approver immediately after that. Note that Authorizer interface documentation does not require Mesos to behave this way; it states nothing about the lifetime/expiration of the returned ObjectApprover inside of Mesos. The reference implementation (LocalAuthorizer) does not rely on this behaviour, but custom implementations might be implicitly expecting it (some of them indeed are). Using ObjectApprover interface for synchronous authorization will change the ObjectApprover life cycle in Mesos. Mesos master, and probably also agent, will be storing ObjectApprovers for long-lived principals for at least as long as the principal is subscribed. Thus, custom Authorizers will be required to implement a method that returns an ObjectApprover which never expires, with its state refreshed by the Authorizer when needed, in a thread-safe way. We intend to put part of the code needed for approver refresh alongside Mesos, both to facilitate adding Mesos tests with non-idempotent approvers and to simplify adapting custom authorizers. A more detailed design proposal will follow, but before that we would like to figure out: how many custom Authorizer implementations there actually are and how hard will it be for their maintainers to adapt them for this breaking change? If you own (or are aware of) an existing actively used custom Authorizer implementation, please let us know. Thanks, Andrei Sekretenko Software Engineer at D2iQ (previously known as Mesosphere)
