[ https://issues.apache.org/jira/browse/MESOS-3065?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Marco Massenzio updated MESOS-3065: ----------------------------------- Sprint: Mesosphere Sprint 16, Mesosphere Sprint 22 (was: Mesosphere Sprint 16, Mesosphere Sprint 22, Mesosphere Sprint 23) > Add framework authorization for persistent volume > ------------------------------------------------- > > Key: MESOS-3065 > URL: https://issues.apache.org/jira/browse/MESOS-3065 > Project: Mesos > Issue Type: Task > Reporter: Michael Park > Assignee: Greg Mann > Labels: mesosphere, persistent-volumes > > Persistent volume should be authorized with the {{principal}} of the > reserving entity (framework or master). The idea is to introduce {{Create}} > and {{Destroy}} into the ACL. > {code} > message Create { > // Subjects. > required Entity principals = 1; > // Objects? Perhaps the kind of volume? allowed permissions? > } > message Destroy { > // Subjects. > required Entity principals = 1; > // Objects. > required Entity creator_principals = 2; > } > {code} > When a framework creates a persistent volume, "create" ACLs are checked to > see if the framework (FrameworkInfo.principal) or the operator > (Credential.user) is authorized to create persistent volumes. If not > authorized, the create operation is rejected. > When a framework destroys a persistent volume, "destroy" ACLs are checked to > see if the framework (FrameworkInfo.principal) or the operator > (Credential.user) is authorized to destroy the persistent volume created by a > framework or operator (Resource.DiskInfo.principal). If not authorized, the > destroy operation is rejected. > A separate ticket will use the structures created here to enable > authorization of the "/create" and "/destroy" HTTP endpoints: > https://issues.apache.org/jira/browse/MESOS-3903 -- This message was sent by Atlassian JIRA (v6.3.4#6332)