mesosphere / marathon-example-plugins

Example Plugins for Marathon Plugin Interface
Apache License 2.0

Authorizer plugin extension should provide more info than just the PathId #7

Closed metskem closed 8 years ago

metskem commented 8 years ago

Hi, I have posted this question earlier at https://github.com/mesosphere/marathon/issues/2905, but maybe that wasn't the best place to ask, so posting here now.

We have been playing around with the new plugin extensions. The authentication plugin is fine for us; we could implement some LDAP-based authentication in there.

We also had a look at the Authorizer plugin, but we think its usability (for us) is a bit limited because the parameters passed to the isAuthorized() method do not offer enough information. The current method parameters are: Identity, Action and Path. And I think we would like to have the complete App at our disposal.

A bit of background and intended use case information:

The primary use case for using the plugins is offering reliable multi-tenancy. We expect dozens of teams to work in the same mesos/marathon cluster. We like to isolate teams from each other:

Also, we like to put some validations in place, for example:

Also we would like to have some sort of auditing.

Since we now only have the PathId, we don't think that the above is possible.

What is your advice?

Thanks in advance, Harry

aquamatthias commented 8 years ago

Answered in mesosphere/marathon#2905.