search

twosigma / Cook

Fair job scheduler on Kubernetes and Mesos for batch workloads and Spark
Apache License 2.0
338 stars 63 forks source link

Mesos framework principal secret #174

Open m4ce opened 8 years ago

m4ce commented 8 years ago

Hi,

is there any way of specifying the principal's secret for the Cook mesos framework?

Kind regards, Matteo

wyegelwel commented 8 years ago

I want to make sure I answer the correct question; is this the principal in this case running cook or the client? And is the concern a client talking to cook or cook talking to mesos?

m4ce commented 8 years ago

it's the principal for the mesos cook framework, so cook talking to mesos (see http://mesos.apache.org/documentation/latest/authentication/).

wyegelwel commented 8 years ago

We don't currently have support for setting the principal's secret however we would be thrilled to accept a PR for it. If you would be interested in working on it, I can point you to the places in the code I expect need to change to make it happen.

m4ce commented 8 years ago

Hi @wyegelwel,

I'm not such a clojure developer. However, I would be interested in contributing. If you could point out where the changes should happen, I'll give it a shot.

Thanks, Matteo

wyegelwel commented 8 years ago

Hey @m4ce,

Sorry for the delay, I was on vacation =)

I think it should require changes in a few places:

  1. https://github.com/twosigma/Cook/blob/master/scheduler/src/cook/mesos.clj#L135 to include a secret if it is set. I would recommend using cond here
  2. https://github.com/twosigma/Cook/blob/master/scheduler/src/cook/mesos.clj#L80 to take a mesos-secret as a parameter
  3. https://github.com/twosigma/Cook/blob/master/scheduler/src/cook/components.clj#L81 to grab mesos-secret out of settings and pass it to start-mesos-scheduler
  4. https://github.com/twosigma/Cook/blob/master/scheduler/src/cook/components.clj#L267 add a default for mesos-secret (nil is a good choice)
  5. https://github.com/twosigma/Cook/blob/master/scheduler/src/cook/components.clj#L342 add a line to pull mesos-secret out of the config (should look like mesos-principal)

Let me know if any of those doesn't make sense.

cnocito commented 7 years ago

Hi,

Sorry, I'm confused by this. How is the principal without a secret supposed to work? I'm not sure I understand the use case or how a mesos principal can be used without authentication.

Thanks, Carlos

PerilousApricot commented 7 years ago

@wyegelwel - Would you still accept a PR for this functionality? Like a followup comment mentioned, I'm not sure how it works to accept mesos principals and not their corresponding secret

DaoWen commented 7 years ago

@PerilousApricot - I think our principals might be working without secrets right now by using Kerberos. As for the PR, if Wil said we'd accept it before, I can't see why we wouldn't want it now. However, before you go and write all the code, I suggest that you outline your design for the patch here. (That will lessen the chance of needing to make major revisions on the PR after you open it.)

PerilousApricot commented 7 years ago

@DaoWen Excellent. It's been a few years since I've done lisp-y things, so hopefully it comes back easily...

In terms of the PR, I think the outline posted above makes sense. I would probably work by plumbing the secret alongside the principal as it wends its way from the configuration layer to the mesos layer then pass it along to mesos if it isn't nil