With the latest Mesos 0.15.0 release, we are pleased to report that we’ve added initial authentication support for frameworks (see MESOS-418) connecting to Mesos. In a nutshell, this feature allows only authenticated frameworks to register with Mesos and launch tasks. Authentication is important as it prevents rogue frameworks from causing problems that may impact the usage of resources within a Mesos cluster.
Mesos uses the excellent Cyrus SASL library to provide authentication. SASL is a very flexible authentication framework that allows two endpoints to authenticate with each other and also has support for various authentication mechanisms (e.g., ANONYMOUS, PLAIN, CRAM-MD5, GSSAPI).
In this release, Mesos uses SASL with the CRAM-MD5 authentication mechanism. The process for enabling authentication begins with the creation of an authentication credential that is unique to the framework. This credential constitutes a principal and secret pair, where principal refers to the identity of the framework. Note that the ‘principal’ is different from the framework user (the Unix user which executors run as) or the resource role (role that has reserved certain resources on a slave). These credentials should be shipped to the Mesos master machines, as well as given access to the framework, meaning that both the framework and the Mesos masters should be started with these credentials.
Once authentication is enabled, Mesos masters only allow authenticated frameworks to register. Authentication for frameworks is performed under the hood by the new scheduler driver.
For specific instructions on how to do this please read the upgrade instructions.
Adding authentication support for slaves
Similar to adding authentication support to frameworks, it would be great to add authentication support to the slaves. Currently any node in the network can run a Mesos slave process and register with the Mesos master. Requiring slaves to authenticate with the master before registration would prevent rogue slaves from causing problems like DDoSing the master or getting access to users tasks in the cluster.
Integrating with Kerberos
Currently the authentication support via shared secrets between frameworks and masters is basic to benefit usability. To improve upon this basic approach, a more powerful solution would be to integrate with an industry standard authentication service like Kerberos. A nice thing about SASL and one of the reasons we picked it is because of its support for integration with GSSAPI/Kerberos. We plan to leverage this support to integrate Kerberos with Mesos.
Authentication is only part of the puzzle when it comes to deploying and running applications securely in the cloud. Another crucial component is data encryption. Currently all the messages that flow through the Mesos cluster are un-encrypted making it possible for intruders to intercept and potentially control your task. We plan to add encryption support by adding SSL support to libprocess, the low-level communication library that Mesos uses which is responsible for all network communication between Mesos components.
We are also investigating authorizing principals to allow them access to only a specific set of operations like launching tasks or using resources. In fact, you could imagine a world where an authenticated ‘principal’ will be authorized to on behalf of a subset of ‘user’s and ‘role’s for launching tasks and accepting resources respectively. This authorization information could be stored in a directory service like LDAP.
While a lot of people contributed to this feature, we would like to give special thanks to Ilim Igur, our Google Summer of Code intern who started this project and contributed to the initial design and implementation.