[ https://issues.apache.org/jira/browse/MESOS-1678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14088409#comment-14088409 ]
Joe Smith commented on MESOS-1678: ---------------------------------- Yep, sounds great! > Any framework with credentials can kill any other framework via http > -------------------------------------------------------------------- > > Key: MESOS-1678 > URL: https://issues.apache.org/jira/browse/MESOS-1678 > Project: Mesos > Issue Type: Story > Reporter: Joe Smith > > Looking through [the review introducing the /shutdown http > endpoint|https://reviews.apache.org/r/22832], it appears that any framework's > credentials can be used to shutdown any other framework: > Around line 650: > {code} > foreach (const Credential& credential, master->credentials.get().http()) { > if (credential.principal() == username && > (!credential.has_secret() || credential.secret() == password)) { > // TODO(ijimenez) make removeFramework asynchronously > master->removeFramework(framework); > return OK(); > } > } > {code} > Thanks to [~adam-mesos], I looked into in [authorization > doc|https://github.com/apache/mesos/blob/master/docs/authorization.md], > however I don't see where the ACL-checking is happening within that code. -- This message was sent by Atlassian JIRA (v6.2#6252)