Adam B created MESOS-3024:
-----------------------------
Summary: HTTP endpoint authN is enabled merely by specifying
--credentials
Key: MESOS-3024
URL: https://issues.apache.org/jira/browse/MESOS-3024
Project: Mesos
Issue Type: Bug
Components: master, security
Reporter: Adam B
If I set `--credentials` on the master, framework and slave authentication are
allowed, but not required. On the other hand, http authentication is now
required for authenticated endpoints (currently only `/shutdown`). That means
that I cannot enable framework or slave authentication without also enabling
http endpoint authentication. This is undesirable.
Framework and slave authentication have separate flags (`--authenticate` and
`--authenticate_slaves`) to require authentication for each. It would be great
if there was also such a flag for framework authentication. Or maybe we get rid
of these flags altogether and rely on ACLs to determine which unauthenticated
principals are even allowed to authenticate for each endpoint/action.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
