[
https://issues.apache.org/jira/browse/MESOS-3143?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Artem Harutyunyan updated MESOS-3143:
-------------------------------------
Story Points: 2
> Disable endpoints rule fails to recognize HTTP path delegates
> -------------------------------------------------------------
>
> Key: MESOS-3143
> URL: https://issues.apache.org/jira/browse/MESOS-3143
> Project: Mesos
> Issue Type: Bug
> Components: libprocess, master, slave
> Affects Versions: 0.23.0
> Reporter: Alexander Rojas
> Labels: easyfix, mesosphere, security
>
> In Mesos, one can use the flag {{--firewall_rules}} to disable endpoints.
> Disabled endpoints will return a _403 Forbidden_ response whenever someone
> tries to access endpoints.
> Libprocess supports adding one default delegate for endpoints, which is the
> default process id which handles endpoints if no process id was given. For
> example, the default id of the master libprocess process is {{master}} which
> is also set as the delegate for the master system process, so a request to
> the endpoint {{http://master-address:5050/state.json}} will effectively be
> resolved by {{http://master-address:5050/master/state.json}}. But if one
> disables {{/state.json}}, because of how delegates work, one can still access
> {{/master/state.json}}.
> The only workaround is to disable both endpoints.
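A small model of the behaviour described in the report, added here as an illustration and not taken from Mesos or libprocess: it compares a rule that matches the request path as written with one that resolves the delegate first, and generates the "disable both endpoints" workaround list. The function names, the `PROCESS_IDS` set and the `files` process id are assumptions made for the example; only the `master` delegate and the `/state.json` paths come from the report.

```python
# Constructed model of the issue; not Mesos or libprocess code.
PROCESS_IDS = {"master", "files"}   # assumed set of registered process ids
DELEGATE = "master"                 # delegate id named in the report


def normalize(path):
    """Drop any query string and surrounding slashes, keep one leading '/'."""
    return "/" + path.split("?", 1)[0].strip("/")


def resolve(path, process_ids=PROCESS_IDS, delegate=DELEGATE):
    """Return the path that actually serves the request: when the first
    segment is not a known process id, the delegate id is prepended."""
    p = normalize(path)
    first = p[1:].split("/", 1)[0]
    if first in process_ids:
        return p
    return ("/" + delegate + p).rstrip("/")


def literal_blocked(path, disabled):
    """Rule as the report describes it: compare the request path as written."""
    return normalize(path) in {normalize(d) for d in disabled}


def delegate_aware_blocked(path, disabled, delegate=DELEGATE):
    """Compare the resolved form of the request with the resolved rules."""
    rules = {resolve(d, delegate=delegate) for d in disabled}
    return resolve(path, delegate=delegate) in rules


def expand_rules(disabled, delegate=DELEGATE):
    """The report's workaround: list both spellings of every delegated path."""
    out = set()
    prefix = "/" + delegate + "/"
    for d in disabled:
        full = resolve(d, delegate=delegate)
        out.add(full)
        if full.startswith(prefix):
            out.add("/" + full[len(prefix):])
    return sorted(out)


if __name__ == "__main__":
    rules = ["/state.json"]
    for request in ("/state.json", "/master/state.json"):
        print(request, literal_blocked(request, rules),
              delegate_aware_blocked(request, rules))
    print(expand_rules(rules))
```

Feeding an existing list of disabled paths through `expand_rules` shows which delegated spellings are missing from it.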