[jira] [Commented] (MESOS-3024) HTTP endpoint authN is enabled merely by specifying --credentials

Tue, 10 Nov 2015 16:47:32 -0800 

    [ 
https://issues.apache.org/jira/browse/MESOS-3024?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14999696#comment-14999696
 ] 

Marco Massenzio commented on MESOS-3024:
----------------------------------------

I am unclear about this:
{quote}
It would be great if there was also such a flag for framework authentication.
{quote}
Is this a typo? ({{--authenticate}} does exactly that)

Looking at 
[master/http.cpp|https://github.com/apache/mesos/blob/master/src/master/http.cpp#L375]:
{code}
  if (master->flags.authenticate_frameworks) {
    return Unauthorized(
        "Mesos master",
        "HTTP schedulers are not supported when authentication is required");
  }
{code}

It seems to me that the HTTP API requires authentication for *all* request 
types; and that is required only when {{--authenticate}} is set on the master: 
when [master sets the {{credentials}} 
flag|https://github.com/apache/mesos/blob/master/src/master/master.cpp#L425] 
the former is not touched.

To test this, I launched a Master with {{--credentials}} but no 
{{--authenticate}} and then registered a framework via the HTTP API and also 
received an offer - it all worked just fine.

I am assuming here that I'm missing something fundamental, can folks please 
clarify what the issue is?

Thanks!

> HTTP endpoint authN is enabled merely by specifying --credentials
> -----------------------------------------------------------------
>
>                 Key: MESOS-3024
>                 URL: https://issues.apache.org/jira/browse/MESOS-3024
>             Project: Mesos
>          Issue Type: Bug
>          Components: master, security
>            Reporter: Adam B
>            Assignee: Marco Massenzio
>              Labels: authentication, http, mesosphere
>
> If I set `--credentials` on the master, framework and slave authentication 
> are allowed, but not required. On the other hand, http authentication is now 
> required for authenticated endpoints (currently only `/shutdown`). That means 
> that I cannot enable framework or slave authentication without also enabling 
> http endpoint authentication. This is undesirable.
> Framework and slave authentication have separate flags (`\--authenticate` and 
> `\--authenticate_slaves`) to require authentication for each. It would be 
> great if there was also such a flag for framework authentication. Or maybe we 
> get rid of these flags altogether and rely on ACLs to determine which 
> unauthenticated principals are even allowed to authenticate for each 
> endpoint/action.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to