[jira] [Commented] (MESOS-3024) HTTP endpoint authN is enabled merely by specifying --credentials

Tue, 10 Nov 2015 16:50:58 -0800 

    [ 
https://issues.apache.org/jira/browse/MESOS-3024?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14999702#comment-14999702
 ] 

Marco Massenzio commented on MESOS-3024:
----------------------------------------

BTW - shutting down the framework works too:
{noformat}
I1111 00:48:02.558192  2789 http.cpp:336] HTTP POST for 
/master//api/v1/scheduler from 192.168.33.1:52509 with 
User-Agent='python-requests/2.7.0 CPython/2.7.10 Darwin/15.0.0'
I1111 00:48:02.558320  2789 master.cpp:5571] Removing framework 
0878d422-0e83-4b15-8a26-f04a6e3d829f-0000 (Example HTTP Framework)
I1111 00:48:02.558527  2789 hierarchical.hpp:599] Deactivated framework 
0878d422-0e83-4b15-8a26-f04a6e3d829f-0000
I1111 00:48:02.558600  2789 hierarchical.hpp:1103] Recovered 
ports(*):[9000-10000]; ephemeral_ports(*):[32768-57344]; cpus(*):1; mem(*):496; 
disk(*):35164 (total: ports(*):[9000-10000]; ephemeral_ports(*):[32768-57344]; 
cpus(*):1; mem(*):496; disk(*):35164, allocated: ) on slave 
e08833af-00af-44c6-abd1-bc666b1949c0-S0 from framework 
0878d422-0e83-4b15-8a26-f04a6e3d829f-0000
I1111 00:48:02.558624  2789 hierarchical.hpp:552] Removed framework 
0878d422-0e83-4b15-8a26-f04a6e3d829f-0000
{noformat}
no authentication provided on this call either.

> HTTP endpoint authN is enabled merely by specifying --credentials
> -----------------------------------------------------------------
>
>                 Key: MESOS-3024
>                 URL: https://issues.apache.org/jira/browse/MESOS-3024
>             Project: Mesos
>          Issue Type: Bug
>          Components: master, security
>            Reporter: Adam B
>            Assignee: Marco Massenzio
>              Labels: authentication, http, mesosphere
>
> If I set `--credentials` on the master, framework and slave authentication 
> are allowed, but not required. On the other hand, http authentication is now 
> required for authenticated endpoints (currently only `/shutdown`). That means 
> that I cannot enable framework or slave authentication without also enabling 
> http endpoint authentication. This is undesirable.
> Framework and slave authentication have separate flags (`\--authenticate` and 
> `\--authenticate_slaves`) to require authentication for each. It would be 
> great if there was also such a flag for framework authentication. Or maybe we 
> get rid of these flags altogether and rely on ACLs to determine which 
> unauthenticated principals are even allowed to authenticate for each 
> endpoint/action.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to