[
https://issues.apache.org/jira/browse/MESOS-5335?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Yongqiao Wang reassigned MESOS-5335:
------------------------------------
Assignee: Yongqiao Wang
> Add authorization to GET /weights
> ---------------------------------
>
> Key: MESOS-5335
> URL: https://issues.apache.org/jira/browse/MESOS-5335
> Project: Mesos
> Issue Type: Improvement
> Components: master, security
> Reporter: Adam B
> Assignee: Yongqiao Wang
> Labels: mesosphere, security
> Fix For: 0.29.0
>
>
> We already authorize which http users can update weights for particular
> roles, but even knowing of the existence of these roles (let alone their
> weights) may be sensitive information. We should add authz around GET
> operations on /weights.
> Easy option: GET_ENDPOINT_WITH_PATH /weights
> - Pro: No new verb
> - Con: All or nothing
> Complex option: GET_WEIGHTS_WITH_ROLE
> - Pro: Filters contents based on roles the user is authorized to see
> - Con: More authorize calls (one per role in each /weights request)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
