[
https://issues.apache.org/jira/browse/MESOS-5336?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15280485#comment-15280485
]
Zhitao Li commented on MESOS-5336:
----------------------------------
I think I can come up with an implementation for {{GET_QUOTA_WITH_ROLE}} using
{{stout::collect}} on a list of futures.
Question: if we have {{GET_QUOTA_WITH_ROLE}}, do you think we still want to
guard {{/quota}} endpoint with {{GET_ENDPOINT_WITH_PATH}}? The closest
alternative would be an ACL of {{ANY}} or {{NONE}} role, but it probably would
return empty map rather than {{Forbidden}}.
I have no strong opinion here. I'll try a diff on top my previous review while
wait for your answer.
> Add authorization to GET /quota
> -------------------------------
>
> Key: MESOS-5336
> URL: https://issues.apache.org/jira/browse/MESOS-5336
> Project: Mesos
> Issue Type: Improvement
> Components: master, security
> Reporter: Adam B
> Labels: mesosphere, security
> Fix For: 0.29.0
>
>
> We already authorize which http users can set/remove quota for particular
> roles, but even knowing of the existence of these roles (let alone their
> quotas) may be sensitive information. We should add authz around GET
> operations on /quota.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
