[ https://issues.apache.org/jira/browse/MESOS-5588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15335506#comment-15335506 ]
Alexander Rojas commented on MESOS-5588:
----------------------------------------

# What you describe is not an ACLs problem but it affects every protobuf/json conversion in Mesos, so probably we should open another Jira entry for that.
# I do not think the behavior you describe is a blocker, since it doesn't represent a regression nor a change in the API; the patch provided deals with the blocked part. But what you suggest sounds more like a low priority wish.

> Improve error handling when parsing acls.
> -----------------------------------------
>
>                 Key: MESOS-5588
>                 URL: https://issues.apache.org/jira/browse/MESOS-5588
>             Project: Mesos
>          Issue Type: Improvement
>            Reporter: Joerg Schad
>            Assignee: Joerg Schad
>            Priority: Blocker
>              Labels: mesosphere, security
>             Fix For: 1.0.0
>
>
> During parsing of the authorizer, errors are ignored. This can lead to
> undetected security issues.
> Consider the following acl with a typo (usr instead of user)
> {code}
> "view_frameworks": [
>   {
>     "principals": { "type": "ANY" },
>     "usr": { "type": "NONE" }
>   }
> ]
> {code}
> When the master is started with these flags it will interpret the acl in the
> following way which gives any principal access to any framework.
> {noformat}
> view_frameworks {
>   principals {
>     type: ANY
>   }
> }
> {noformat}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
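An added example (not Mesos code) contrasting the two parsing behaviours the issue discusses: a lenient loader that drops unknown keys and yields exactly the permissive ACL shown above, and a strict one that reports the mistyped key instead. The set of allowed keys for a view_frameworks entry is an assumption standing in for the Mesos protobuf definition.

```python
import json

# Assumed key set for one view_frameworks entry; the Mesos protobuf definition
# is the authority, this stand-in exists only for the example.
VIEW_FRAMEWORKS_KEYS = {"principals", "users"}

# Constructed input: the ACL from the issue, with the object clause mistyped.
ACL_JSON = """
{
  "view_frameworks": [
    {
      "principals": { "type": "ANY" },
      "usr": { "type": "NONE" }
    }
  ]
}
"""

def parse_lenient(text):
    """Keep known keys and silently drop the rest: the reported behaviour."""
    acls = json.loads(text)
    return {"view_frameworks": [
        {k: v for k, v in entry.items() if k in VIEW_FRAMEWORKS_KEYS}
        for entry in acls.get("view_frameworks", [])]}

def unknown_fields(text):
    """Return (path, key) pairs that the assumed schema does not define."""
    acls = json.loads(text)
    return [(f"view_frameworks[{i}]", k)
            for i, entry in enumerate(acls.get("view_frameworks", []))
            for k in sorted(set(entry) - VIEW_FRAMEWORKS_KEYS)]

def parse_strict(text):
    """Reject the ACL on any unknown key instead of guessing: the requested fix."""
    bad = unknown_fields(text)
    if bad:
        raise ValueError("unknown ACL field(s): "
                         + ", ".join(f"{p}.{k}" for p, k in bad))
    return json.loads(text)

def is_permissive(acls):
    """True when some entry has no 'users' clause, so the matching principals
    are granted every framework (the effect described in the issue)."""
    return any("users" not in e for e in acls["view_frameworks"])

if __name__ == "__main__":
    acl = parse_lenient(ACL_JSON)
    print("lenient:", acl, "permissive:", is_permissive(acl))
    print("strict would reject:", unknown_fields(ACL_JSON))
```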