[ https://issues.apache.org/jira/browse/MESOS-5150?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15347978#comment-15347978 ]

Adam B commented on MESOS-5150:
-------------------------------

commit 9c9823bf5b6940e4f05fdae4fa0b339af7a57171
Author: Alexander Rojas <[email protected]>
Date: Fri Jun 24 00:25:43 2016 -0700

Enabled fine grained authorization in the Agent.

While information about frameworks, executors and tasks was well
protected in the master, this information was not protected in the
agents, which enabled unauthorized users to verify the data by getting
the agent `/state` endpoint. This was particularly pressing since the
Mesos UI would work as a proxy for agents' endpoints so even being
behind a firewall would not have been enough.

Review: https://reviews.apache.org/r/49082/

> Authorize Agent HTTP Endpoints
> ------------------------------
>
> Key: MESOS-5150
> URL: https://issues.apache.org/jira/browse/MESOS-5150
> Project: Mesos
> Issue Type: Epic
> Components: security, slave
> Reporter: Adam B
> Assignee: Alexander Rojas
> Priority: Blocker
> Labels: agent, authorization, mesosphere, security, slave
> Fix For: 1.0.0
>
>
> As we add authentication in agent HTTP endpoint handlers in MESOS-4847, we
> now have the opportunity to perform ACL-based authorization on these
> endpoints.
> Most important is the authorization of the /files endpoints, as those allow
> access to executor sandboxes (and agent logs), and the operator may wish to
> control which users may access which sandboxes.
> Similarly, the operator may only want certain users to be able to view agent
> flags, change logging level, enable the profiler, etc.