Adam B created MESOS-5705:
-----------------------------
Summary: ZK credential is exposed in /flags and /state
Key: MESOS-5705
URL: https://issues.apache.org/jira/browse/MESOS-5705
Project: Mesos
Issue Type: Task
Components: master, security
Reporter: Adam B
Fix For: 1.0.0
Mesos allows zk credentials to be embedded in the zk url, but exposes these
credentials in the /flags and /state endpoint. Even though /state is
authorized, it only filters out frameworks/tasks, so the top-level flags are
shown to any authenticated user.
"zk": "zk://dcos_mesos_master:[email protected]:2181/mesos",
We need to find some way to hide this data, or even add a first-class
VIEW_FLAGS acl that applies to any endpoint that exposes flags.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
