[
https://issues.apache.org/jira/browse/MESOS-5705?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Adam B updated MESOS-5705:
--------------------------
Priority: Critical (was: Major)
> ZK credential is exposed in /flags and /state
> ---------------------------------------------
>
> Key: MESOS-5705
> URL: https://issues.apache.org/jira/browse/MESOS-5705
> Project: Mesos
> Issue Type: Task
> Components: master, security
> Reporter: Adam B
> Priority: Critical
> Labels: mesosphere, security
> Fix For: 1.0.0
>
>
> Mesos allows zk credentials to be embedded in the zk url, but exposes these
> credentials in the /flags and /state endpoint. Even though /state is
> authorized, it only filters out frameworks/tasks, so the top-level flags are
> shown to any authenticated user.
> "zk": "zk://dcos_mesos_master:[email protected]:2181/mesos",
> We need to find some way to hide this data, or even add a first-class
> VIEW_FLAGS acl that applies to any endpoint that exposes flags.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
