[ https://issues.apache.org/jira/browse/MESOS-5710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15350138#comment-15350138 ]
Adam B commented on MESOS-5710:
-------------------------------
This is not new, and is not limited just to /logging/toggle, so I think we can
defer this past 1.0.
> The /logging/toggle endpoint accepts requests with any http method
> ------------------------------------------------------------------
>
> Key: MESOS-5710
> URL: https://issues.apache.org/jira/browse/MESOS-5710
> Project: Mesos
> Issue Type: Task
> Reporter: Adam B
> Assignee: Adam B
> Priority: Minor
> Labels: mesosphere, security
> Fix For: 1.0.0
>
>
> Any of a GET, POST, PUT, or DELETE to
> `<master>/logging/toggle?level=INFO&duration=5mins` will set the log level
> and return 200. To be consistent with REST-like syntax, DELETE, GET, and even
> POST are wrong and should return a MethodNotAllowed.
> Once this endpoint no longer accepts GET, it is no longer appropriate to use
> the GET_ENDPOINT acl here. Instead we could create a new
> PUT_ENDPOINT_WITH_PATH acl (which hopefully ignores query params), or add a
> first-class TOGGLE_LOGGING acl.
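The behaviour the issue asks for, as an added example that is not Mesos or libprocess code: a handler that accepts only PUT on `/logging/toggle`, answers other methods with 405 and an `Allow` header, and authorizes on the path with the query string stripped. The `Request`, `Response`, `PutAcl`, `pathOf` and `handle` names and the `ops` principal are hypothetical.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>

// Hypothetical types for illustration; these are not Mesos or libprocess classes.
struct Request { std::string method; std::string url; };
struct Response { int status; std::map<std::string, std::string> headers; };

// Assumed ACL shape: path -> principals allowed to PUT to it.
using PutAcl = std::map<std::string, std::set<std::string>>;

// Path without the query string, so an ACL keyed on path is not
// affected by `?level=INFO&duration=5mins`.
std::string pathOf(const std::string& url) {
  return url.substr(0, url.find('?'));  // npos keeps the whole string
}

Response handle(const Request& req, const std::string& principal,
                const PutAcl& acl) {
  const std::string path = pathOf(req.url);
  if (path != "/logging/toggle") return Response{404, {}};

  // Only PUT may change the log level; other methods get 405 and an
  // Allow header naming the accepted method.
  if (req.method != "PUT") {
    Response r{405, {}};
    r.headers["Allow"] = "PUT";
    return r;
  }

  // Authorize on method + path, ignoring query parameters.
  auto entry = acl.find(path);
  if (entry == acl.end() || entry->second.count(principal) == 0)
    return Response{403, {}};

  return Response{200, {}};  // a real handler would set the log level here
}

int main() {
  PutAcl acl;
  acl["/logging/toggle"].insert("ops");  // constructed sample principal
  const std::string url = "/logging/toggle?level=INFO&duration=5mins";
  for (const char* m : {"GET", "POST", "DELETE", "PUT"})
    std::cout << m << " -> " << handle(Request{m, url}, "ops", acl).status << "\n";
}
```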