[ https://issues.apache.org/jira/browse/MESOS-5851?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15382673#comment-15382673 ]
Zhitao Li edited comment on MESOS-5851 at 7/18/16 5:36 PM:
-----------------------------------------------------------

Ideally, I hope Mesos can be un-opinionated about how operators run their clusters as much as it can.

One thing I liked about the ACL system is that there is a "permissive" field which regulates the default case. Sensitive organizations can (and probably should) set {{permissive=false}} for their ACL system.

Maybe we should also do something similar to authentication? For example, consider the following JSON:

{quote}
--http_endpoints_authenticate=
{
  "permissive": false, // authenticate by default
  "unauthenticated": ["/master/state", "/metrics/snapshot"], // optional list of endpoints that's always unauthenticated regardless
  "authenticated": ["/reserve", "/unreserve", "/create-volume", "/destroy-volume"], // optional list of endpoints that's always authenticated regardless
}
{quote}

then I believe this can satisfy any organization's need.

Another thing I'd like to point out is that authentication is used for providing {{principal}} for authorization, so any endpoint which requires AuthZ has to have AuthN turned on to be properly used.

was (Author: zhitao):

Ideally, I hope Mesos can be un-opinionated about how operators run their clusters as much as it can.

One thing I liked about the ACL system is that there is a "permissive" field which regulates the default case. Sensitive organizations can (and probably should) set `permissive=false` for their ACL system.

Maybe we should also do something similar to authentication? For example, consider the following JSON:

```
--http_endpoints_authenticate=
{
  "permissive": false, // authenticate by default
  "unauthenticated": ["/master/state", "/metrics/snapshot"], // optional list of endpoints that's always unauthenticated regardless
  "authenticated": ["/reserve", "/unreserve", "/create-volume", "/destroy-volume"], // optional list of endpoints that's always authenticated regardless
}
```

then I believe this can satisfy any organization's need.

Another thing I'd like to point out is that authentication is used for providing `principal` for authorization, so any endpoint which requires AuthZ has to have AuthN turned on to be properly used.

> Create mechanism to control authentication between different HTTP endpoints
> ---------------------------------------------------------------------------
>
>                 Key: MESOS-5851
>                 URL: https://issues.apache.org/jira/browse/MESOS-5851
>             Project: Mesos
>          Issue Type: Bug
>          Components: libprocess
>    Affects Versions: 1.0.0
>            Reporter: Zhitao Li
>              Labels: mesosphere, security
>
> All endpoints authentication is controlled by one single flag. We need this
> flag to be on so that `/reserve` `/unreserve` can get a principal.
> However, after 1.0, we cannot access important readonly endpoints
> `/master/state/` and `/metric/snapshot/` anymore w/o a password. The latter
> is detrimental on usability because many users don't have the supporting
> infra to distribute such metrics into every metrics collecting process yet.
> I'm looking towards a mechanism to at least allow unauthenticated access to
> selective whitelisted endpoints while keeping endpoints requiring AuthN/AuthZ
> still protected.
> quoting Joseph Wu, "we want a `--authenticate_http=true, but don't check`
> option"

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
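
The default-plus-override semantics proposed in the comment above, as an added example that is not part of the original message and is not Mesos code: a resolver that decides whether a request path must be authenticated, plus a check for the AuthZ-needs-AuthN point. The function names, the rejection of an endpoint listed in both lists, and the trailing-slash and query-string normalization are assumptions; the proposal does not specify them.

```python
import json

# Constructed policy in the shape proposed in the comment (valid JSON, comments removed).
POLICY_JSON = """
{
  "permissive": false,
  "unauthenticated": ["/master/state", "/metrics/snapshot"],
  "authenticated": ["/reserve", "/unreserve", "/create-volume", "/destroy-volume"]
}
"""

def normalize(path):
    """Drop query string and trailing slashes so '/master/state/' matches '/master/state'."""
    path = path.split("?", 1)[0].rstrip("/")
    return path or "/"

def load_policy(text):
    """Parse the policy; reject an endpoint listed as both authenticated and unauthenticated."""
    raw = json.loads(text)
    policy = {
        # Assumption: a missing "permissive" key fails closed (authenticate by default).
        "permissive": bool(raw.get("permissive", False)),
        "authenticated": {normalize(p) for p in raw.get("authenticated", [])},
        "unauthenticated": {normalize(p) for p in raw.get("unauthenticated", [])},
    }
    overlap = policy["authenticated"] & policy["unauthenticated"]
    if overlap:
        raise ValueError("endpoint in both lists: %s" % sorted(overlap))
    return policy

def requires_authentication(policy, path):
    """Explicit lists win; otherwise 'permissive' decides the default."""
    path = normalize(path)
    if path in policy["authenticated"]:
        return True
    if path in policy["unauthenticated"]:
        return False
    return not policy["permissive"]

def authz_without_authn(policy, authz_endpoints):
    """Endpoints that need a principal for authorization but would be served unauthenticated."""
    return sorted(p for p in map(normalize, authz_endpoints)
                  if not requires_authentication(policy, p))
```

Running `authz_without_authn` at startup against the set of endpoints that carry ACLs catches a permissive policy that would leave an authorized endpoint without a principal.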