[ 
https://issues.apache.org/jira/browse/MESOS-5851?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15382673#comment-15382673
 ] 

Zhitao Li edited comment on MESOS-5851 at 7/18/16 5:37 PM:
-----------------------------------------------------------

Ideally, I hope Mesos can be un-opinionated about how operators run their 
clusters as much as it can.

One thing I liked about the ACL system is that there is a "permissive" field 
which regulates the default case. Sensitive organizations can (and probably 
should) set {{permissive=false}} for their ACL system. Maybe we should also do 
something similar for authentication?

For example, consider the following JSON:

{quote}
--http_endpoints_authenticate=
{
   "permissive": false,
   "unauthenticated": ["/master/state", "/metrics/snapshot"],
   "authenticated": ["/reserve", "/unreserve", "/create-volume", "/destroy-volume"]
}
{quote}

As long as {{unauthenticated}} and {{authenticated}} are both optional, I 
believe this can satisfy any organization's need.

Another thing I'd like to point out is that authentication is used for providing 
{{principal}} for authorization, so any endpoint which requires AuthZ has to 
have AuthN turned on to be properly used.


was (Author: zhitao):
Ideally, I hope Mesos can be un-opinionated about how operators run their 
clusters as much as it can.

One thing I liked about the ACL system is that there is a "permissive" field 
which regulates the default case. Sensitive organizations can (and probably 
should) set {{permissive=false}} for their ACL system. Maybe we should also do 
something similar for authentication?

For example, consider the following JSON:

{quote}
--http_endpoints_authenticate=
{
   // authenticate by default
   "permissive": false,
   // optional list of endpoints that's always unauthenticated regardless
   "unauthenticated": ["/master/state", "/metrics/snapshot"],
   // optional list of endpoints that's always authenticated regardless
   "authenticated": ["/reserve", "/unreserve", "/create-volume", "/destroy-volume"]
}
{quote}

then I believe this can satisfy any organization's need.

Another thing I'd like to point out is that authentication is used for providing 
{{principal}} for authorization, so any endpoint which requires AuthZ has to 
have AuthN turned on to be properly used.

> Create mechanism to control authentication between different HTTP endpoints
> ---------------------------------------------------------------------------
>
>                 Key: MESOS-5851
>                 URL: https://issues.apache.org/jira/browse/MESOS-5851
>             Project: Mesos
>          Issue Type: Bug
>          Components: libprocess
>    Affects Versions: 1.0.0
>            Reporter: Zhitao Li
>              Labels: mesosphere, security
>
> All endpoints' authentication is controlled by one single flag. We need this 
> flag to be on so that `/reserve` `/unreserve` can get a principal.
> However, after 1.0, we cannot access important readonly endpoints 
> `/master/state/` and `/metric/snapshot/` anymore w/o a password. The latter 
> is detrimental on usability because many users don't have the supporting 
> infra to distribute such metrics into every metrics collecting process yet.
> I'm looking towards a mechanism to at least allow unauthenticated access to 
> selective whitelisted endpoints while keeping endpoints requiring AuthN/AuthZ 
> still protected.
> quoting Joseph Wu, "we want a `--authenticate_http=true, but don't check` 
> option"
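
The policy proposed in the comment above can be evaluated as below. This is an added example, not Mesos code and not part of the original comment. The `--http_endpoints_authenticate` value is only a proposal, the function names are hypothetical, and trailing-slash normalization and the strict fallback for an omitted `permissive` are assumptions.

```python
import json

# The flag value proposed in the comment (a proposal, not an existing Mesos flag).
PROPOSED = """{
  "permissive": false,
  "unauthenticated": ["/master/state", "/metrics/snapshot"],
  "authenticated": ["/reserve", "/unreserve", "/create-volume", "/destroy-volume"]
}"""


def _norm(path):
    # Assumption: a trailing slash names the same endpoint ("/master/state/").
    return path.rstrip("/") or "/"


def load_policy(text):
    raw = json.loads(text)
    policy = {
        # Assumption: an omitted "permissive" falls back to the strict default.
        "permissive": bool(raw.get("permissive", False)),
        # Both lists are optional, as the comment requires.
        "unauthenticated": {_norm(p) for p in raw.get("unauthenticated", [])},
        "authenticated": {_norm(p) for p in raw.get("authenticated", [])},
    }
    both = policy["unauthenticated"] & policy["authenticated"]
    if both:
        # An endpoint in both lists is ambiguous; refuse to start with it.
        raise ValueError("endpoints in both lists: %s" % sorted(both))
    return policy


def requires_authn(policy, path):
    path = _norm(path)
    if path in policy["authenticated"]:
        return True
    if path in policy["unauthenticated"]:
        return False
    # Unlisted endpoint: permissive=false means authenticate by default.
    return not policy["permissive"]


def authz_without_principal(policy, authz_endpoints):
    """Endpoints that need a principal for AuthZ but would skip AuthN."""
    return sorted(p for p in authz_endpoints if not requires_authn(policy, p))
```

Running `authz_without_principal` at startup against the endpoints that have ACLs catches the misconfiguration the comment warns about: an authorized endpoint that would never receive a `principal`.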


