[
https://issues.apache.org/jira/browse/MESOS-5851?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15385119#comment-15385119
]
Greg Mann commented on MESOS-5851:
----------------------------------
[~zhitao], thanks for putting together that suggested list of realms; I think
the realm approach could work well. Perhaps we could merge a few of the other
endpoints into the {{VIEWS}} realm? {{/metrics/snapshot,
/registrar(id)/registry, /flags, and /version}} seem like they might belong.
We could also consider grouping together more of the endpoints that modify
cluster state. We could combine the MAINTENANCE, OPERATORS, SCHEDULERS,
RESERVATIONS, TEARDOWN, and VOLUMES realms.
What do you think?
> Create mechanism to control authentication between different HTTP endpoints
> ---------------------------------------------------------------------------
>
> Key: MESOS-5851
> URL: https://issues.apache.org/jira/browse/MESOS-5851
> Project: Mesos
> Issue Type: Bug
> Components: libprocess
> Affects Versions: 1.0.0
> Reporter: Zhitao Li
> Labels: mesosphere, security
> Fix For: 1.0.0
>
>
> All endpoints authentication is controlled by one single flag. We need this
> flag to be on so that `/reserve` `/unreserve` can get a principal.
> However, after 1.0, we cannot access important readonly endpoints
> `/master/state/` and `/metric/snapshot/` anymore w/o a password. The latter
> is detrimental on usability because many users don't have the supporting
> infra to distribute such metrics into every metrics collecting process yet.
> I'm looking towards a mechanism to at least allow unauthenticated access to
> selective whitelisted endpoints while keep endpoints requiring AuthN/AuthZ
> still protected.
> quoting Joseph Wu, "we want a `--authenticate_http=true, but don't check`
> option"
> Proposed endpoint to realm grouping by [~zhitao]
> {quote}
> /////////////
> // Common realms shared by both master and agent
> ////////////
> FLAGS
> - /flags
>
> FILES
> - /files/browse
> - /files/browse.json
> - /files/debug
> - /files/debug.json
> - /files/download
> - /files/download.json
> - /files/read
> - /files/read.json
>
> LOGGING
> - /logging/toggle
>
> METRICS
> - /metrics/snapshot
>
> PROFILER
> - /profiler/start
> - /profiler/stop
>
> SYSTEMS
> - /system/stats.json
>
> VERSIONS
> - /version
>
> /////////////////
> // Additional master only realms
> ////////////////
> MAINTENANCE
> - /machine/down
> - /machine/up
> - /maintenance/schedule
> - /maintenance/status
>
> OPERATORS
> - /api/v1
>
> SCHEDULERS
> - /api/v1/scheduler
>
> REGISTRARS
> - /registrar(id)/registry
>
> RESERVATIONS
> - /reserve
> - /unreserve
> - /quota
> - /weights
>
> TEARDOWN
> - /teardown
>
> VIEWS
> - /frameworks
> - /roles
> - /roles.json
> - /slaves
> - /state
> - /state-summary
> - /state.json
> - /tasks
> - /tasks.json
>
> VOLUMES
> - /create-volumes
> - /destroy-volumes
>
> UNAUTHENTICATED
> - /health
> - /redirect
>
> ////////////////
> // Additional agent realms
> ////////////////
>
> OPERATORS
> - /api/v1
>
> VIEWS
> - /containers
> - /monitor/statistics
> - /monitor/statistics.json
> - /state
> - /state.json
>
> UNAUTHENTICATED
> - /api/v1/executor
> - /health
> {quote}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
