[
https://issues.apache.org/jira/browse/MESOS-5851?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15389196#comment-15389196
]
Adam B commented on MESOS-5851:
-------------------------------
I left out the endpoint help doc changes, as those require a little more
thought, and can wait until after Mesos 1.0.

commit e8ebbe5fe4189ef7ab046da2276a6abee41deeb2
Author: Greg Mann <[email protected]>
Date: Fri Jul 22 01:53:23 2016 -0700

    Updated CHANGELOG for new HTTP authentication flags.

    Review: https://reviews.apache.org/r/50332/

commit 70af2b04f038becb71108896f1c354477d55cb07
Author: Greg Mann <[email protected]>
Date: Fri Jul 22 01:51:01 2016 -0700

    Updated upgrades.md for new HTTP authentication flags.

    Review: https://reviews.apache.org/r/50333/

commit 52ae4a97b5581e74841feeccaba1b6c7d8ec311f
Author: Greg Mann <[email protected]>
Date: Fri Jul 22 01:42:38 2016 -0700

    Added readonly/readwrite auth flags to the docs.

    Review: https://reviews.apache.org/r/50322/

commit 6da4d2c90f25497eab0f3fdfb6cf039b50304fe1
Author: Zhitao Li <[email protected]>
Date: Fri Jul 22 01:19:51 2016 -0700

    Refactored common HTTP authenticator initialize into helper function.

    Review: https://reviews.apache.org/r/50320/

commit f6fea54bd744ca7fc698449b2879b03ae1cb0ed4
Author: Zhitao Li <[email protected]>
Date: Thu Jul 21 23:43:34 2016 -0700

    Separated AuthN for readonly and readwrite endpoints in Mesos.

    Changes included:
    - separate flags for readonly and readwrite endpoints;
    - helper function for registering http authenticator;
    - fixing existing tests.

    Review: https://reviews.apache.org/r/50223/

commit 3a52c3d65f311a9582de48ff58f721d047dd12fd
Author: Zhitao Li <[email protected]>
Date: Thu Jul 21 22:39:02 2016 -0700

    Separated readonly and readwrite realms in libprocess.

    Review: https://reviews.apache.org/r/50277/

> Create mechanism to control authentication between different HTTP endpoints
> ---------------------------------------------------------------------------
>
> Key: MESOS-5851
> URL: https://issues.apache.org/jira/browse/MESOS-5851
> Project: Mesos
> Issue Type: Bug
> Components: libprocess
> Affects Versions: 1.0.0
> Reporter: Zhitao Li
> Assignee: Zhitao Li
> Labels: mesosphere, security
> Fix For: 1.0.0
>
>
> All endpoint authentication is controlled by one single flag. We need this
> flag to be on so that `/reserve` and `/unreserve` can get a principal.
> However, after 1.0, we cannot access important readonly endpoints
> `/master/state/` and `/metric/snapshot/` anymore w/o a password. The latter
> is detrimental to usability because many users don't have the supporting
> infra to distribute such metrics into every metrics collecting process yet.
>
> I'm looking towards a mechanism to at least allow unauthenticated access to
> selectively whitelisted endpoints while keeping endpoints requiring AuthN/AuthZ
> still protected.
>
> Quoting Joseph Wu, "we want a `--authenticate_http=true, but don't check`
> option"
>
> Proposed endpoint to realm grouping by [~zhitao]:
> {quote}
> /////////////
> // Common realms shared by both master and agent
> ////////////
> FLAGS
> - /flags
>
> FILES
> - /files/browse
> - /files/browse.json
> - /files/debug
> - /files/debug.json
> - /files/download
> - /files/download.json
> - /files/read
> - /files/read.json
>
> LOGGING
> - /logging/toggle
>
> METRICS
> - /metrics/snapshot
>
> PROFILER
> - /profiler/start
> - /profiler/stop
>
> SYSTEMS
> - /system/stats.json
>
> VERSIONS
> - /version
>
> /////////////////
> // Additional master only realms
> ////////////////
> MAINTENANCE
> - /machine/down
> - /machine/up
> - /maintenance/schedule
> - /maintenance/status
>
> OPERATORS
> - /api/v1
>
> SCHEDULERS
> - /api/v1/scheduler
>
> REGISTRARS
> - /registrar(id)/registry
>
> RESERVATIONS
> - /reserve
> - /unreserve
> - /quota
> - /weights
>
> TEARDOWN
> - /teardown
>
> VIEWS
> - /frameworks
> - /roles
> - /roles.json
> - /slaves
> - /state
> - /state-summary
> - /state.json
> - /tasks
> - /tasks.json
>
> VOLUMES
> - /create-volumes
> - /destroy-volumes
>
> UNAUTHENTICATED
> - /health
> - /redirect
>
> ////////////////
> // Additional agent realms
> ////////////////
>
> OPERATORS
> - /api/v1
>
> VIEWS
> - /containers
> - /monitor/statistics
> - /monitor/statistics.json
> - /state
> - /state.json
>
> UNAUTHENTICATED
> - /api/v1/executor
> - /health
> {quote}
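
The single-realm problem described in the issue, and the readonly/readwrite split made by the commits above, as an added example. This is not Mesos or libprocess code and is not part of the original message. The Router class, the build() helper and the realm names are hypothetical; the four endpoints are the ones the issue names as readonly or as needing a principal.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>

// Simplified model, not Mesos or libprocess code: each endpoint is routed in a
// realm, and a realm demands credentials only if it has an authenticator.
enum class Decision { OK, UNAUTHORIZED, NOT_FOUND };

class Router {
public:
  void route(const std::string& path, const std::string& realm) {
    realmOf_[path] = realm;
  }
  void setAuthenticator(const std::string& realm) { guarded_.insert(realm); }
  // An empty principal means the request carried no valid credentials.
  Decision handle(const std::string& path, const std::string& principal) const {
    auto it = realmOf_.find(path);
    if (it == realmOf_.end()) return Decision::NOT_FOUND;
    if (guarded_.count(it->second) && principal.empty())
      return Decision::UNAUTHORIZED;
    return Decision::OK;
  }

private:
  std::map<std::string, std::string> realmOf_;  // endpoint -> realm
  std::set<std::string> guarded_;               // realms with an authenticator
};

// Realm names are constructed for this example. With split == false all four
// endpoints share one realm, so enabling either switch guards every endpoint.
Router build(bool split, bool authReadonly, bool authReadwrite) {
  const std::string ro = split ? "readonly" : "all";
  const std::string rw = split ? "readwrite" : "all";
  Router r;
  r.route("/state", ro);
  r.route("/metrics/snapshot", ro);
  r.route("/reserve", rw);
  r.route("/unreserve", rw);
  if (authReadonly) r.setAuthenticator(ro);
  if (authReadwrite) r.setAuthenticator(rw);
  return r;
}

int main() {
  Router r = build(true, false, true);  // split realms, only readwrite guarded
  std::cout << (r.handle("/reserve", "") == Decision::UNAUTHORIZED) << "\n";
  return 0;
}
```

With one shared realm, turning authentication on for `/reserve` also locks `/metrics/snapshot`; with split realms the readonly endpoints can stay open while the readwrite ones still reject requests that carry no principal.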