[
https://issues.apache.org/jira/browse/MESOS-7203?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gavin updated MESOS-7203:
-------------------------
Comment: was deleted
(was: www.rtat.net)
> Add a '--require_http_authentication' flag
> ------------------------------------------
>
> Key: MESOS-7203
> URL: https://issues.apache.org/jira/browse/MESOS-7203
> Project: Mesos
> Issue Type: Improvement
> Components: security
> Reporter: Greg Mann
> Priority: Major
> Labels: authentication, http, mesosphere
>
> The current HTTP authentication implementation in Mesos makes it difficult to
> properly authorize some operations when authentication is not enabled. The
> {{UNRESERVE}} and {{DESTROY}} operations use a {{principal}} field stored in
> {{ReservationInfo}}/{{DiskInfo}} for authorization. This means that in order
> to authorize properly, the principal responsible for the reservation/volume
> must be available when the {{RESERVE}}/{{CREATE}} operation is performed.
> However, if HTTP authentication is not enabled, then operators are not able
> to provide a principal.
>
> In order to resolve this issue, a new {{--require_http_authentication}}
> field could be added. This flag would complement the
> {{--http_authenticators}} flag. The new behavior would be as follows:
> * If {{--http_authenticators}} is set but
> {{--require_http_authentication}} is not set, the authenticators would be
> loaded as specified, but unauthenticated requests would be permitted. In the
> case of an HTTP request containing an {{Authorization}} header, the header
> would be used to construct a {{Principal}} to be passed to the handlers.
> * If {{--http_authenticators}} is set and
> {{--require_http_authentication}} is also set, the {{Principal}} would be
> extracted and passed to handlers as before, but all requests without an
> authenticated principal would be rejected.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
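The two-flag policy proposed in the quoted issue, and the UNRESERVE check that motivates it, sketched as an added Python example (this is not Mesos code; the "basic" authenticator, the credential store and the function names are assumptions for illustration):

```python
import base64
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed credential store for a hypothetical "basic" authenticator (example only).
CREDENTIALS = {"alice": "s3cret"}

class Unauthorized(Exception):
    """Request rejected: no authenticated principal where one is required."""

@dataclass
class AuthConfig:
    http_authenticators: Optional[str] = None    # e.g. "basic"; None = flag not set
    require_http_authentication: bool = False

def basic_authenticate(header: str) -> Optional[str]:
    """Return the principal named by a valid 'Basic' Authorization header, else None."""
    if not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:                       # malformed base64 or non-UTF-8 payload
        return None
    return user if CREDENTIALS.get(user) == password else None

def resolve_principal(config: AuthConfig, headers: Dict[str, str]) -> Optional[str]:
    """Apply the two-flag policy; None means the request proceeds without a principal."""
    if config.http_authenticators is None:
        return None                          # no authenticators loaded, nothing to check
    header = headers.get("Authorization")
    if header is None:
        if config.require_http_authentication:
            raise Unauthorized("authenticated principal required")
        return None                          # permitted anonymously while the flag is off
    principal = basic_authenticate(header)
    if principal is None:                    # assumption: bad credentials never downgrade to anonymous
        raise Unauthorized("invalid credentials")
    return principal

def authorize_unreserve(owner: Optional[str], requester: Optional[str]) -> bool:
    """UNRESERVE/DESTROY check against the principal stored at RESERVE/CREATE time."""
    # A reservation made without a principal (owner None) can never be matched,
    # which is exactly the gap --require_http_authentication is meant to close.
    return owner is not None and requester == owner
```

Note that a present but invalid Authorization header is rejected in both modes here; the issue text only covers the missing-header case, so that choice is an assumption of the example.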