[jira] [Commented] (MESOS-5708) Add authz to /files/debug

2016-07-10 Thread Adam B (JIRA) 

[ 
https://issues.apache.org/jira/browse/MESOS-5708?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15369473#comment-15369473
 ] 

Adam B commented on MESOS-5708:
---

commit 49db3424bb6ad906596449668735dafbe744626f
Author: Abhishek Dasgupta 
Date:   Sun Jul 10 00:56:42 2016 -0700

Added text for authorization in endpoint docs for '/files/debug'.

Review: https://reviews.apache.org/r/49794/


> Add authz to /files/debug
> -
>
> Key: MESOS-5708
> URL: https://issues.apache.org/jira/browse/MESOS-5708
> Project: Mesos
>  Issue Type: Task
>  Components: security
>Reporter: Adam B
>Assignee: Abhishek Dasgupta
>Priority: Minor
>  Labels: mesosphere, security
> Fix For: 1.0.0
>
>
> The /files/debug endpoint exposes the attached master/agent log paths and 
> every attached sandbox path, which includes the frameworkId and executorId. 
> Even if sandboxes are protected, we still don't want to expose this 
> information to unauthorized users.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (MESOS-5708) Add authz to /files/debug

2016-07-08 Thread Abhishek Dasgupta (JIRA) 

[ 
https://issues.apache.org/jira/browse/MESOS-5708?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15367411#comment-15367411
 ] 

Abhishek Dasgupta commented on MESOS-5708:
--

We missed to update '/files/debug' endpoint document for authorization.
Posted a trivial patch for this : https://reviews.apache.org/r/49794/

> Add authz to /files/debug
> -
>
> Key: MESOS-5708
> URL: https://issues.apache.org/jira/browse/MESOS-5708
> Project: Mesos
>  Issue Type: Task
>  Components: security
>Reporter: Adam B
>Assignee: Abhishek Dasgupta
>Priority: Minor
>  Labels: mesosphere, security
> Fix For: 1.0.0
>
>
> The /files/debug endpoint exposes the attached master/agent log paths and 
> every attached sandbox path, which includes the frameworkId and executorId. 
> Even if sandboxes are protected, we still don't want to expose this 
> information to unauthorized users.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (MESOS-5708) Add authz to /files/debug

2016-07-04 Thread Abhishek Dasgupta (JIRA) 

[ 
https://issues.apache.org/jira/browse/MESOS-5708?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15361635#comment-15361635
 ] 

Abhishek Dasgupta commented on MESOS-5708:
--

RR: https://reviews.apache.org/r/49600/

> Add authz to /files/debug
> -
>
> Key: MESOS-5708
> URL: https://issues.apache.org/jira/browse/MESOS-5708
> Project: Mesos
>  Issue Type: Task
>  Components: security
>Reporter: Adam B
>Assignee: Abhishek Dasgupta
>Priority: Minor
>  Labels: mesosphere, security
> Fix For: 1.0.0
>
>
> The /files/debug endpoint exposes the attached master/agent log paths and 
> every attached sandbox path, which includes the frameworkId and executorId. 
> Even if sandboxes are protected, we still don't want to expose this 
> information to unauthorized users.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (MESOS-5708) Add authz to /files/debug

2016-07-02 Thread Alexander Rojas (JIRA) 

[ 
https://issues.apache.org/jira/browse/MESOS-5708?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15360109#comment-15360109
 ] 

Alexander Rojas commented on MESOS-5708:


The only issue there is if we want to construct the files object with an 
authorizer, or if {{/files/debug}} should use a callback function as the 
sandboxes are protected. I like the first one better because its consistent 
with how the authorizers are build, but the second separates the files for even 
having to know about an authorizer.

> Add authz to /files/debug
> -
>
> Key: MESOS-5708
> URL: https://issues.apache.org/jira/browse/MESOS-5708
> Project: Mesos
>  Issue Type: Task
>  Components: security
>Reporter: Adam B
>Assignee: Abhishek Dasgupta
>Priority: Minor
>  Labels: mesosphere, security
> Fix For: 1.0.0
>
>
> The /files/debug endpoint exposes the attached master/agent log paths and 
> every attached sandbox path, which includes the frameworkId and executorId. 
> Even if sandboxes are protected, we still don't want to expose this 
> information to unauthorized users.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (MESOS-5708) Add authz to /files/debug

2016-07-01 Thread Adam B (JIRA) 

[ 
https://issues.apache.org/jira/browse/MESOS-5708?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15359793#comment-15359793
 ] 

Adam B commented on MESOS-5708:
---

Hi [~a10gupta], thanks for signing up for this JIRA. We'd love to get it into 
the upcoming 1.0.0-rc2, and I'd be happy to shepherd you. After speaking to 
[~arojas], we were thinking of using coarse-grained authentication to secure 
the debug endpoint as a whole with a GET_ENDPOINT_WITH_PATH  "/files/debug" 
ACL. Thoughts, questions, patches?
If you don't have time in the next week, we may take the patch over so we can 
land it in time.

> Add authz to /files/debug
> -
>
> Key: MESOS-5708
> URL: https://issues.apache.org/jira/browse/MESOS-5708
> Project: Mesos
>  Issue Type: Task
>  Components: security
>Reporter: Adam B
>Assignee: Abhishek Dasgupta
>Priority: Minor
>  Labels: mesosphere, security
> Fix For: 1.0.0
>
>
> The /files/debug endpoint exposes the attached master/agent log paths and 
> every attached sandbox path, which includes the frameworkId and executorId. 
> Even if sandboxes are protected, we still don't want to expose this 
> information to unauthorized users.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)