Alexander Rukletsov created MESOS-9638: ------------------------------------------
Summary: Mesos masters do no authenticate with agents. Key: MESOS-9638 URL: https://issues.apache.org/jira/browse/MESOS-9638 Project: Mesos Issue Type: Improvement Components: agent, master Reporter: Alexander Rukletsov Currently Mesos agents do not verify that the messages they receive are coming from the leading master and haven't been tampered with. In untrusted environments this can be a source of security issues. There are a couple of ways to fix this: 1) implement Master authentication on the transport or application level for each {{agent}}<->{{master}} connection (this might not be sufficient to distinguish a master from the leading master) 2) implement Master authentication on the transport level (for the connection to be encrypted) upon agent registration and pass a secret to the master for all subsequent, possibly separate and unencrypted, connections (the secret can be leaked on an unencrypted connection). -- This message was sent by Atlassian JIRA (v7.6.3#76005)