mesos-dev mailing list archives

From Bhuvan Arumugam <>
Subject Re: Differentiate user requests & protobuf messages
Date Mon, 25 Aug 2014 18:26:33 GMT
We want t

On Mon, Aug 25, 2014 at 10:40 AM, Vinod Kone <> wrote:
> Hey Bhuvan,
> The "ShutdownFramework" ACL is an example of authN/authZ of HTTP endpoint
> ("/shutdown") from a user perspective. Depending on what HTTP endpoints you
> are planning to auth we could conceivably add more ACLs or add a generic
> HTTP endpoint ACL. Of course this still doesn't give you sessions, caching,
> or encryption.

Vinod, we want to authenticate all web requests, all read-only.
Irrespective of the link/tabs we click {/slaves, /frameworks,
/offers}, the server always returns this json /master/state.json. The
angularjs does the filtering, based on the user action.

Based on what you say, looks like there are more HTTP endpoints (rw)
exposed to slaves and frameworks, like /shutdown. We don't want to
implement auth for these endpoints, atm.

That said, I think, we should authenticate /master/state.json only.
Can I assume, this can be implemented in Master::Http::state method,
using process::http::Request and process::http::Response? Or, does
slave/framework use /master/state.json endpoint? Any changes to this
method will not affect protobuf message exchange between master and
slave/framework, I think. Correct me if I'm wrong.

> On Fri, Aug 22, 2014 at 5:36 PM, Bhuvan Arumugam <> wrote:
>> Hello,
>> We use auth/authz implementation for frameworks and slaves. They are
>> neat! This thread is about auth for web ui, between master and user.
>> We are implementing authentication for master web ui (port: 5050). The
>> master seems to serve both user requests and protobuf messages from
>> slave & frameworks on same port. Right? We want to authenticate user
>> requests only. Is there a way to differentiate these messages?
>> Based on how these messages can be differentiated, we are thinking to
>> run mesos master behind a proxy, apache or apache traffic server,
>> primarily for 2 reasons:
>>   1. authentication. The auth could be implemented through apache
>> module or ATS plugin.
>>   2. security. serve user requests through https.
>> If we use ATS, it may also solve caching problem; but we aren't
>> solving this problem right now.
>> Making changes to mesos to address these concerns doesn't look neat.
>> Mesos seems to return complete json blob and all magic is done at the
>> client side, in angularjs. Mesos master isn't a full-fledged http
>> server. It's not meant to keep track of user session; dealing with
>> http cookies/headers/redirection is non-trivial.
>> Anyone running mesos master behind proxy, or solved same problem
>> differently?
>> --
>> Regards,
>> Bhuvan Arumugam

Bhuvan Arumugam
