mesos-issues mailing list archives

From "Dominic Hamon (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (MESOS-1081) Master should not deactivate authenticated framework/slave on new AuthenticateMessage unless new authentication succeeds.
Date Mon, 22 Sep 2014 18:11:29 GMT

     [ https://issues.apache.org/jira/browse/MESOS-1081?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dominic Hamon updated MESOS-1081:
---------------------------------
    Sprint: Mesos Q3 Sprint 5, Mesos Q3 Sprint 6  (was: Mesos Q3 Sprint 5)

> Master should not deactivate authenticated framework/slave on new AuthenticateMessage unless new authentication succeeds.
> -------------------------------------------------------------------------------------------------------------------------
>
>                 Key: MESOS-1081
>                 URL: https://issues.apache.org/jira/browse/MESOS-1081
>             Project: Mesos
>          Issue Type: Bug
>          Components: master
>            Reporter: Adam B
>            Assignee: Vinod Kone
>              Labels: authentication, master, security
>
> Master should not deactivate an authenticated framework/slave upon receiving a new AuthenticateMessage unless new authentication succeeds. As it stands now, a malicious user could spoof the pid of an authenticated framework/slave and send an AuthenticateMessage to knock a valid framework/slave off the authenticated list, forcing the valid framework/slave to re-authenticate and re-register. This could be used in a DoS attack.
> But how should we handle the scenario when the actual authenticated framework/slave sends an AuthenticateMessage that fails authentication?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
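
A simplified model of the ordering problem described in the issue, added here as an illustration and not taken from the Mesos source: all type and function names are hypothetical, and `verify` stands in for the real authentication handshake. It keeps the existing entry when a new attempt fails, which is what the issue title asks for; the question the reporter raises at the end is left open.

```cpp
#include <functional>
#include <set>
#include <string>

// Simplified model of a master's authenticated-pid bookkeeping (hypothetical
// names; not Mesos source). `verify` stands in for the authentication
// handshake and returns true only when the peer proves its identity.
using Verifier = std::function<bool(const std::string& pid)>;

struct MasterModel {
  std::set<std::string> authenticated;

  // Behaviour described in the issue: the existing entry is dropped as soon
  // as an AuthenticateMessage arrives, before the new attempt is verified.
  bool authenticateEager(const std::string& pid, const Verifier& verify) {
    authenticated.erase(pid);
    if (!verify(pid)) return false;  // entry is already gone
    authenticated.insert(pid);
    return true;
  }

  // Behaviour requested by the issue title: state changes only on success,
  // so a failed attempt leaves a previously authenticated pid in place.
  bool authenticateOnSuccess(const std::string& pid, const Verifier& verify) {
    if (!verify(pid)) return false;  // no state touched
    authenticated.insert(pid);
    return true;
  }
};

// Returns true if `pid` is still on the authenticated list after one
// successful authentication followed by one failed attempt for the same pid.
bool survivesFailedAttempt(bool eager) {
  MasterModel m;
  const std::string pid = "framework(1)@10.0.0.5:5050";  // constructed sample
  Verifier ok = [](const std::string&) { return true; };
  Verifier bad = [](const std::string&) { return false; };
  auto attempt = [&](const Verifier& v) {
    return eager ? m.authenticateEager(pid, v) : m.authenticateOnSuccess(pid, v);
  };
  attempt(ok);   // legitimate framework/slave authenticates
  attempt(bad);  // later AuthenticateMessage for the same pid fails
  return m.authenticated.count(pid) == 1;
}

int main() {
  return (!survivesFailedAttempt(true) && survivesFailedAttempt(false)) ? 0 : 1;
}
```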
