mesos-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Adam B (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (MESOS-5335) Add authorization to GET /weights
Date Fri, 06 May 2016 09:55:13 GMT

    [ https://issues.apache.org/jira/browse/MESOS-5335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15273855#comment-15273855
] 

Adam B commented on MESOS-5335:
-------------------------------

cc: [~gradywang]

> Add authorization to GET /weights
> ---------------------------------
>
>                 Key: MESOS-5335
>                 URL: https://issues.apache.org/jira/browse/MESOS-5335
>             Project: Mesos
>          Issue Type: Improvement
>          Components: master, security
>            Reporter: Adam B
>              Labels: mesosphere, security
>             Fix For: 0.29.0
>
>
> We already authorize which http users can update weights for particular roles, but even
knowing of the existence of these roles (let alone their weights) may be sensitive information.
We should add authz around GET operations on /weights.
> Easy option: GET_ENDPOINT_WITH_PATH /weights
> - Pro: No new verb
> - Con: All or nothing
> Complex option: GET_WEIGHTS_WITH_ROLE
> - Pro: Filters contents based on roles the user is authorized to see
> - Con: More authorize calls (one per role in each /weights request)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message