mesos-issues mailing list archives

From "Adam B (JIRA)" <>
Subject [jira] [Created] (MESOS-5705) ZK credential is exposed in /flags and /state
Date Fri, 24 Jun 2016 12:06:16 GMT
Adam B created MESOS-5705:

             Summary: ZK credential is exposed in /flags and /state
                 Key: MESOS-5705
             Project: Mesos
          Issue Type: Task
          Components: master, security
            Reporter: Adam B
             Fix For: 1.0.0

Mesos allows zk credentials to be embedded in the zk url, but exposes these credentials in
the /flags and /state endpoints. Even though /state is authorized, it only filters out frameworks/tasks,
so the top-level flags are shown to any authenticated user.

"zk": "zk://dcos_mesos_master:my_secret_password@",

We need to find some way to hide this data, or even add a first-class VIEW_FLAGS ACL that
applies to any endpoint that exposes flags.

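One way to hide the credential part of a `zk://` URL before flag values are rendered, as an added illustration that is not part of the original message, not Mesos code, and not the fix adopted for MESOS-5705. The names `redactZkCredentials` and `redactFlags`, the `<redacted>` marker, and the sample host and path are assumptions made for the example.

```cpp
#include <iostream>
#include <map>
#include <string>

// Hypothetical helper, not Mesos code: strip the "user:password" part of a
// zk:// URL before the value is rendered by an endpoint such as /flags.
std::string redactZkCredentials(const std::string& value)
{
  const std::string scheme = "zk://";
  if (value.compare(0, scheme.size(), scheme) != 0) {
    return value; // Not a zk:// URL, nothing to hide.
  }

  // Credentials end at the LAST '@', so a password that itself contains
  // '@' or '/' is removed in full. A znode path containing '@' would be
  // over-redacted, which is the safe direction for a display value.
  const std::string::size_type at = value.rfind('@');
  if (at == std::string::npos) {
    return value; // No credentials embedded.
  }

  return scheme + "<redacted>" + value.substr(at);
}

// Apply the redaction to every flag value, so any flag that carries a
// zk:// URL is covered rather than only the one named "zk".
std::map<std::string, std::string> redactFlags(
    std::map<std::string, std::string> flags)
{
  for (auto& flag : flags) {
    flag.second = redactZkCredentials(flag.second);
  }
  return flags;
}

int main()
{
  // Constructed sample flags; the host name and path are made up.
  const std::map<std::string, std::string> flags = {
    {"zk", "zk://dcos_mesos_master:my_secret_password@zk1.example:2181/mesos"},
    {"work_dir", "/var/lib/mesos"},
  };

  for (const auto& flag : redactFlags(flags)) {
    std::cout << '"' << flag.first << "\": \"" << flag.second << "\"\n";
  }
  return 0;
}
```

Redaction of this kind only changes what is displayed; the VIEW_FLAGS ACL proposed in the report would control who can read the flags at all.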