mesos-issues mailing list archives

From "Adam B (JIRA)" <j...@apache.org>
Subject [jira] [Created] (MESOS-5705) ZK credential is exposed in /flags and /state
Date Fri, 24 Jun 2016 12:06:16 GMT
Adam B created MESOS-5705:
-----------------------------

             Summary: ZK credential is exposed in /flags and /state
                 Key: MESOS-5705
                 URL: https://issues.apache.org/jira/browse/MESOS-5705
             Project: Mesos
          Issue Type: Task
          Components: master, security
            Reporter: Adam B
             Fix For: 1.0.0


Mesos allows ZK credentials to be embedded in the zk URL, but exposes these credentials in
the /flags and /state endpoints. Even though /state is authorized, it only filters out frameworks/tasks,
so the top-level flags are shown to any authenticated user.

"zk": "zk://dcos_mesos_master:my_secret_password@127.0.0.1:2181/mesos",

We need to find some way to hide this data, or even add a first-class VIEW_FLAGS ACL that
applies to any endpoint that exposes flags.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
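
Added example, not part of the original message and not Mesos code: one way to hide the credential before a flag value is serialized by endpoints such as /flags and /state. The names redactZkUrl, redactFlags and the "<redacted>" marker are hypothetical, and the URL shape is assumed from the "zk" value quoted in the report.

```cpp
#include <iostream>
#include <map>
#include <string>

// Marker shown in place of "user:password" (constructed value).
static const std::string kRedacted = "<redacted>";

// Returns `value` with any embedded credential removed from a zk:// URL.
// Assumed URL shape (taken from the example in the report):
//   zk://user:password@host1:port1,host2:port2/path
// Everything between "zk://" and the LAST '@' is treated as the credential,
// so a password containing '@' or '/' is still fully hidden. A znode path
// containing '@' is over-redacted, which fails closed instead of leaking.
std::string redactZkUrl(const std::string& value) {
  const std::string scheme = "zk://";
  if (value.compare(0, scheme.size(), scheme) != 0) {
    return value;  // Not a zk:// URL; leave untouched.
  }
  const std::string::size_type at = value.rfind('@');
  if (at == std::string::npos) {
    return value;  // No credential embedded.
  }
  return scheme + kRedacted + value.substr(at);
}

// Hypothetical helper: a copy of the flag map that is safe to serialize.
std::map<std::string, std::string> redactFlags(
    const std::map<std::string, std::string>& flags) {
  std::map<std::string, std::string> safe;
  for (const auto& flag : flags) {
    safe[flag.first] = redactZkUrl(flag.second);
  }
  return safe;
}

int main() {
  // Sample flags: "zk" is the value quoted in the report, the other
  // entry is constructed for illustration.
  const std::map<std::string, std::string> flags = {
      {"zk", "zk://dcos_mesos_master:my_secret_password@127.0.0.1:2181/mesos"},
      {"work_dir", "/var/lib/mesos"},
  };
  for (const auto& flag : redactFlags(flags)) {
    std::cout << flag.first << " = " << flag.second << "\n";
  }
  return 0;
}
```

Redacting at serialization time leaves the in-memory flag intact, so the ZooKeeper connection itself is unaffected.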
