Return-Path: <issues-return-29915-archive-asf-public=cust-asf.ponee.io@mesos.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id DE6AB200AE4
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Fri, 24 Jun 2016 14:06:17 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id DD1C2160A5A; Fri, 24 Jun 2016 12:06:17 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 29CE3160A38
	for <archive-asf-public@cust-asf.ponee.io>; Fri, 24 Jun 2016 14:06:17 +0200 (CEST)
Received: (qmail 87545 invoked by uid 500); 24 Jun 2016 12:06:16 -0000
Mailing-List: contact issues-help@mesos.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:issues-help@mesos.apache.org>
List-Unsubscribe: <mailto:issues-unsubscribe@mesos.apache.org>
List-Post: <mailto:issues@mesos.apache.org>
List-Id: <issues.mesos.apache.org>
Reply-To: dev@mesos.apache.org
Delivered-To: mailing list issues@mesos.apache.org
Received: (qmail 87536 invoked by uid 99); 24 Jun 2016 12:06:16 -0000
Received: from arcas.apache.org (HELO arcas) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 24 Jun 2016 12:06:16 +0000
Received: from arcas.apache.org (localhost [127.0.0.1])
	by arcas (Postfix) with ESMTP id 33FD32C033A
	for <issues@mesos.apache.org>; Fri, 24 Jun 2016 12:06:16 +0000 (UTC)
Date: Fri, 24 Jun 2016 12:06:16 +0000 (UTC)
From: "Adam B (JIRA)" <jira@apache.org>
To: issues@mesos.apache.org
Message-ID: <JIRA.12982661.1466769942000.21448.1466769976097@Atlassian.JIRA>
In-Reply-To: <JIRA.12982661.1466769942000@Atlassian.JIRA>
References: <JIRA.12982661.1466769942000@Atlassian.JIRA> <JIRA.12982661.1466769942147@arcas>
Subject: [jira] [Created] (MESOS-5705) ZK credential is exposed in /flags
 and /state
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Fri, 24 Jun 2016 12:06:18 -0000

Adam B created MESOS-5705:
-----------------------------

             Summary: ZK credential is exposed in /flags and /state
                 Key: MESOS-5705
                 URL: https://issues.apache.org/jira/browse/MESOS-5705
             Project: Mesos
          Issue Type: Task
          Components: master, security
            Reporter: Adam B
             Fix For: 1.0.0


Mesos allows zk credentials to be embedded in the zk url, but exposes these credentials in the /flags and /state endpoint. Even though /state is authorized, it only filters out frameworks/tasks, so the top-level flags are shown to any authenticated user.

"zk": "zk://dcos_mesos_master:my_secret_password@127.0.0.1:2181/mesos",

We need to find some way to hide this data, or even add a first-class VIEW_FLAGS acl that applies to any endpoint that exposes flags.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)