[MESOS-5705] ZK credential is exposed in /flags and /state - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Resolved
Priority: Blocker
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.0.0
Component/s: master, security
Labels:
- mesosphere
- security

Epic Link:
Authorize operator endpoints
Sprint:
Mesosphere Sprint 38
Story Points:
5

Description

Mesos allows zk credentials to be embedded in the zk url, but exposes these credentials in the /flags and /state endpoint. Even though /state is authorized, it only filters out frameworks/tasks, so the top-level flags are shown to any authenticated user.

"zk": "zk://dcos_mesos_master:my_secret_password@127.0.0.1:2181/mesos",

We need to find some way to hide this data, or even add a first-class VIEW_FLAGS acl that applies to any endpoint that exposes flags.

Attachments

Issue Links

is related to

MESOS-5706 GET_ENDPOINT_WITH_PATH authz doesn't make sense for /flags

Resolved

Activity

People

Assignee:: Alexander Rojas

Reporter:: Adam B

Shepherd:: Vinod Kone

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 24/Jun/16 12:05

Updated:: 29/Apr/19 09:26

Resolved:: 30/Jun/16 20:23