Details
- Task
- Status: Resolved
- Blocker
- Resolution: Fixed
- None
- Mesosphere Sprint 38
- 5
Description
Mesos allows zk credentials to be embedded in the zk URL, but exposes these credentials in the /flags and /state endpoints. Even though /state is authorized, it only filters out frameworks/tasks, so the top-level flags are shown to any authenticated user.
"zk": "zk://dcos_mesos_master:my_secret_password@127.0.0.1:2181/mesos",
We need to find some way to hide this data, or even add a first-class VIEW_FLAGS ACL that applies to any endpoint that exposes flags.
Issue Links
- is related to MESOS-5706 GET_ENDPOINT_WITH_PATH authz doesn't make sense for /flags (Resolved)
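Added example, not part of the original issue and not the Mesos fix: one way to hide the data described above is to redact the credential part of any zk:// flag value before the flags are serialized for /flags or /state. The names redactZkUrl and redactFlags are hypothetical, and cutting at the last '@' is an assumption chosen so that a password containing '/' or '@' is never left in the output.

```cpp
#include <iostream>
#include <map>
#include <string>

// Hypothetical helper (not a Mesos function): replaces the "user:password"
// part of a zk:// URL with a fixed marker. Values that are not zk:// URLs,
// or that carry no credentials, are returned unchanged.
std::string redactZkUrl(const std::string& value)
{
  const std::string scheme = "zk://";
  if (value.compare(0, scheme.size(), scheme) != 0) {
    return value;
  }
  // Cut at the LAST '@' in the whole value. Splitting on the first '/' would
  // leak the secret when the password itself contains '/', so this prefers
  // over-redaction to under-redaction.
  const std::size_t at = value.rfind('@');
  if (at == std::string::npos) {
    return value; // zk://host:port/path without credentials
  }
  return scheme + "<redacted>@" + value.substr(at + 1);
}

// Returns a copy of the flags that is safe to expose to any authenticated user.
std::map<std::string, std::string> redactFlags(
    const std::map<std::string, std::string>& flags)
{
  std::map<std::string, std::string> out;
  for (const auto& kv : flags) {
    out[kv.first] = redactZkUrl(kv.second);
  }
  return out;
}

int main()
{
  // Constructed sample flags; the zk value is the one quoted in the issue.
  const std::map<std::string, std::string> flags = {
    {"zk", "zk://dcos_mesos_master:my_secret_password@127.0.0.1:2181/mesos"},
    {"work_dir", "/var/lib/mesos"},
  };
  for (const auto& kv : redactFlags(flags)) {
    std::cout << kv.first << "=" << kv.second << "\n";
  }
  return 0;
}
```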