Mesos / MESOS-5705

ZK credential is exposed in /flags and /state


      Description

      Mesos allows ZK credentials to be embedded in the ZK URL, but exposes these credentials in the /flags and /state endpoints. Even though /state is authorized, it only filters out frameworks/tasks, so the top-level flags are shown to any authenticated user.

      "zk": "zk://dcos_mesos_master:my_secret_password@127.0.0.1:2181/mesos",

      We need to find some way to hide this data, or even add a first-class VIEW_FLAGS ACL that applies to any endpoint that exposes flags.
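One way to hide the credential before flags are serialized into an endpoint response, shown as an added example (this is not Mesos code and not necessarily the fix adopted for this issue). `redactZkUrl` and `redactFlags` are hypothetical names, and the flag map is constructed from the value quoted in the description.

```cpp
#include <iostream>
#include <map>
#include <string>

// Added example, not Mesos code. Replaces everything between "zk://" and the
// last '@' with a fixed marker. Using the last '@' in the whole URL is a
// deliberate fail-closed choice: a password containing '@' or '/' is still
// removed completely, at the cost of over-redacting a path that contains '@'.
std::string redactZkUrl(const std::string& url)
{
  const std::string scheme = "zk://";
  if (url.compare(0, scheme.size(), scheme) != 0) {
    return url;  // Not a ZooKeeper URL (for example file://...), unchanged.
  }

  const std::string::size_type at = url.rfind('@');
  if (at == std::string::npos) {
    return url;  // No embedded credentials.
  }

  return scheme + "<redacted>" + url.substr(at);
}

// Hypothetical helper: returns a copy of a flag map that is safe to expose.
// Every value is checked, not only the "zk" key, so any other flag that
// carries a zk:// URL is covered as well.
std::map<std::string, std::string> redactFlags(
    std::map<std::string, std::string> flags)
{
  for (auto& flag : flags) {
    flag.second = redactZkUrl(flag.second);
  }
  return flags;
}

int main()
{
  // Constructed sample input based on the value quoted in the report.
  std::map<std::string, std::string> flags;
  flags["zk"] =
    "zk://dcos_mesos_master:my_secret_password@127.0.0.1:2181/mesos";
  flags["work_dir"] = "/var/lib/mesos";

  for (const auto& flag : redactFlags(flags)) {
    std::cout << "\"" << flag.first << "\": \"" << flag.second << "\"\n";
  }
  return 0;
}
```

Redaction of this kind only hides the value from readers of the endpoint; restricting who may read flags at all is the separate ACL approach the description mentions.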


              People

              • Assignee: Alexander Rojas (arojas)
              • Reporter: Adam B (adam-mesos)
              • Shepherd: Vinod Kone