Uploaded image for project: 'Mesos'
  1. Mesos
  2. MESOS-5706

GET_ENDPOINT_WITH_PATH authz doesn't make sense for /flags

    XMLWordPrintableJSON

Details

    • Task
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • 1.0.0
    • security

    Description

      The master or agent flags are exposed in /state as well as /flags, so any user who wants to disable/control access to the flags likely intends to control access to flags no matter what endpoint exposes them. As such, /flags is a poor candidate for GET_ENDPOINT_WITH_PATH authz, since we care more about protecting the flag data than the specific endpoint path.
      We should remove the GET_ENDPOINT authz from master and agent /flags until we can come up with a better solution, perhaps a first-class VIEW_FLAGS acl.

      Attachments

        Issue Links

          relates to

          Task - A task that needs to be done. MESOS-5705 ZK credential is exposed in /flags and /state

          • Blocker - Blocks development and/or testing work, production could not run
          • Resolved

          Activity

            People

              arojas Alexander Rojas
              adam-mesos Adam B
              Adam B Adam B
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: