Uploaded image for project: 'Mesos'
  1. Mesos
  2. MESOS-5706

GET_ENDPOINT_WITH_PATH authz doesn't make sense for /flags

    XMLWordPrintableJSON

    Details

    • Type: Task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.0.0
    • Component/s: security

      Description

      The master or agent flags are exposed in /state as well as /flags, so any user who wants to disable/control access to the flags likely intends to control access to flags no matter what endpoint exposes them. As such, /flags is a poor candidate for GET_ENDPOINT_WITH_PATH authz, since we care more about protecting the flag data than the specific endpoint path.
      We should remove the GET_ENDPOINT authz from master and agent /flags until we can come up with a better solution, perhaps a first-class VIEW_FLAGS acl.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                arojas Alexander Rojas
                Reporter:
                adam-mesos Adam B
                Shepherd:
                Adam B
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: