  1. Mesos
  2. MESOS-5851

Create mechanism to control authentication between different HTTP endpoints

    Details

      Description

      All endpoints' authentication is controlled by one single flag. We need this flag to be on so that `/reserve` and `/unreserve` can get a principal.

      However, after 1.0, we cannot access important read-only endpoints `/master/state/` and `/metric/snapshot/` anymore w/o a password. The latter is detrimental to usability because many users don't have the supporting infra to distribute such metrics into every metrics-collecting process yet.

      I'm looking towards a mechanism to at least allow unauthenticated access to selectively whitelisted endpoints while keeping endpoints requiring AuthN/AuthZ still protected.

      Quoting Joseph Wu: "we want a `--authenticate_http=true, but don't check` option"

      Proposed endpoint-to-realm grouping by Zhitao Li

      /////////////
      // Common realms shared by both master and agent
      /////////////

      FLAGS
      • /flags

      FILES
      • /files/browse
      • /files/browse.json
      • /files/debug
      • /files/debug.json
      • /files/download
      • /files/download.json
      • /files/read
      • /files/read.json

      LOGGING
      • /logging/toggle

      METRICS
      • /metrics/snapshot

      PROFILER
      • /profiler/start
      • /profiler/stop

      SYSTEMS
      • /system/stats.json

      VERSIONS
      • /version

      /////////////////
      // Additional master only realms
      /////////////////

      MAINTENANCE
      • /machine/down
      • /machine/up
      • /maintenance/schedule
      • /maintenance/status

      OPERATORS
      • /api/v1

      SCHEDULERS
      • /api/v1/scheduler

      REGISTRARS
      • /registrar(id)/registry

      RESERVATIONS
      • /reserve
      • /unreserve
      • /quota
      • /weights

      TEARDOWN
      • /teardown

      VIEWS
      • /frameworks
      • /roles
      • /roles.json
      • /slaves
      • /state
      • /state-summary
      • /state.json
      • /tasks
      • /tasks.json

      VOLUMES
      • /create-volumes
      • /destroy-volumes

      UNAUTHENTICATED
      • /health
      • /redirect

      ////////////////
      // Additional agent realms
      ////////////////

      OPERATORS
      • /api/v1

      VIEWS
      • /containers
      • /monitor/statistics
      • /monitor/statistics.json
      • /state
      • /state.json

      UNAUTHENTICATED
      • /api/v1/executor
      • /health

    People

      • Assignee: Zhitao Li (zhitao)
      • Reporter: Zhitao Li (zhitao)
      • Shepherd: Adam B
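
A sketch of the per-realm check the proposal implies, using the master grouping from the issue. It is an added example, not Mesos code and not part of the issue; the function names and `open_realms` (the realms an operator chooses to serve without credentials) are assumptions.

```python
import re

def _j(*paths):
    """Each path plus its '.json' alias, as the proposal lists them."""
    return [p + s for p in paths for s in ("", ".json")]

# Master endpoint-to-realm grouping, copied from the proposal in the issue.
MASTER_REALMS = {
    "FLAGS": ["/flags"],
    "FILES": _j("/files/browse", "/files/debug", "/files/download", "/files/read"),
    "LOGGING": ["/logging/toggle"],
    "METRICS": ["/metrics/snapshot"],
    "PROFILER": ["/profiler/start", "/profiler/stop"],
    "SYSTEMS": ["/system/stats.json"],
    "VERSIONS": ["/version"],
    "MAINTENANCE": ["/machine/down", "/machine/up",
                    "/maintenance/schedule", "/maintenance/status"],
    "OPERATORS": ["/api/v1"],
    "SCHEDULERS": ["/api/v1/scheduler"],
    "RESERVATIONS": ["/reserve", "/unreserve", "/quota", "/weights"],
    "TEARDOWN": ["/teardown"],
    "VIEWS": ["/frameworks", "/slaves", "/state-summary"]
             + _j("/roles", "/state", "/tasks"),
    "VOLUMES": ["/create-volumes", "/destroy-volumes"],
    "UNAUTHENTICATED": ["/health", "/redirect"],
}
REGISTRAR = re.compile(r"/registrar\([^/()]+\)/registry")  # REGISTRARS realm

# Exact-match table, so /api/v1/scheduler is never classified as /api/v1.
ENDPOINT_REALM = {p: realm for realm, paths in MASTER_REALMS.items() for p in paths}

def realm_for(path):
    """Return the realm of a request path, or None if it is not in the grouping."""
    path = path.split("?", 1)[0].rstrip("/") or "/"
    if REGISTRAR.fullmatch(path):
        return "REGISTRARS"
    return ENDPOINT_REALM.get(path)

def requires_authentication(path, open_realms=frozenset()):
    """True unless the path is in UNAUTHENTICATED or an operator-opened realm.

    Ungrouped paths fail closed: a new endpoint stays protected until mapped.
    """
    realm = realm_for(path)
    if realm is None:
        return True
    return realm != "UNAUTHENTICATED" and realm not in open_realms
```

With `open_realms={"METRICS", "VIEWS"}` the read-only endpoints named in the description are reachable without a password, while `/reserve` and `/unreserve` still require credentials and so still receive a principal.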