Mesos issue MESOS-7203

Add a '--require_http_authentication' flag




The current HTTP authentication implementation in Mesos makes it difficult to properly authorize some operations when authentication is not enabled. The UNRESERVE and DESTROY operations use a principal field stored in ReservationInfo/DiskInfo for authorization. This means that in order to authorize properly, the principal responsible for the reservation/volume must be available when the RESERVE/CREATE operation is performed. However, if HTTP authentication is not enabled, then operators are not able to provide a principal.

In order to resolve this issue, a new --require_http_authentication flag could be added. This flag would complement the --http_authenticators flag. The new behavior would be as follows:

• If --http_authenticators is set but --require_http_authentication is not set, the authenticators would be loaded as specified, but unauthenticated requests would be permitted. In the case of an HTTP request containing an Authorization header, the header would be used to construct a Principal to be passed to the handlers.
• If --http_authenticators is set and --require_http_authentication is also set, the Principal would be extracted and passed to handlers as before, but all requests without an authenticated principal would be rejected.
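The following is an added example, not Mesos code, that models the two modes described above and the UNRESERVE gap that motivates the flag. The names (HttpAuthFlags, gateRequest, authenticate, ReservationRecord, recordReserve, authorizeUnreserve) and the Basic-auth credential table are constructed for the example; the authorizer is simplified to "only the recorded principal may undo a reservation". One behavior the ticket does not specify is assumed here: an Authorization header that fails authentication is rejected in both modes, since it is not an unauthenticated request but a failed one.

```cpp
#include <cassert>
#include <iostream>
#include <map>
#include <optional>
#include <string>

// Hypothetical model of the two master flags discussed in the ticket.
struct HttpAuthFlags {
  bool httpAuthenticatorsSet;      // --http_authenticators was given
  bool requireHttpAuthentication;  // --require_http_authentication was given
};

// Minimal Principal: the authenticated identity handed to endpoint handlers.
struct Principal {
  std::string value;
};

// What the gate produces: a 401 rejection, or an optional Principal
// (empty for an unauthenticated request that was allowed through).
struct AuthDecision {
  bool rejected;
  std::optional<Principal> principal;
};

// Hypothetical authenticator with a constructed credential table; a real
// authenticator module would verify the credential, here a lookup stands in.
std::optional<Principal> authenticate(const std::string& authorizationHeader) {
  static const std::map<std::string, std::string> credentials = {
      {"Basic ZnJhbWV3b3JrOnNlY3JldA==", "framework"},  // framework:secret
      {"Basic b3BlcmF0b3I6aHVudGVyMg==", "operator"},   // operator:hunter2
  };
  auto it = credentials.find(authorizationHeader);
  if (it == credentials.end()) return std::nullopt;
  return Principal{it->second};
}

// The proposed gate; `authorizationHeader` is empty when the request carried
// no Authorization header at all.
AuthDecision gateRequest(const HttpAuthFlags& flags,
                         const std::optional<std::string>& authorizationHeader) {
  if (!flags.httpAuthenticatorsSet) {
    return {false, std::nullopt};  // no authenticator: nothing can produce a Principal
  }
  std::optional<Principal> principal;
  if (authorizationHeader.has_value()) {
    principal = authenticate(*authorizationHeader);
    if (!principal.has_value()) {
      // Assumption: a header that fails authentication is rejected in both modes.
      return {true, std::nullopt};
    }
  }
  if (flags.requireHttpAuthentication && !principal.has_value()) {
    return {true, std::nullopt};  // --require_http_authentication: reject
  }
  return {false, principal};  // optional mode: pass through, Principal if any
}

// Hypothetical stand-in for the principal stored in ReservationInfo/DiskInfo
// at RESERVE/CREATE time.
struct ReservationRecord {
  std::string resource;
  std::optional<Principal> reserver;  // empty when RESERVE was unauthenticated
};

ReservationRecord recordReserve(const std::string& resource,
                                const AuthDecision& gate) {
  return {resource, gate.principal};
}

// UNRESERVE/DESTROY authorization, simplified to "only the recorded principal
// may undo it". With no recorded principal the check can never succeed, which
// is the gap the ticket describes for the optional mode.
bool authorizeUnreserve(const ReservationRecord& record,
                        const AuthDecision& gate) {
  return record.reserver.has_value() && gate.principal.has_value() &&
         record.reserver->value == gate.principal->value;
}

int main() {
  const HttpAuthFlags optionalAuth{true, false};
  const HttpAuthFlags requiredAuth{true, true};
  const std::string creds = "Basic ZnJhbWV3b3JrOnNlY3JldA==";

  // Optional mode: an anonymous RESERVE records no principal, so even the
  // same framework cannot later be authorized to UNRESERVE it.
  ReservationRecord anon =
      recordReserve("cpus:4", gateRequest(optionalAuth, std::nullopt));
  std::cout << "optional mode, anonymous reserve -> unreserve allowed: "
            << authorizeUnreserve(anon, gateRequest(optionalAuth, creds)) << '\n';

  // Required mode: RESERVE must authenticate, so the principal is recorded
  // and the UNRESERVE check has something to compare against.
  ReservationRecord owned =
      recordReserve("cpus:4", gateRequest(requiredAuth, creds));
  std::cout << "required mode, authenticated reserve -> unreserve allowed: "
            << authorizeUnreserve(owned, gateRequest(requiredAuth, creds)) << '\n';
  return 0;
}
```

The point the model makes concrete: the optional mode is not unsafe by itself, but anything recorded under it has no principal, so the principal-based authorizer for UNRESERVE/DESTROY has nothing to match and the operation cannot be authorized for anyone; the required mode guarantees the principal is present at RESERVE/CREATE time.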





Assignee: Unassigned
Reporter: greggomann (Greg Mann)



