Mesos / MESOS-7203

Add a '--require_http_authentication' flag


    Description

      The current HTTP authentication implementation in Mesos makes it difficult to properly authorize some operations when authentication is not enabled. The UNRESERVE and DESTROY operations use a principal field stored in ReservationInfo/DiskInfo for authorization. This means that in order to authorize properly, the principal responsible for the reservation/volume must be available when the RESERVE/CREATE operation is performed. However, if HTTP authentication is not enabled, then operators are not able to provide a principal.

      In order to resolve this issue, a new --require_http_authentication flag could be added. This flag would complement the --http_authenticators flag. The new behavior would be as follows:

      • If --http_authenticators is set but --require_http_authentication is not set, the authenticators would be loaded as specified, but unauthenticated requests would be permitted. In the case of an HTTP request containing an Authorization header, the header would be used to construct a Principal to be passed to the handlers.
      • If --http_authenticators is set and --require_http_authentication is also set, the Principal would be extracted and passed to handlers as before, but all requests without an authenticated principal would be rejected.
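The two cases above, worked through as an added C++ example. This is not Mesos code and not from the issue author; it models the admission decision with a constructed bearer-token table standing in for a real HTTP authenticator module, and the names Flags, admit, authenticate, ReservationInfo and authorizeUnreserve are assumptions made for illustration. Two behaviours the issue does not spell out are also assumptions and are marked in comments: a request whose Authorization header fails authentication is rejected in both modes, and --require_http_authentication without any authenticator loaded is treated as a configuration error.

```cpp
#include <map>
#include <optional>
#include <string>

// Stand-in for the principal Mesos passes to its HTTP handlers.
struct Principal {
  std::string value;
};

// The two flags discussed in the issue. http_authenticators == true stands
// in for --http_authenticators naming at least one authenticator module.
struct Flags {
  bool http_authenticators = false;
  bool require_http_authentication = false;
};

struct Request {
  std::map<std::string, std::string> headers;
};

enum class Decision { Accept, Reject };

struct Admission {
  Decision decision;
  std::optional<Principal> principal;  // set only when the request authenticated
};

// Constructed token -> principal table; a real authenticator would validate
// credentials itself. Used by the assertions below as sample input.
using TokenTable = std::map<std::string, std::string>;
const TokenTable kTokens = {{"t-alice", "alice"}};

// Stand-in authenticator: "Authorization: Bearer <token>" -> principal.
// Returns nullopt when the header is absent or does not validate.
std::optional<Principal> authenticate(const Request& req, const TokenTable& tokens) {
  auto it = req.headers.find("Authorization");
  if (it == req.headers.end()) return std::nullopt;
  const std::string prefix = "Bearer ";
  if (it->second.compare(0, prefix.size(), prefix) != 0) return std::nullopt;
  auto tok = tokens.find(it->second.substr(prefix.size()));
  if (tok == tokens.end()) return std::nullopt;
  return Principal{tok->second};
}

// Decide whether a request reaches the handler, and with which principal.
Admission admit(const Flags& flags, const Request& req, const TokenTable& tokens) {
  const bool hasHeader = req.headers.count("Authorization") > 0;

  if (!flags.http_authenticators) {
    // No authenticator loaded, so no principal can ever be extracted.
    // Assumption: requiring authentication here is a configuration error.
    if (flags.require_http_authentication) return {Decision::Reject, std::nullopt};
    return {Decision::Accept, std::nullopt};
  }

  if (hasHeader) {
    std::optional<Principal> p = authenticate(req, tokens);
    // Assumption: a header that fails authentication is rejected in both modes;
    // permissive mode only waives the header, not bad credentials.
    if (!p) return {Decision::Reject, std::nullopt};
    return {Decision::Accept, p};  // handler receives the extracted Principal
  }

  // No header. Only --require_http_authentication turns this into a rejection.
  if (flags.require_http_authentication) return {Decision::Reject, std::nullopt};
  return {Decision::Accept, std::nullopt};  // permissive: unauthenticated request
}

// Why the principal matters: UNRESERVE is authorized against the principal
// recorded in ReservationInfo when the RESERVE was performed. Without an
// authenticated principal there is nothing to compare, so the check fails.
struct ReservationInfo {
  std::optional<std::string> principal;
};

bool authorizeUnreserve(const ReservationInfo& r, const std::optional<Principal>& p) {
  // Assumption: a reservation with no recorded principal cannot be matched.
  if (!r.principal || !p) return false;
  return *r.principal == p->value;
}
```

In permissive mode (first flag only) a client that sends a valid Authorization header still gets a principal attached, so a RESERVE it performs records one, while clients without a header are not turned away; switching on --require_http_authentication rejects the latter rather than letting them through with no principal.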


          People

            Assignee: Unassigned
            Reporter: Greg Mann (greggomann)