Uploaded image for project: 'Mesos'
  1. Mesos
  2. MESOS-9006

The agent's GET_AGENT leaks resource information when using authorization

Attach filesAttach ScreenshotAdd voteVotersWatch issueWatchersLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Accepted
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Story Points:
      3

      Description

      While the master's GET_AGENTS call e.g., filters resources (by using an approver with VIEW_ROLE) so that it does not leak resources the querying principal should not be able to see, no such filtering is done in the corresponding agent's GET_AGENT call.

      This call should be authorized as well to not expose information we expect to be not visible.

        Attachments

        Issue Links

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              bbannier Benjamin Bannier

              Dates

              • Created:
                Updated:

                Issue deployment