Currently, a number of endpoints are, e.g., not authorized. While Mesos uses infrastructure provided by libprocess to authenticate requests to its endpoints, we do not always authorize all Mesos endpoints. Even worse, there seems to exist no libprocess infrastructure to perform authorization; instead we hook it manually into Mesos infrastructure for a number of endpoints,
Notably absent from that list is, e.g., the __processes__ endpoint.
We should audit all endpoints currently exposed by the Mesos master or agent process, or by any process using libprocess. We should set them up in a way that allows operators to, e.g., deny all requests by default.
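
A sketch of what authorization at the routing layer with a deny-by-default policy could look like, together with an audit helper that lists routes registered without an authorizer. This is an added example, not Mesos or libprocess code: `Router`, `Request`, `Authorizer`, `sampleRouter` and the sample routes and principals are hypothetical.

```cpp
#include <functional>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Hypothetical types for illustration; these are not libprocess or Mesos APIs.
struct Request { std::string path; std::string principal; };  // empty principal = unauthenticated
using Authorizer = std::function<bool(const std::string& principal)>;
using Handler = std::function<std::string(const Request&)>;

class Router {
  struct Entry { Handler handler; Authorizer authorizer; };
  std::map<std::string, Entry> routes_;
  bool permissive_;  // policy applied to routes registered without an authorizer
public:
  explicit Router(bool permissive = false) : permissive_(permissive) {}
  void route(const std::string& path, Handler h, Authorizer a = nullptr) {
    routes_[path] = Entry{std::move(h), std::move(a)};
  }
  // Returns an HTTP status; the handler runs only after both checks pass.
  int dispatch(const Request& r, std::string* body) const {
    auto it = routes_.find(r.path);
    if (it == routes_.end()) return 404;
    if (r.principal.empty()) return 401;  // authentication comes first
    const Entry& e = it->second;
    bool ok = e.authorizer ? e.authorizer(r.principal) : permissive_;
    if (!ok) return 403;                  // authorization, deny by default
    *body = e.handler(r);
    return 200;
  }
  // Audit helper: every route that relies on the default policy.
  std::vector<std::string> withoutAuthorizer() const {
    std::vector<std::string> out;
    for (const auto& kv : routes_)
      if (!kv.second.authorizer) out.push_back(kv.first);
    return out;
  }
};

// Constructed sample routes: one with an authorizer, one registered without.
Router sampleRouter(bool permissive) {
  Router r(permissive);
  r.route("/metrics/snapshot", [](const Request&) { return std::string("{}"); },
          [](const std::string& p) { return p == "ops"; });
  r.route("/__processes__", [](const Request&) { return std::string("[]"); });
  return r;
}

int main() { for (const auto& p : sampleRouter(false).withoutAuthorizer()) std::cout << p << "\n"; }
```

With the non-permissive default, a route registered without an authorizer answers 403 to every authenticated principal until someone attaches an explicit rule, and `withoutAuthorizer()` gives the audit list of such routes.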