[MESOS-5705] ZK credential is exposed in /flags and /state - ASF JIRA

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Task
Status: Resolved
Priority: Blocker
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.0.0
Component/s: master, security
Labels:
- mesosphere
- security

Epic Link:
Authorize operator endpoints
Sprint:
Mesosphere Sprint 38
Story Points:
5

Description

Mesos allows zk credentials to be embedded in the zk url, but exposes these credentials in the /flags and /state endpoint. Even though /state is authorized, it only filters out frameworks/tasks, so the top-level flags are shown to any authenticated user.

"zk": "zk://dcos_mesos_master:my_secret_password@127.0.0.1:2181/mesos",

We need to find some way to hide this data, or even add a first-class VIEW_FLAGS acl that applies to any endpoint that exposes flags.

Attachments

Issue Links

Add Link

is related to

MESOS-5706 GET_ENDPOINT_WITH_PATH authz doesn't make sense for /flags

Resolved

Delete this link

Activity

Comment

This comment will be Viewable by All Users Viewable by All Users

Cancel

People

Assignee:: Alexander Rojas

Reporter:: Adam B

Shepherd:: Vinod Kone

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 24/Jun/16 15:05

Updated:: 29/Apr/19 12:26

Resolved:: 30/Jun/16 23:23

Agile

Completed Sprint:: Mesosphere Sprint 38 ended 08/Jul/16

View on Board

ZK credential is exposed in /flags and /state

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Agile

Slack

Issue deployment