-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/49196/
-----------------------------------------------------------

Review request for mesos, Adam B, Jan Schlicht, and Till Toenshoff.

Repository: mesos

Description
-------

The `/flags` endpoints in both agent and master use authorization; however, their contents are accessible to third parties by polling the `/state` endpoint on both. This patch disables authorization for the given endpoint until a better solution which covers all cases is found.

Diffs
-----

  src/master/http.cpp 837fba661a82d07e95bc2de6d08158002147131a
  src/slave/http.cpp c038bf0c9680ec86f77f1a27efeb7354a9e67627
  src/tests/master_authorization_tests.cpp 9ae6b9dc89538716d397ffd8826187e2bc6d7e8f
  src/tests/slave_authorization_tests.cpp 18bcb0e499a9d2d84113b5b9e609e5e40913ebcc

Diff: https://reviews.apache.org/r/49196/diff/

Testing
-------

`make check`, manual testing using a browser and the following script:

```sh
#! /usr/bin/env bash

rm -rf /tmp/mesos/*

# Credentials file: one "principal secret" pair per line.
cat <<EOF > /tmp/credentials.txt
foo bar
baz bar
EOF

# ACLs: only principal "foo" may GET any endpoint; everyone else is denied.
cat <<EOF > /tmp/acls.json
{
  "permissive": false,
  "get_endpoints" : [
    {
      "principals" : { "values" : ["foo"] },
      "paths" : { "type" : "ANY" }
    }
  ]
}
EOF

./bin/mesos-master.sh --work_dir=/tmp/mesos/master \
  --authenticate_http \
  --log_dir=/tmp/mesos/logs/master \
  --http_credentials=file:///tmp/credentials.txt \
  --acls=file:///tmp/acls.json &

./bin/mesos-slave.sh --work_dir=/tmp/mesos/slave \
  --master=127.0.0.1:5050 \
  --authenticate_http \
  --http_credentials=file:///tmp/credentials.txt \
  --acls=file:///tmp/acls.json &

# Give master and agent a moment to start listening before querying them.
sleep 5

# This should return the flags, foo is authorized
# to check all endpoints.
http GET http://127.0.0.1:5051/flags -a foo:bar

# This should return the flags, the endpoint doesn't
# require authorization.
http GET http://127.0.0.1:5051/flags -a baz:bar

# This should return 401 Unauthorized, the user bar
# is not known.
http GET http://127.0.0.1:5051/flags -a bar:bar
```

Thanks,

Alexander Rojas
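To make the three expected outcomes in the test script concrete, here is an added Python model (not Mesos code, and a simplification of the local authorizer's ACL matching) of how HTTP basic authentication and the `get_endpoints` ACL from `acls.json` combine into 401, 403 or 200 responses, before and after the patch stops applying authorization to `/flags`; the credentials, ACLs and the `authorized_endpoint` switch are constructed inputs.

```python
import base64
import json

# Constructed inputs mirroring /tmp/credentials.txt and /tmp/acls.json above.
CREDENTIALS = {"foo": "bar", "baz": "bar"}
ACLS = json.loads("""
{
  "permissive": false,
  "get_endpoints": [
    {"principals": {"values": ["foo"]}, "paths": {"type": "ANY"}}
  ]
}
""")


def matches(entity, value):
    """ACL entity semantics: {"type": "ANY"}, {"type": "NONE"} or {"values": [...]}."""
    if entity.get("type") == "ANY":
        return True
    if entity.get("type") == "NONE":
        return False
    return value in entity.get("values", [])


def authorize_get_endpoint(acls, principal, path):
    # Simplified model: the first ACL whose principals entry matches decides by
    # its paths entry; with "permissive": false an unmatched principal is denied.
    for acl in acls.get("get_endpoints", []):
        if matches(acl["principals"], principal):
            return matches(acl["paths"], path)
    return acls.get("permissive", True)


def authenticate(authorization_header, credentials):
    """Basic auth against the credentials file; returns the principal or None."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return None
    try:
        user, _, secret = base64.b64decode(authorization_header[6:]).decode().partition(":")
    except Exception:
        return None
    return user if credentials.get(user) == secret else None


def handle_get(path, authorization_header, authorized_endpoint, credentials=CREDENTIALS, acls=ACLS):
    """Response status: 401 unknown principal, 403 ACL denies, otherwise 200."""
    principal = authenticate(authorization_header, credentials)
    if principal is None:
        return 401
    if authorized_endpoint and not authorize_get_endpoint(acls, principal, path):
        return 403
    return 200


def basic(user, secret):
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()
```

With `authorized_endpoint=True` (the pre-patch `/flags`) `baz` gets 403, while with it set to `False` (the patched `/flags`, and `/state` as the description characterizes it) any authenticated principal gets 200, which is the inconsistency the patch papers over.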
