[jira] [Issue Comment Deleted] (MESOS-8014) Provide HTTP authenticatee interface re/usable for the scheduler library.

["Gavin (JIRA)" <ji...@apache.org>]

     [ https://issues.apache.org/jira/browse/MESOS-8014?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gavin updated MESOS-8014:
-------------------------
    Comment: was deleted

(was: www.rtat.net)

> Provide HTTP authenticatee interface re/usable for the scheduler library.
> -------------------------------------------------------------------------
>
>                 Key: MESOS-8014
>                 URL: https://issues.apache.org/jira/browse/MESOS-8014
>             Project: Mesos
>          Issue Type: Epic
>          Components: HTTP API, modules, scheduler api, security
>            Reporter: Till Toenshoff
>            Assignee: Till Toenshoff
>            Priority: Major
>              Labels: http, modularization, scheduler, security
>
> h4. Motivation
> Authentication and authorization have been added to most Mesos APIs at this point. Schedulers making use of the Mesos HTTP scheduler library however, currently only support a hard wired basic HTTP authentication.
> To secure the master’s HTTP scheduler API, the {{/api/v1/scheduler}} endpoint must be authenticated. Without authentication, a malicious or buggy actor from within or outside the cluster could send requests to these master endpoints, potentially disrupting running schedulers or tasks, injecting harmful tasks, or exposing privileged information.
> h4. Goals
> - Support custom authentication of schedulers based on the Mesos V1 HTTP scheduler API library [/src/scheduler/scheduler.cpp|https://github.com/apache/mesos/blob/8198579fea7e433e202bd33f4ea62eb235859365/src/scheduler/scheduler.cpp].
> - Require minimal operator configuration when enabling scheduler authentication for a simple default use case.
> - Provide a thin, reusable layer of abstraction enabling any HTTP API consumer to authenticate.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)