You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@mesos.apache.org by "Vinod Kone (JIRA)" <ji...@apache.org> on 2014/09/20 02:35:34 UTC

[jira] [Commented] (MESOS-1081) Master should not deactivate authenticated framework/slave on new AuthenticateMessage unless new authentication succeeds.

    [ https://issues.apache.org/jira/browse/MESOS-1081?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14141612#comment-14141612 ] 

Vinod Kone commented on MESOS-1081:
-----------------------------------

https://reviews.apache.org/r/25866/

> Master should not deactivate authenticated framework/slave on new AuthenticateMessage unless new authentication succeeds.
> -------------------------------------------------------------------------------------------------------------------------
>
>                 Key: MESOS-1081
>                 URL: https://issues.apache.org/jira/browse/MESOS-1081
>             Project: Mesos
>          Issue Type: Bug
>          Components: master
>            Reporter: Adam B
>              Labels: authentication, master, security
>
> Master should not deactivate an authenticated framework/slave upon receiving a new AuthenticateMessage unless new authentication succeeds. As it stands now, a malicious user could spoof the pid of an authenticated framework/slave and send an AuthenticateMessage to knock a valid framework/slave off the authenticated list, forcing the valid framework/slave to re-authenticate and re-register. This could be used in a DoS attack.
> But how should we handle the scenario when the actual authenticated framework/slave sends an AuthenticateMessage that fails authentication?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)