You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@mesos.apache.org by "Vinod Kone (JIRA)" <ji...@apache.org> on 2014/09/20 02:35:34 UTC

[jira] [Updated] (MESOS-1081) Master should not deactivate authenticated framework/slave on new AuthenticateMessage unless new authentication succeeds.

     [ https://issues.apache.org/jira/browse/MESOS-1081?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vinod Kone updated MESOS-1081:
------------------------------
          Sprint: Mesos Q3 Sprint 5
        Assignee: Vinod Kone
    Story Points: 1

> Master should not deactivate authenticated framework/slave on new AuthenticateMessage unless new authentication succeeds.
> -------------------------------------------------------------------------------------------------------------------------
>
>                 Key: MESOS-1081
>                 URL: https://issues.apache.org/jira/browse/MESOS-1081
>             Project: Mesos
>          Issue Type: Bug
>          Components: master
>            Reporter: Adam B
>            Assignee: Vinod Kone
>              Labels: authentication, master, security
>
> Master should not deactivate an authenticated framework/slave upon receiving a new AuthenticateMessage unless new authentication succeeds. As it stands now, a malicious user could spoof the pid of an authenticated framework/slave and send an AuthenticateMessage to knock a valid framework/slave off the authenticated list, forcing the valid framework/slave to re-authenticate and re-register. This could be used in a DoS attack.
> But how should we handle the scenario when the actual authenticated framework/slave sends an AuthenticateMessage that fails authentication?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)