You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@mesos.apache.org by "Vinod Kone (JIRA)" <ji...@apache.org> on 2014/09/20 02:35:34 UTC
[jira] [Updated] (MESOS-1081) Master should not deactivate
authenticated framework/slave on new AuthenticateMessage unless new
authentication succeeds.
[ https://issues.apache.org/jira/browse/MESOS-1081?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vinod Kone updated MESOS-1081:
------------------------------
Sprint: Mesos Q3 Sprint 5
Assignee: Vinod Kone
Story Points: 1
> Master should not deactivate authenticated framework/slave on new AuthenticateMessage unless new authentication succeeds.
> -------------------------------------------------------------------------------------------------------------------------
>
> Key: MESOS-1081
> URL: https://issues.apache.org/jira/browse/MESOS-1081
> Project: Mesos
> Issue Type: Bug
> Components: master
> Reporter: Adam B
> Assignee: Vinod Kone
> Labels: authentication, master, security
>
> Master should not deactivate an authenticated framework/slave upon receiving a new AuthenticateMessage unless new authentication succeeds. As it stands now, a malicious user could spoof the pid of an authenticated framework/slave and send an AuthenticateMessage to knock a valid framework/slave off the authenticated list, forcing the valid framework/slave to re-authenticate and re-register. This could be used in a DoS attack.
> But how should we handle the scenario when the actual authenticated framework/slave sends an AuthenticateMessage that fails authentication?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)