Posted to dev@mesos.apache.org by "Niklas Quarfot Nielsen (JIRA)" <ji...@apache.org> on 2014/06/17 03:31:03 UTC

[jira] [Comment Edited] (MESOS-1486) Add authentication of masters in slaves.

    [ https://issues.apache.org/jira/browse/MESOS-1486?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14033297#comment-14033297 ] 

Niklas Quarfot Nielsen edited comment on MESOS-1486 at 6/17/14 1:30 AM:
------------------------------------------------------------------------

With the slave authentication in place, it should be safe to provide a mechanism for the slave to authenticate the master using the same authenticator/authenticatee as in framework and slave authentication and piggyback on the registered message from the master to the slave.

The master would not leak its credentials to rogue slaves as it would authenticate first, and the slave will only (finally) accept the master if the registered message contains valid credentials (+ ACL in the longer run).

How does that sound?


was (Author: nnielsen):
With the slave authentication in place, it should be safe to provide a mechanism for the slave to authenticate the master using the same authenticator/authenticatee as in framework and slave authentication and piggyback on the registered message from the master to the slave.

How does that sound?

> Add authentication of masters in slaves.
> ----------------------------------------
>
>                 Key: MESOS-1486
>                 URL: https://issues.apache.org/jira/browse/MESOS-1486
>             Project: Mesos
>          Issue Type: Improvement
>          Components: slave
>            Reporter: Niklas Quarfot Nielsen
>
> Like masters can whitelist slaves (and only announce available resources from slaves whitelisted), slaves should be able to whitelist masters they are willing/allowed to connect to. I have a proof-of-concept ready which ties into the slave::detected() method and prevents non-whitelisted masters from registering.
> If "*" is provided - whitelisting is not enforced (which would be the usual case).


