Posted to issues@mesos.apache.org by "Greg Mann (JIRA)" <ji...@apache.org> on 2016/07/15 23:52:20 UTC

[jira] [Commented] (MESOS-5851) Create mechanism to control authentication between different HTTP endpoints

    [ https://issues.apache.org/jira/browse/MESOS-5851?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15380320#comment-15380320 ] 

Greg Mann commented on MESOS-5851:
----------------------------------

I think that adding an "HTTP authentication exclusion list" might actually be fairly straightforward. Since all HTTP authentication is performed in libprocess in {{ProcessBase::visit}}, we could easily check a requested path against the exclusion list there. If the path is excluded, we would pass {{None()}} along to the endpoint handler as the principal. This makes sense in the context of the current implementation, since libprocess currently passes {{None()}} for the principal iff HTTP authentication is disabled.

> Create mechanism to control authentication between different HTTP endpoints
> ---------------------------------------------------------------------------
>
>                 Key: MESOS-5851
>                 URL: https://issues.apache.org/jira/browse/MESOS-5851
>             Project: Mesos
>          Issue Type: Bug
>            Reporter: Zhitao Li
>
> All endpoint authentication is controlled by one single flag. We need this flag to be on so that `/reserve` `/unreserve` can get a principal.
> However, after 1.0, we cannot access important readonly endpoints `/master/state/` and `/metric/snapshot/` anymore without a password. The latter is detrimental to usability because many users don't have the supporting infra to distribute such metrics into every metrics collecting process yet.
> I'm looking towards a mechanism to at least allow unauthenticated access to selective whitelisted endpoints while keeping endpoints requiring AuthN/AuthZ still protected.
> quoting Joseph Wu, "we want a `--authenticate_http=true, but don't check` option"



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
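The exclusion-list check at the single dispatch point that the comment above proposes, written out as an added C++ example. This is not libprocess or Mesos code: Option, HttpAuthGate, normalizePath, the two excluded paths and the "alice" credential are all stand-ins constructed for the example, and credential parsing from the Authorization header is assumed to have happened before the gate is called.

```cpp
// Added example, not libprocess/Mesos code: an HTTP authentication
// exclusion list consulted at the one place every request passes
// through, in the spirit of the ProcessBase::visit proposal above.
// Option, HttpAuthGate and normalizePath are illustrative stand-ins.
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Minimal stand-in for libprocess Option<T>; a default-constructed
// Option plays the role of None().
template <typename T>
struct Option {
  bool some = false;
  T value{};
  Option() {}
  Option(const T& v) : some(true), value(v) {}
  bool isSome() const { return some; }
  bool isNone() const { return !some; }
  const T& get() const { return value; }
};

// Credentials as handed over after parsing the Authorization header;
// the parsing itself is out of scope here.
struct Credential { std::string user; std::string password; };

struct Request {
  std::string path;             // raw request target, may carry a query
  Option<Credential> credential;
};

struct Decision {
  bool allowed;                   // false means answer 401
  Option<std::string> principal;  // None() when no principal is known
};

// Canonicalize before consulting the list: drop the query, collapse
// empty and "." segments, resolve "..", strip the trailing "/". Matching
// the raw string would judge "/master/state/" or
// "/master/state/../reserve" differently from the route that serves them.
std::string normalizePath(const std::string& target) {
  std::string path = target.substr(0, target.find('?'));
  std::vector<std::string> segments;
  std::string seg;
  auto flush = [&]() {
    if (seg == "..") { if (!segments.empty()) segments.pop_back(); }
    else if (!seg.empty() && seg != ".") { segments.push_back(seg); }
    seg.clear();
  };
  for (char c : path) { if (c == '/') flush(); else seg += c; }
  flush();
  std::string out;
  for (const auto& s : segments) { out += '/'; out += s; }
  return out.empty() ? "/" : out;
}

class HttpAuthGate {
 public:
  HttpAuthGate(bool authenticateHttp,
               const std::set<std::string>& exclusions,
               std::map<std::string, std::string> credentials)
    : authenticateHttp_(authenticateHttp),
      credentials_(std::move(credentials)) {
    // Store exclusions canonicalized so lookups are exact matches; no
    // prefix matching, so excluding "/master/state" does not also open
    // "/master/state-summary".
    for (const auto& e : exclusions) exclusions_.insert(normalizePath(e));
  }

  Decision authenticate(const Request& req) const {
    // --authenticate_http=false: existing behaviour, principal is None().
    if (!authenticateHttp_) return {true, Option<std::string>()};

    // Excluded path: skip the credential check and hand the handler
    // None(), exactly as if authentication were disabled.
    if (exclusions_.count(normalizePath(req.path)) > 0) {
      return {true, Option<std::string>()};
    }

    // Every other path requires valid credentials. Plain == on the
    // secret is for brevity only; a real authenticator compares in
    // constant time, against a hash.
    if (req.credential.isSome()) {
      const Credential& c = req.credential.get();
      auto it = credentials_.find(c.user);
      if (it != credentials_.end() && it->second == c.password) {
        return {true, Option<std::string>(c.user)};
      }
    }
    return {false, Option<std::string>()};
  }

 private:
  bool authenticateHttp_;
  std::set<std::string> exclusions_;
  std::map<std::string, std::string> credentials_;
};

// Constructed fixture: two read-only endpoints excluded, one operator.
HttpAuthGate makeGate(bool authenticateHttp) {
  return HttpAuthGate(authenticateHttp,
                      {"/master/state", "/metrics/snapshot"},
                      {{"alice", "correct-horse"}});
}
```

Two things a practitioner would check before shipping this. First, the list must be matched against the same canonical path the router dispatches on (decoded, normalized, query stripped), never the raw request line, or the bypass applies to a different route than the one that ends up serving the request. Second, once excluded paths also receive None(), a handler can no longer tell "authentication disabled" from "unauthenticated caller on an excluded path", so the list should contain only read-only endpoints whose handlers never treat None() as a trusted or privileged principal.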