Posted to issues@aurora.apache.org by "Stephan Erb (JIRA)" <ji...@apache.org> on 2017/01/18 09:29:26 UTC

[jira] [Resolved] (AURORA-343) HTTP thrift service is not over SSL

     [ https://issues.apache.org/jira/browse/AURORA-343?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stephan Erb resolved AURORA-343.
--------------------------------
    Resolution: Not A Problem

I am closing this for now as we have a documented mitigation. If anyone feels strongly, I am totally fine with re-opening the issue.

{code}
commit 6ad4c8728b8f024a04a16be52a53ba96cc185ca3
Author: Stephan Erb <se...@apache.org>
Date:   Wed Jan 18 10:25:54 2017 +0100

    Make announced scheduler endpoint name configurable.

    We decided to co-deploy an HTTPS enabled reverse proxy in front of each of our
    Aurora schedulers. The proxy instances bind to `public_ip:8081` and the
    schedulers to `localhost:8081`. By announcing the scheduler endpoint as `https`
    we can ensure the default Aurora [client connects via HTTPS](https://github.com/apache/aurora/blob/master/src/main/python/apache/aurora/client/api/scheduler_client.py#L176-L178).

    Default:

        [zk: 127.0.0.1:2181(CONNECTED) 5] get /aurora/scheduler/member_0000000011
        {"serviceEndpoint":{"host":"aurora.local","port":8081},"additionalEndpoints":{"http":{"host":"aurora.local","port":8081}},"status":"ALIVE"}

    When running with `-serverset_endpoint_name=https`:

        [zk: 127.0.0.1:2181(CONNECTED) 0] get /aurora/scheduler/member_0000000019
        {"serviceEndpoint":{"host":"aurora.local","port":8081},"additionalEndpoints":{"https":{"host":"aurora.local","port":8081}},"status":"ALIVE"}

    Bugs closed: AURORA-343

    Reviewed at https://reviews.apache.org/r/55583/

 RELEASE-NOTES.md                                                 |  3 +++
 docs/operations/security.md                                      | 50 ++++++++++++++++++++++++++++++++++++--------------
 docs/reference/scheduler-configuration.md                        |  6 ++++++
 src/main/java/org/apache/aurora/scheduler/app/SchedulerMain.java |  6 +++++-
 4 files changed, 50 insertions(+), 15 deletions(-)
{code}

> HTTP thrift service is not over SSL
> -----------------------------------
>
>                 Key: AURORA-343
>                 URL: https://issues.apache.org/jira/browse/AURORA-343
>             Project: Aurora
>          Issue Type: Bug
>          Components: Scheduler
>            Reporter: Bill Farner
>            Assignee: Stephan Erb
>            Priority: Minor
>              Labels: newbie
>
> {{SchedulerAPIServlet}} is bound against the default debug HTTP server, which is non-encrypted.  This leaves the door open to snooping.



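An added example, not part of the original message and not Aurora's own code: a small audit that reads serverset member records like the two quoted in the commit message and reports any scheduler that still announces a plaintext endpoint. It assumes a client prefers an endpoint named `https` and otherwise falls back to `http`, as the commit message describes; the function names and the third, malformed record are constructed for illustration.

```python
import json

# The two serverset records quoted in the commit message above.
DEFAULT_MEMBER = ('{"serviceEndpoint":{"host":"aurora.local","port":8081},'
                  '"additionalEndpoints":{"http":{"host":"aurora.local","port":8081}},'
                  '"status":"ALIVE"}')
HTTPS_MEMBER = ('{"serviceEndpoint":{"host":"aurora.local","port":8081},'
                '"additionalEndpoints":{"https":{"host":"aurora.local","port":8081}},'
                '"status":"ALIVE"}')


def announced_url(member_json):
    """Return the URL a client would build from one serverset record.

    Assumption: an endpoint named "https" wins over one named "http".
    Raises ValueError when the record cannot be used at all.
    """
    record = json.loads(member_json)  # JSONDecodeError is a ValueError
    if not isinstance(record, dict):
        raise ValueError("record is not a JSON object")
    endpoints = record.get("additionalEndpoints")
    if not isinstance(endpoints, dict):
        raise ValueError("no additionalEndpoints map")
    for scheme in ("https", "http"):
        ep = endpoints.get(scheme)
        if isinstance(ep, dict) and "host" in ep and isinstance(ep.get("port"), int):
            return "%s://%s:%d" % (scheme, ep["host"], ep["port"])
    raise ValueError("no http or https endpoint announced")


def audit(members):
    """Map znode name -> finding for every member a client would not reach over HTTPS."""
    findings = {}
    for name, raw in sorted(members.items()):
        try:
            url = announced_url(raw)
        except ValueError as exc:
            findings[name] = "unusable record: %s" % exc
            continue
        if not url.startswith("https://"):
            findings[name] = "plaintext endpoint announced: %s" % url
    return findings


if __name__ == "__main__":
    sample = {
        "member_0000000011": DEFAULT_MEMBER,
        "member_0000000019": HTTPS_MEMBER,
        "member_constructed": '{"status":"ALIVE"}',  # constructed, malformed
    }
    for znode, finding in audit(sample).items():
        print(znode, "->", finding)
```

Announcing `https` only changes what clients are told to use; the listener itself is plaintext unless it is bound to `localhost` behind the proxy, as the commit message sets it up.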