Posted to issues@aurora.apache.org by "Stephan Erb (JIRA)" <ji...@apache.org> on 2017/01/18 09:29:26 UTC
[jira] [Resolved] (AURORA-343) HTTP thrift service is not over SSL
[ https://issues.apache.org/jira/browse/AURORA-343?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stephan Erb resolved AURORA-343.
--------------------------------
Resolution: Not A Problem
I am closing this for now as we have a documented mitigation. If anyone feels strongly, I am totally fine with re-opening the issue.
{code}
commit 6ad4c8728b8f024a04a16be52a53ba96cc185ca3
Author: Stephan Erb <se...@apache.org>
Date: Wed Jan 18 10:25:54 2017 +0100

Make announced scheduler endpoint name configurable.

We decided to co-deploy an HTTPS enabled reverse proxy in front of each of our
Aurora schedulers. The proxy instances bind to `public_ip:8081` and the
schedulers to `localhost:8081`. By announcing the scheduler endpoint as `https`
we can ensure the default Aurora [client connects via HTTPS](https://github.com/apache/aurora/blob/master/src/main/python/apache/aurora/client/api/scheduler_client.py#L176-L178).

Default:

[zk: 127.0.0.1:2181(CONNECTED) 5] get /aurora/scheduler/member_0000000011
{"serviceEndpoint":{"host":"aurora.local","port":8081},"additionalEndpoints":{"http":{"host":"aurora.local","port":8081}},"status":"ALIVE"}

When running with `-serverset_endpoint_name=https`:

[zk: 127.0.0.1:2181(CONNECTED) 0] get /aurora/scheduler/member_0000000019
{"serviceEndpoint":{"host":"aurora.local","port":8081},"additionalEndpoints":{"https":{"host":"aurora.local","port":8081}},"status":"ALIVE"}

Bugs closed: AURORA-343
Reviewed at https://reviews.apache.org/r/55583/

RELEASE-NOTES.md | 3 +++
docs/operations/security.md | 50 ++++++++++++++++++++++++++++++++++++--------------
docs/reference/scheduler-configuration.md | 6 ++++++
src/main/java/org/apache/aurora/scheduler/app/SchedulerMain.java | 6 +++++-
4 files changed, 50 insertions(+), 15 deletions(-)
{code}
> HTTP thrift service is not over SSL
> -----------------------------------
>
> Key: AURORA-343
> URL: https://issues.apache.org/jira/browse/AURORA-343
> Project: Aurora
> Issue Type: Bug
> Components: Scheduler
> Reporter: Bill Farner
> Assignee: Stephan Erb
> Priority: Minor
> Labels: newbie
>
> {{SchedulerAPIServlet}} is bound against the default debug HTTP server, which is non-encrypted. This leaves the door open to snooping.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
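The two serverset member records quoted in the commit message, run through a small audit: this is an added example, not part of the original message and not Aurora's own code. The function names, the verdict labels and the modelled client behaviour (prefer an `https` entry in `additionalEndpoints`, otherwise fall back to `http`) are assumptions made for illustration.

```python
import json

# Member records copied from the commit message quoted above.
DEFAULT_MEMBER = ('{"serviceEndpoint":{"host":"aurora.local","port":8081},'
                  '"additionalEndpoints":{"http":{"host":"aurora.local","port":8081}},'
                  '"status":"ALIVE"}')
HTTPS_MEMBER = ('{"serviceEndpoint":{"host":"aurora.local","port":8081},'
                '"additionalEndpoints":{"https":{"host":"aurora.local","port":8081}},'
                '"status":"ALIVE"}')


def announced_uri(member_json):
    """Return the URI a client would derive from one member record, or None.

    Assumption: the client prefers an "https" entry in additionalEndpoints
    and falls back to "http"; a record with neither is unusable.
    """
    try:
        member = json.loads(member_json)
    except ValueError:
        return None
    if not isinstance(member, dict) or member.get("status") != "ALIVE":
        return None
    endpoints = member.get("additionalEndpoints")
    if not isinstance(endpoints, dict):
        return None
    for scheme in ("https", "http"):
        ep = endpoints.get(scheme)
        if isinstance(ep, dict) and "host" in ep and "port" in ep:
            return "%s://%s:%s" % (scheme, ep["host"], ep["port"])
    return None


def audit_members(records):
    """Map each member node name to 'ok', 'plaintext' or 'unusable'."""
    findings = {}
    for name, raw in records.items():
        uri = announced_uri(raw)
        if uri is None:
            findings[name] = "unusable"
        else:
            findings[name] = "ok" if uri.startswith("https://") else "plaintext"
    return findings


if __name__ == "__main__":
    sample = {"member_0000000011": DEFAULT_MEMBER,
              "member_0000000019": HTTPS_MEMBER,
              "member_constructed": '{"status":"ALIVE"}'}  # constructed record
    for name, verdict in sorted(audit_members(sample).items()):
        print(name, verdict)
```

The announced name is only a label in ZooKeeper: an `ok` verdict shows what clients will attempt, not that the proxy on that port actually terminates TLS.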