Posted to issues@mesos.apache.org by "Alexander Rukletsov (JIRA)" <ji...@apache.org> on 2016/05/18 21:24:13 UTC

[jira] [Comment Edited] (MESOS-5335) Add authorization to GET /weights

    [ https://issues.apache.org/jira/browse/MESOS-5335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15289853#comment-15289853 ] 

Alexander Rukletsov edited comment on MESOS-5335 at 5/18/16 9:23 PM:
---------------------------------------------------------------------

This one should follow the same path we took in MESOS-5336. Once authorization filters land (MESOS-5403), we will be updating the implementation.


was (Author: alexr):
This one should follow the same path we take in MESOS-5336. Once authorization filters land (MESOS-5403), we will be updating the implementation.

> Add authorization to GET /weights
> ---------------------------------
>
>                 Key: MESOS-5335
>                 URL: https://issues.apache.org/jira/browse/MESOS-5335
>             Project: Mesos
>          Issue Type: Improvement
>          Components: master, security
>            Reporter: Adam B
>              Labels: mesosphere, security
>             Fix For: 0.29.0
>
>
> We already authorize which http users can update weights for particular roles, but even knowing of the existence of these roles (let alone their weights) may be sensitive information. We should add authz around GET operations on /weights.
> Easy option: GET_ENDPOINT_WITH_PATH /weights
> - Pro: No new verb
> - Con: All or nothing
> Complex option: GET_WEIGHTS_WITH_ROLE
> - Pro: Filters contents based on roles the user is authorized to see
> - Con: More authorize calls (one per role in each /weights request)
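
The two options from the ticket, sketched as an added C++ example that is not Mesos code and not part of the original message. Only the action names `GET_ENDPOINT_WITH_PATH` and `GET_WEIGHTS_WITH_ROLE` come from the ticket; the `Authorizer` model, the `Response` type and the sample principals and roles are assumptions.

```cpp
// Added illustration, not Mesos source. Only the two action names come from
// the ticket; the ACL model, types and sample data are hypothetical.
#include <map>
#include <set>
#include <string>

typedef std::map<std::string, double> Weights;  // role -> weight
struct Authorizer {
  std::set<std::string> endpointReaders;  // principals allowed to GET /weights
  std::map<std::string, std::set<std::string> > visibleRoles;  // per principal
  bool getEndpointWithPath(const std::string& who) const {
    return endpointReaders.count(who) > 0;
  }
  bool getWeightsWithRole(const std::string& who, const std::string& role) const {
    auto it = visibleRoles.find(who);
    return it != visibleRoles.end() && it->second.count(role) > 0;
  }
};

struct Response {
  int status;          // 200 or 403
  Weights body;        // roles disclosed to the caller
  int authorizeCalls;  // authorizer invocations spent on this request
};

// Easy option: a single check on the endpoint path, all or nothing.
Response getWeightsCoarse(const Authorizer& a, const std::string& who, const Weights& all) {
  if (!a.getEndpointWithPath(who)) return Response{403, Weights(), 1};
  return Response{200, all, 1};
}

// Complex option: one check per role. Unauthorized roles are dropped silently,
// so the reply does not reveal that they exist.
Response getWeightsFiltered(const Authorizer& a, const std::string& who, const Weights& all) {
  Response r = {200, Weights(), 0};
  for (const auto& entry : all) {
    ++r.authorizeCalls;
    if (a.getWeightsWithRole(who, entry.first)) r.body.insert(entry);
  }
  return r;
}

Weights sampleWeights() {  // constructed sample data
  return Weights{{"analytics", 2.0}, {"batch", 1.0}, {"payroll", 5.0}};
}
Authorizer sampleAuthorizer() {  // constructed ACLs: ops reads all, alice one role
  Authorizer a;
  a.endpointReaders.insert("ops");
  a.visibleRoles["alice"].insert("analytics");
  return a;
}
```

With the constructed data, `alice` gets a 403 under the coarse check but a one-role reply under the filtered one, at the cost of three authorizer calls instead of one.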


