Posted to dev@mesos.apache.org by "Adam B (JIRA)" <ji...@apache.org> on 2014/03/11 22:49:42 UTC

[jira] [Created] (MESOS-1081) Master should not deactivate authenticated framework/slave on new AuthenticateMessage unless new authentication succeeds.

Adam B created MESOS-1081:
-----------------------------

             Summary: Master should not deactivate authenticated framework/slave on new AuthenticateMessage unless new authentication succeeds.
                 Key: MESOS-1081
                 URL: https://issues.apache.org/jira/browse/MESOS-1081
             Project: Mesos
          Issue Type: Bug
          Components: master
            Reporter: Adam B


Master should not deactivate an authenticated framework/slave upon receiving a new AuthenticateMessage unless new authentication succeeds. As it stands now, a malicious user could spoof the pid of an authenticated framework/slave and send an AuthenticateMessage to knock a valid framework/slave off the authenticated list, forcing the valid framework/slave to re-authenticate and re-register. This could be used in a DoS attack.
But how should we handle the scenario when the actual authenticated framework/slave sends an AuthenticateMessage that fails authentication?



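
Added example, not part of the original issue and not Mesos source: a simplified C++ model of the ordering problem described above, contrasting dropping the authenticated entry on message receipt with deferring any state change until the new attempt succeeds. `ToyMaster`, its methods and the sample pid are hypothetical; treating a failed attempt as a no-op is an assumption, since the issue leaves that case open.

```cpp
// Simplified model of MESOS-1081; ToyMaster and its methods are hypothetical, not Mesos source.
#include <functional>
#include <set>
#include <string>

// Stand-in for the authentication exchange; returns true on success.
using Authenticator = std::function<bool(const std::string& pid)>;

class ToyMaster {
public:
  explicit ToyMaster(Authenticator a) : authenticate_(a) {}

  // Reported behaviour: drop the existing entry as soon as an
  // AuthenticateMessage arrives, before the outcome is known.
  bool onAuthenticateEager(const std::string& pid) {
    authenticated_.erase(pid);
    if (!authenticate_(pid)) return false;
    authenticated_.insert(pid);
    return true;
  }

  // Requested behaviour: change state only after the new attempt succeeds.
  // Assumption: a failed attempt leaves the prior entry untouched.
  bool onAuthenticateDeferred(const std::string& pid) {
    if (!authenticate_(pid)) return false;
    authenticated_.insert(pid);
    return true;
  }

  bool isAuthenticated(const std::string& pid) const { return authenticated_.count(pid) != 0; }

private:
  Authenticator authenticate_;
  std::set<std::string> authenticated_;
};

// Authenticate a pid, replay a failing attempt for it, and report whether
// the pid is still on the authenticated list afterwards.
bool survivesFailedReauth(bool deferred) {
  bool valid = true;  // constructed: flipped to simulate a failing attempt
  ToyMaster master([&valid](const std::string&) { return valid; });
  const std::string pid = "scheduler(1)@10.0.0.5:50001";  // constructed sample pid
  master.onAuthenticateDeferred(pid);
  valid = false;
  if (deferred) master.onAuthenticateDeferred(pid);
  else master.onAuthenticateEager(pid);
  return master.isAuthenticated(pid);
}

int main() { return survivesFailedReauth(true) && !survivesFailedReauth(false) ? 0 : 1; }
```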