You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@mesos.apache.org by "Gavin (JIRA)" <ji...@apache.org> on 2019/04/29 09:27:31 UTC

[jira] [Issue Comment Deleted] (MESOS-7203) Add a '--require_http_authentication' flag

     [ https://issues.apache.org/jira/browse/MESOS-7203?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gavin updated MESOS-7203:
-------------------------
    Comment: was deleted

(was: www.rtat.net)

> Add a '--require_http_authentication' flag
> ------------------------------------------
>
>                 Key: MESOS-7203
>                 URL: https://issues.apache.org/jira/browse/MESOS-7203
>             Project: Mesos
>          Issue Type: Improvement
>          Components: security
>            Reporter: Greg Mann
>            Priority: Major
>              Labels: authentication, http, mesosphere
>
> The current HTTP authentication implementation in Mesos makes it difficult to properly authorize some operations when authentication is not enabled. The {{UNRESERVE}} and {{DESTROY}} operations use a {{principal}} field stored in {{ReservationInfo}}/{{DiskInfo}} for authorization. This means that in order to authorize properly, the principal responsible for the reservation/volume must be available when the {{RESERVE}}/{{CREATE}} operation is performed. However, if HTTP authentication is not enabled, then operators are not able to provide a principal.
> In order to resolve this issue, a new {{\-\-require_http_authentication}} field could be added. This flag would complement the {{\-\-http_authenticators}} flag. The new behavior would be as follows:
> * If {{\-\-http_authenticators}} is set but {{\-\-require_http_authentication}} is not set, the authenticators would be loaded as specified, but unauthenticated requests would be permitted. In the case of an HTTP request containing an {{Authorization}} header, the header would be used to construct a {{Principal}} to be passed to the handlers.
> * If {{\-\-http_authenticators}} is set and {{\-\-require_http_authentication}} is also set, the {{Principal}} would be extracted and passed to handlers as before, but all requests without an authenticated principal would be rejected.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)