You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@mesos.apache.org by "Greg Mann (JIRA)" <ji...@apache.org> on 2017/03/03 01:38:45 UTC

[jira] [Created] (MESOS-7203) Add a '--require_http_authentication' flag

Greg Mann created MESOS-7203:
--------------------------------

             Summary: Add a '--require_http_authentication' flag
                 Key: MESOS-7203
                 URL: https://issues.apache.org/jira/browse/MESOS-7203
             Project: Mesos
          Issue Type: Improvement
          Components: security
            Reporter: Greg Mann


The current HTTP authentication implementation in Mesos makes it difficult to properly authorize some operations when authentication is not enabled. The {{UNRESERVE}} and {{DESTROY}} operations use a {{principal}} field stored in {{ReservationInfo}}/{{DiskInfo}} for authorization. This means that in order to authorize properly, the principal responsible for the reservation/volume must be available when the {{RESERVE}}/{{CREATE}} operation is performed. However, if HTTP authentication is not enabled, then operators are not able to provide a principal.

In order to resolve this issue, a new {{--require_http_authentication}} field could be added. This flag would complement the {{--http_authenticators}} flag. The new behavior would be as follows:
* If {{--http_authenticators}} is set but {{--require_http_authentication}} is not set, the authenticators would be loaded as specified, but unauthenticated requests would be permitted. In the case of an HTTP request containing an {{Authorization}} header, the header would be used to construct a {{Principal}} to be passed to the handlers.
* If {{--http_authenticators}} is set and {{--require_http_authentication}} is also set, the {{Principal}} would be extracted and passed to handlers as before, but all requests without an authenticated principal would be rejected.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)