Posted to issues@mesos.apache.org by "Dong Zhu (Jira)" <ji...@apache.org> on 2020/06/05 05:56:00 UTC

[jira] [Commented] (MESOS-9006) The agent's GET_AGENT leaks resource information when using authorization

    [ https://issues.apache.org/jira/browse/MESOS-9006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17126413#comment-17126413 ] 

Dong Zhu commented on MESOS-9006:
---------------------------------

[~bbannier] Here is the output from executing the `GET_AGENT` call on the agent with authorization enabled:
{code:java}
{
    "type": "GET_AGENT",
    "get_agent": {
        "agent_info": {
            "hostname": "172.16.9.188",
            "port": 5051,
            "resources": [
                {
                    "name": "cpus",
                    "type": "SCALAR",
                    "scalar": {
                        "value": 2.0
                    }
                },
                {
                    "name": "mem",
                    "type": "SCALAR",
                    "scalar": {
                        "value": 2763.0
                    }
                },
                {
                    "name": "disk",
                    "type": "SCALAR",
                    "scalar": {
                        "value": 46068.0
                    }
                },
                {
                    "name": "ports",
                    "type": "RANGES",
                    "ranges": {
                        "range": [
                            {
                                "begin": 31000,
                                "end": 32000
                            }
                        ]
                    }
                }
            ],
            "id": {
                "value": "4aa947e1-0815-458b-9277-c7fef46369ee-S0"
            }
        }
    }
}
{code}

What kind of resource does it leak? I don't see sensitive data there.


> The agent's GET_AGENT leaks resource information when using authorization
> -------------------------------------------------------------------------
>
>                 Key: MESOS-9006
>                 URL: https://issues.apache.org/jira/browse/MESOS-9006
>             Project: Mesos
>          Issue Type: Bug
>            Reporter: Benjamin Bannier
>            Priority: Critical
>              Labels: agent, integration, security
>
> While the master's {{GET_AGENTS}} call, e.g., filters resources (by using an approver with {{VIEW_ROLE}}) so that it does not leak resources the querying principal should not be able to see, no such filtering is done in the corresponding agent's {{GET_AGENT}} call.
> This call should be authorized as well, so that it does not expose information we expect not to be visible.
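Added example, not Mesos code and not part of this thread: a simplified Python model of the VIEW_ROLE filtering the issue says the master applies in GET_AGENTS, run over an agent_info shaped like the output quoted above with one constructed reservation added. The ACL, the principals and the `payments`/`analytics` roles are assumed; it shows what an unfiltered agent GET_AGENT response reveals that a filtered master response would not (unreserved resources, as in the quoted output, carry no role-specific information, so the difference only appears once reservations exist).

```python
import copy
from typing import Dict, Set

# Constructed VIEW_ROLE ACL: principal -> roles it may view. Not from any real deployment.
VIEW_ROLE_ACL: Dict[str, Set[str]] = {
    "ops": {"*", "analytics", "payments"},
    "analytics-user": {"*", "analytics"},
}

def resource_roles(resource: dict) -> Set[str]:
    """Roles a resource is reserved for; an unreserved resource belongs to the default role '*'."""
    reservations = resource.get("reservations", [])
    if not reservations:
        return {"*"}
    return {r["role"] for r in reservations}

def approved_view_role(principal: str, role: str) -> bool:
    """Simplified approver: may this principal view resources of this role?"""
    return role in VIEW_ROLE_ACL.get(principal, set())

def filter_agent_info(agent_info: dict, principal: str) -> dict:
    """Model of the master-side behaviour: drop resources the principal may not view."""
    filtered = copy.deepcopy(agent_info)
    filtered["resources"] = [
        r for r in agent_info.get("resources", [])
        if all(approved_view_role(principal, role) for role in resource_roles(r))
    ]
    return filtered

def leaked_roles(agent_info: dict, principal: str) -> Set[str]:
    """Roles an unfiltered GET_AGENT response reveals that the principal is not authorized to view."""
    seen: Set[str] = set()
    for r in agent_info.get("resources", []):
        seen |= resource_roles(r)
    return {role for role in seen if not approved_view_role(principal, role)}

# Constructed agent_info in the shape of the quoted output, plus one static reservation
# (the 'payments' role is assumed) so the filtering difference becomes observable.
AGENT_INFO = {
    "hostname": "172.16.9.188", "port": 5051,
    "resources": [
        {"name": "cpus", "type": "SCALAR", "scalar": {"value": 2.0}},
        {"name": "mem", "type": "SCALAR", "scalar": {"value": 2763.0}},
        {"name": "disk", "type": "SCALAR", "scalar": {"value": 46068.0},
         "reservations": [{"type": "STATIC", "role": "payments"}]},
    ],
}

if __name__ == "__main__":
    print("unfiltered agent response leaks:", leaked_roles(AGENT_INFO, "analytics-user"))
    print("filtered resources:", [r["name"] for r in filter_agent_info(AGENT_INFO, "analytics-user")["resources"]])
```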



--
This message was sent by Atlassian Jira
(v8.3.4#803005)