Hey Bhuvan,

The "ShutdownFramework" ACL is an example of authN/authZ of an HTTP endpoint ("/shutdown") from a user perspective. Depending on what HTTP endpoints you are planning to auth, we could conceivably add more ACLs or add a generic HTTP endpoint ACL. Of course this still doesn't give you sessions, caching, or encryption.
On Fri, Aug 22, 2014 at 5:36 PM, Bhuvan Arumugam <bhu...@apache.org> wrote:
> Hello,
>
> We use the auth/authz implementation for frameworks and slaves. They are neat! This thread is about auth for the web UI, between master and user.
>
> We are implementing authentication for the master web UI (port: 5050). The master seems to serve both user requests and protobuf messages from slaves & frameworks on the same port. Right? We want to authenticate user requests only. Is there a way to differentiate these messages?
>
> Based on how these messages can be differentiated, we are thinking of running the mesos master behind a proxy, apache or apache traffic server, primarily for 2 reasons:
> 1. authentication. The auth could be implemented through an apache module or ATS plugin.
> 2. security. serve user requests through https.
>
> If we use ATS, it may also solve the caching problem; but we aren't solving this problem right now.
>
> Making changes to mesos to address these concerns doesn't look neat. Mesos seems to return a complete json blob and all the magic is done at the client side, in angularjs. Mesos master isn't a full-fledged http server. It's not meant to keep track of user sessions; dealing with http cookies/headers/redirection is non-trivial.
>
> Anyone running mesos master behind a proxy, or solved the same problem differently?
>
> --
> Regards,
> Bhuvan Arumugam
> www.livecipher.com
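The proxy layout Bhuvan describes, with TLS termination and user authentication handled in front of a master that keeps listening on plain HTTP port 5050, written out as an added Apache httpd configuration. This is an illustration for the thread, not code from Mesos, the Apache httpd project, or either poster; the hostname, certificate paths, htpasswd file location and the loopback bind address are assumptions.

```apache
# Added example: Apache httpd as a TLS-terminating, authenticating reverse
# proxy in front of a Mesos master that still serves plain HTTP on port 5050.
# Assumptions (not from the thread): hostname mesos.example.internal,
# certificate/key under /etc/ssl, htpasswd file /etc/httpd/mesos.htpasswd,
# master reachable from the proxy host at 127.0.0.1:5050.
# Required modules: mod_ssl, mod_proxy, mod_proxy_http, mod_auth_basic,
# mod_authn_file, mod_authz_user.

# Drop this line if the main httpd.conf already listens on 443.
Listen 443

<VirtualHost *:443>
    ServerName mesos.example.internal

    # Reason 2 in the thread ("security"): users reach the UI and the
    # JSON/endpoint URLs only over HTTPS; the proxy holds the certificate.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/mesos.example.internal.crt
    SSLCertificateKeyFile /etc/ssl/private/mesos.example.internal.key

    # Reason 1 in the thread ("authentication"): every user request must
    # present valid credentials before it is forwarded, so the master never
    # sees anonymous browser traffic through this path. Basic auth is shown
    # because it needs no session state; any httpd auth module fits here.
    <Location />
        AuthType Basic
        AuthName "Mesos master"
        AuthUserFile /etc/httpd/mesos.htpasswd
        Require valid-user
    </Location>

    # Forward authenticated requests to the master. The AngularJS UI fetches
    # its JSON from the same origin, so proxying the whole tree is enough.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:5050/
    ProxyPassReverse / http://127.0.0.1:5050/
</VirtualHost>
```

Two points from the thread that this configuration does not solve by itself. First, it does not differentiate user requests from slave and framework messages; the split is made at the network layer instead, by making port 5050 reachable only from slaves, frameworks and the proxy host (bind address or firewall) and giving users only port 443. Second, the httpd user check and the master's own ACLs (such as the ShutdownFramework ACL mentioned in the reply) are separate layers: passing httpd's Basic auth does not turn the user into a Mesos principal, so authorization of endpoints like "/shutdown" on the master side still has to be configured there.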