Hey Bhuvan,

The "ShutdownFramework" ACL is an example of authN/authZ of an HTTP endpoint
("/shutdown") from a user perspective. Depending on what HTTP endpoints you
are planning to auth, we could conceivably add more ACLs or add a generic
HTTP endpoint ACL. Of course this still doesn't give you sessions, caching,
or encryption.


On Fri, Aug 22, 2014 at 5:36 PM, Bhuvan Arumugam <bhu...@apache.org> wrote:

> Hello,
>
> We use the auth/authz implementation for frameworks and slaves. They are
> neat! This thread is about auth for the web UI, between master and user.
>
> We are implementing authentication for the master web UI (port: 5050). The
> master seems to serve both user requests and protobuf messages from
> slaves & frameworks on the same port. Right? We want to authenticate user
> requests only. Is there a way to differentiate these messages?
>
> Based on how these messages can be differentiated, we are thinking of
> running the mesos master behind a proxy, apache or apache traffic server,
> primarily for 2 reasons:
>   1. authentication. The auth could be implemented through an apache
> module or ATS plugin.
>   2. security. serve user requests through https.
>
> If we use ATS, it may also solve the caching problem; but we aren't
> solving this problem right now.
>
> Making changes to mesos to address these concerns doesn't look neat.
> Mesos seems to return a complete json blob and all the magic is done at the
> client side, in angularjs. Mesos master isn't a full-fledged http
> server. It's not meant to keep track of user sessions; dealing with
> http cookies/headers/redirection is non-trivial.
>
> Anyone running mesos master behind a proxy, or solved the same problem
> differently?
>
> --
> Regards,
> Bhuvan Arumugam
> www.livecipher.com
>
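
As an added example (not from this thread and not part of the Mesos project),
here is an Apache httpd 2.4 reverse-proxy configuration along the lines Bhuvan
describes: TLS termination plus HTTP Basic authentication in front of the
master's web UI and JSON endpoints. It assumes slaves and frameworks are
pointed at the master's real address on the cluster network (10.0.0.10:5050 in
the example) and never go through the proxy, so the proxy does not try to tell
"user" from "internal" traffic by inspecting requests; that distinction rests on
the Libprocess-From header, which any client could add, and so is not a safe
basis for skipping authentication. Instead the proxy authenticates everything it
forwards, strips Libprocess-From so a browser user cannot make the master treat a
forwarded request as an internal message, and refuses the libprocess message
paths (internal protobuf messages are delivered to /master/<protobuf type name>,
e.g. /master/mesos.internal.RegisterSlaveMessage). The hostname, certificate
paths, htpasswd file and master address are placeholders. mod_ssl, mod_proxy,
mod_proxy_http, mod_headers, mod_auth_basic and mod_authn_file must be loaded.

```apache
# Added example configuration, not shipped with Mesos. Placeholders:
# mesos.example.com, the certificate paths, /etc/httpd/mesos.htpasswd
# (created with: htpasswd -c /etc/httpd/mesos.htpasswd <user>) and the
# master address 10.0.0.10:5050.
Listen 443 https

<VirtualHost *:443>
    ServerName mesos.example.com

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/mesos.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mesos.example.com.key
    SSLProtocol all -SSLv2 -SSLv3

    # Authenticate every request this proxy forwards. Slaves and frameworks
    # talk to 10.0.0.10:5050 directly on the cluster network (firewall that
    # port from users), so nothing forwarded here is legitimately "internal".
    <Location "/">
        AuthType Basic
        AuthName "Mesos master"
        AuthBasicProvider file
        AuthUserFile /etc/httpd/mesos.htpasswd
        Require valid-user
    </Location>

    # libprocess treats a request carrying Libprocess-From as an internal
    # message rather than a plain HTTP request. Never let a user-supplied
    # copy of that header reach the master.
    RequestHeader unset Libprocess-From

    # Internal protobuf messages are addressed to /master/<protobuf type>.
    # An authenticated UI user has no business reaching those paths, so deny
    # them outright (this Require replaces the valid-user rule above for
    # matching paths; AuthMerging defaults to Off).
    <LocationMatch "^/master/mesos\.internal\.">
        Require all denied
    </LocationMatch>

    ProxyRequests Off
    ProxyPass        / http://10.0.0.10:5050/
    ProxyPassReverse / http://10.0.0.10:5050/
</VirtualHost>
```

This gives authentication and https for the UI without changing Mesos, but,
as the reply above notes, not sessions: Basic auth credentials are resent on
every request, which is why the proxy must only ever be reachable over TLS.
It also does nothing for the master's own port 5050, which stays
unauthenticated and must be kept off any network users can reach.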
