See my answers inline.

>  Based on what you say, looks like there are more HTTP endpoints (rw)
> exposed to slaves and frameworks, like /shutdown. We don't want to
> implement auth for these endpoints, atm.
>

Yes. There are more user visible endpoints. See "master:port/help" for the
list of endpoints.

> That said, I think, we should authenticate /master/state.json only.
> Can I assume, this can be implemented in Master::Http::state method,
> using process::http::Request and process::http::Response? Or, does
> slave/framework use /master/state.json endpoint? Any changes to this
> method will not affect protobuf message exchange between master and
> slave/framework, I think. Correct me if I'm wrong.
>

For authorizing static http endpoints, we could resurrect some code that
didn't make it into 0.20.0. See the diff here (
https://github.com/apache/mesos/commit/a5cc9b435aad080a79230f0366a6ce77116c95a4)
and let me know if that is what you are looking for.

Note, the HTTP endpoints exposed by master for web requests do not impact
the internal HTTP endpoints used for communicating with frameworks/slaves.

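To make the "authenticate /master/state.json only" idea concrete, here is an added example of gating one read-only HTTP handler behind HTTP Basic authentication while leaving every other endpoint untouched. This is illustrative code written for this thread, not Mesos or libprocess code: the `Request`/`Response` structs, the `authenticated()` wrapper, the credential table and the JSON body are all constructed stand-ins, and header names are assumed to have been lower-cased by the server before dispatch.

```cpp
// Added example, not Mesos code: HTTP Basic auth in front of a single
// read-only handler. Request/Response are constructed stand-ins for
// process::http::Request/Response.
#include <cstdint>
#include <map>
#include <string>

struct Request {
  std::string path;
  std::map<std::string, std::string> headers;  // assumed lower-cased names
};

struct Response {
  int status = 200;
  std::map<std::string, std::string> headers;
  std::string body;
};

// Decode standard base64 (RFC 4648); false on malformed input.
static bool base64Decode(const std::string& in, std::string& out) {
  static const std::string tbl =
      "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
  if (in.size() % 4 != 0) return false;
  out.clear();
  uint32_t acc = 0;
  int bits = 0;
  bool pad = false;
  for (size_t i = 0; i < in.size(); ++i) {
    char c = in[i];
    if (c == '=') {                    // padding only in the last two slots
      if (i + 2 < in.size()) return false;
      pad = true;
      continue;
    }
    if (pad) return false;             // data after padding is malformed
    size_t v = tbl.find(c);
    if (v == std::string::npos) return false;
    acc = (acc << 6) | static_cast<uint32_t>(v);
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push_back(static_cast<char>((acc >> bits) & 0xFF));
    }
  }
  return true;
}

// Compare without short-circuiting on the first differing byte
// (length is still revealed, which is acceptable for passwords here).
static bool constantTimeEquals(const std::string& a, const std::string& b) {
  if (a.size() != b.size()) return false;
  unsigned char diff = 0;
  for (size_t i = 0; i < a.size(); ++i)
    diff |= static_cast<unsigned char>(a[i] ^ b[i]);
  return diff == 0;
}

// Parse "Authorization: Basic <base64(user:pass)>"; false if absent/malformed.
static bool parseBasicAuth(const Request& req, std::string& user, std::string& pass) {
  auto it = req.headers.find("authorization");
  if (it == req.headers.end()) return false;
  const std::string prefix = "Basic ";
  if (it->second.compare(0, prefix.size(), prefix) != 0) return false;
  std::string decoded;
  if (!base64Decode(it->second.substr(prefix.size()), decoded)) return false;
  size_t colon = decoded.find(':');
  if (colon == std::string::npos) return false;
  user = decoded.substr(0, colon);
  pass = decoded.substr(colon + 1);
  return true;
}

using Handler = Response (*)(const Request&);

// Run `handler` only for requests carrying valid credentials; otherwise 401.
static Response authenticated(const Request& req,
                              const std::map<std::string, std::string>& creds,
                              Handler handler) {
  std::string user, pass;
  bool ok = false;
  if (parseBasicAuth(req, user, pass)) {
    auto it = creds.find(user);
    bool known = it != creds.end();
    const std::string expected = known ? it->second : std::string();
    ok = constantTimeEquals(expected, pass) && known;
  }
  if (!ok) {
    Response r;
    r.status = 401;
    r.headers["WWW-Authenticate"] = "Basic realm=\"mesos\"";
    r.body = "Unauthorized";
    return r;
  }
  return handler(req);
}

// Constructed stand-in for the state.json handler.
static Response stateHandler(const Request&) {
  Response r;
  r.headers["Content-Type"] = "application/json";
  r.body = "{\"version\":\"0.20.0\"}";  // constructed body
  return r;
}

// The one endpoint that gets the auth gate; constructed credential table.
static Response serveState(const Request& req) {
  static const std::map<std::string, std::string> creds = {{"alice", "s3cret"}};
  return authenticated(req, creds, stateHandler);
}

int main() {
  Request r;
  r.path = "/master/state.json";
  Response denied = serveState(r);                      // no header -> 401
  r.headers["authorization"] = "Basic YWxpY2U6czNjcmV0";  // base64("alice:s3cret")
  Response allowed = serveState(r);                     // -> 200
  return (denied.status == 401 && allowed.status == 200) ? 0 : 1;
}
```

Only `serveState` goes through `authenticated()`; other handlers (such as a `/help` equivalent) would be registered directly, which is what keeps the internal framework/slave communication and the remaining web endpoints unaffected.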