[
https://issues.apache.org/jira/browse/MESOS-3024?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14621487#comment-14621487
]
Till Toenshoff commented on MESOS-3024:
---------------------------------------
+1 for undesired coupling of master provided credentials with authentication
activation. Let's keep in mind that e.g. ticket based authentication mechanisms
do not require credentials.
+1 for getting rid of the authentication requirement activation via the
"authenticate" and "authenticate_slaves" flags and instead using the ACLs.
> HTTP endpoint authN is enabled merely by specifying --credentials
> -----------------------------------------------------------------
>
> Key: MESOS-3024
> URL: https://issues.apache.org/jira/browse/MESOS-3024
> Project: Mesos
> Issue Type: Bug
> Components: master, security
> Reporter: Adam B
> Labels: authentication, http, mesosphere
>
> If I set `--credentials` on the master, framework and slave authentication
> are allowed, but not required. On the other hand, http authentication is now
> required for authenticated endpoints (currently only `/shutdown`). That means
> that I cannot enable framework or slave authentication without also enabling
> http endpoint authentication. This is undesirable.
> Framework and slave authentication have separate flags (`--authenticate` and
> `--authenticate_slaves`) to require authentication for each. It would be
> great if there was also such a flag for framework authentication. Or maybe we
> get rid of these flags altogether and rely on ACLs to determine which
> unauthenticated principals are even allowed to authenticate for each
> endpoint/action.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
