[jira] [Updated] (MESOS-3024) HTTP endpoint authN is enabled merely by specifying --credentials

[Adam B (JIRA)]

     [ 
https://issues.apache.org/jira/browse/MESOS-3024?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Adam B updated MESOS-3024:
--------------------------
    Description: 
If I set `--credentials` on the master, framework and slave authentication are 
allowed, but not required. On the other hand, http authentication is now 
required for authenticated endpoints (currently only `/shutdown`). That means 
that I cannot enable framework or slave authentication without also enabling 
http endpoint authentication. This is undesirable.

Framework and slave authentication have separate flags (`\--authenticate` and 
`\--authenticate_slaves`) to require authentication for each. It would be great 
if there was also such a flag for framework authentication. Or maybe we get rid 
of these flags altogether and rely on ACLs to determine which unauthenticated 
principals are even allowed to authenticate for each endpoint/action.

  was:
If I set `--credentials` on the master, framework and slave authentication are 
allowed, but not required. On the other hand, http authentication is now 
required for authenticated endpoints (currently only `/shutdown`). That means 
that I cannot enable framework or slave authentication without also enabling 
http endpoint authentication. This is undesirable.

Framework and slave authentication have separate flags (`--authenticate` and 
`--authenticate_slaves`) to require authentication for each. It would be great 
if there was also such a flag for framework authentication. Or maybe we get rid 
of these flags altogether and rely on ACLs to determine which unauthenticated 
principals are even allowed to authenticate for each endpoint/action.


> HTTP endpoint authN is enabled merely by specifying --credentials
> -----------------------------------------------------------------
>
>                 Key: MESOS-3024
>                 URL: https://issues.apache.org/jira/browse/MESOS-3024
>             Project: Mesos
>          Issue Type: Bug
>          Components: master, security
>            Reporter: Adam B
>              Labels: authentication, http, mesosphere
>
> If I set `--credentials` on the master, framework and slave authentication 
> are allowed, but not required. On the other hand, http authentication is now 
> required for authenticated endpoints (currently only `/shutdown`). That means 
> that I cannot enable framework or slave authentication without also enabling 
> http endpoint authentication. This is undesirable.
> Framework and slave authentication have separate flags (`\--authenticate` and 
> `\--authenticate_slaves`) to require authentication for each. It would be 
> great if there was also such a flag for framework authentication. Or maybe we 
> get rid of these flags altogether and rely on ACLs to determine which 
> unauthenticated principals are even allowed to authenticate for each 
> endpoint/action.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)