[ https://issues.apache.org/jira/browse/MESOS-5335?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Yongqiao Wang updated MESOS-5335:
---------------------------------
    Assignee:     (was: Yongqiao Wang)

> Add authorization to GET /weights
> ---------------------------------
>
>                 Key: MESOS-5335
>                 URL: https://issues.apache.org/jira/browse/MESOS-5335
>             Project: Mesos
>          Issue Type: Improvement
>          Components: master, security
>            Reporter: Adam B
>              Labels: mesosphere, security
>             Fix For: 0.29.0
>
>
> We already authorize which http users can update weights for particular
> roles, but even knowing of the existence of these roles (let alone their
> weights) may be sensitive information. We should add authz around GET
> operations on /weights.
> Easy option: GET_ENDPOINT_WITH_PATH /weights
> - Pro: No new verb
> - Con: All or nothing
> Complex option: GET_WEIGHTS_WITH_ROLE
> - Pro: Filters contents based on roles the user is authorized to see
> - Con: More authorize calls (one per role in each /weights request)

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
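
The trade-off between the two options in the issue description, as an added C++ sketch that is not Mesos code. `Acls`, `getWeightsByEndpoint`, `getWeightsByRole` and the sample principals, roles and weights are hypothetical and constructed for illustration; a principal with no ACL entry is assumed to be denied.

```cpp
#include <cstddef>
#include <iostream>
#include <map>
#include <set>
#include <string>

// Hypothetical model of the two options; none of these types are Mesos APIs.
using Acl = std::map<std::string, std::set<std::string>>;  // principal -> objects
using Weights = std::map<std::string, double>;             // role -> weight
struct Acls { Acl getEndpoints; Acl viewRoles; };
struct Result { bool allowed; Weights visible; std::size_t authorizeCalls; };

// Assumption: default deny when the principal or the object is not listed.
static bool authorized(const Acl& acl, const std::string& principal, const std::string& object) {
  auto it = acl.find(principal);
  return it != acl.end() && it->second.count(object) > 0;
}

// Easy option: one authorize call on the path, all roles or none.
Result getWeightsByEndpoint(const Acls& acls, const std::string& principal, const Weights& weights) {
  bool ok = authorized(acls.getEndpoints, principal, "/weights");
  return Result{ok, ok ? weights : Weights{}, 1};
}

// Complex option: one authorize call per role, response filtered to permitted roles.
Result getWeightsByRole(const Acls& acls, const std::string& principal, const Weights& weights) {
  Result r{true, Weights{}, 0};
  for (const auto& kv : weights) {
    ++r.authorizeCalls;
    if (authorized(acls.viewRoles, principal, kv.first)) r.visible.insert(kv);
  }
  return r;
}

// Constructed sample data.
Acls sampleAcls() {
  Acls a;
  a.getEndpoints["ops"] = {"/weights"};
  a.viewRoles["ops"] = {"dev", "prod", "secret"};
  a.viewRoles["dev-lead"] = {"dev"};
  return a;
}
Weights sampleWeights() { return Weights{{"dev", 2.0}, {"prod", 5.0}, {"secret", 1.0}}; }

int main() {
  for (const char* p : {"ops", "dev-lead", "guest"}) {
    Result e = getWeightsByEndpoint(sampleAcls(), p, sampleWeights());
    Result r = getWeightsByRole(sampleAcls(), p, sampleWeights());
    std::cout << p << ": endpoint=" << e.visible.size() << " roles/" << e.authorizeCalls
              << " call, per-role=" << r.visible.size() << " roles/" << r.authorizeCalls << " calls\n";
  }
}
```

In the per-role variant a principal with no permitted roles receives an empty list rather than a denial, so the response does not confirm that any role exists.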