[ https://issues.apache.org/jira/browse/MESOS-5851?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15389134#comment-15389134 ]
Greg Mann commented on MESOS-5851:
----------------------------------

Here's a simple patch for documentation updates to configuration.md and authentication.md:
https://reviews.apache.org/r/50322/

And updates to the CHANGELOG and upgrades.md:
https://reviews.apache.org/r/50332/
https://reviews.apache.org/r/50333/

And here are a few patches which alter the endpoint help strings to mention if an endpoint is read-only or read-write. These are bigger changes, so not sure if we want to try to merge them at the moment:
https://reviews.apache.org/r/50329/
https://reviews.apache.org/r/50330/
https://reviews.apache.org/r/50331/

> Create mechanism to control authentication between different HTTP endpoints
> ---------------------------------------------------------------------------
>
>                 Key: MESOS-5851
>                 URL: https://issues.apache.org/jira/browse/MESOS-5851
>             Project: Mesos
>          Issue Type: Bug
>          Components: libprocess
>    Affects Versions: 1.0.0
>            Reporter: Zhitao Li
>            Assignee: Zhitao Li
>              Labels: mesosphere, security
>             Fix For: 1.0.0
>
>
> All endpoints authentication is controlled by one single flag. We need this
> flag to be on so that `/reserve` `/unreserve` can get a principal.
> However, after 1.0, we cannot access important readonly endpoints
> `/master/state/` and `/metric/snapshot/` anymore w/o a password. The latter
> is detrimental on usability because many users don't have the supporting
> infra to distribute such metrics into every metrics collecting process yet.
> I'm looking towards a mechanism to at least allow unauthenticated access to
> selective whitelisted endpoints while keeping endpoints requiring AuthN/AuthZ
> still protected.
> quoting Joseph Wu, "we want a `--authenticate_http=true, but don't check`
> option"
> Proposed endpoint to realm grouping by [~zhitao]
> {quote}
> /////////////
> // Common realms shared by both master and agent
> ////////////
> FLAGS
> - /flags
>
> FILES
> - /files/browse
> - /files/browse.json
> - /files/debug
> - /files/debug.json
> - /files/download
> - /files/download.json
> - /files/read
> - /files/read.json
>
> LOGGING
> - /logging/toggle
>
> METRICS
> - /metrics/snapshot
>
> PROFILER
> - /profiler/start
> - /profiler/stop
>
> SYSTEMS
> - /system/stats.json
>
> VERSIONS
> - /version
>
> /////////////////
> // Additional master only realms
> ////////////////
> MAINTENANCE
> - /machine/down
> - /machine/up
> - /maintenance/schedule
> - /maintenance/status
>
> OPERATORS
> - /api/v1
>
> SCHEDULERS
> - /api/v1/scheduler
>
> REGISTRARS
> - /registrar(id)/registry
>
> RESERVATIONS
> - /reserve
> - /unreserve
> - /quota
> - /weights
>
> TEARDOWN
> - /teardown
>
> VIEWS
> - /frameworks
> - /roles
> - /roles.json
> - /slaves
> - /state
> - /state-summary
> - /state.json
> - /tasks
> - /tasks.json
>
> VOLUMES
> - /create-volumes
> - /destroy-volumes
>
> UNAUTHENTICATED
> - /health
> - /redirect
>
> ////////////////
> // Additional agent realms
> ////////////////
>
> OPERATORS
> - /api/v1
>
> VIEWS
> - /containers
> - /monitor/statistics
> - /monitor/statistics.json
> - /state
> - /state.json
>
> UNAUTHENTICATED
> - /api/v1/executor
> - /health
> {quote}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
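
An added example, not part of the original message and not Mesos code: a sketch of how the endpoint-to-realm grouping proposed in the issue could drive a per-realm authentication decision that fails closed. The function names, the `OPEN_REALMS` policy, the `/master` prefix handling and the reading of `(id)` as a process number are assumptions made for illustration.

```python
import re

# Subset of the master grouping proposed in the issue (realm -> endpoints).
MASTER_REALMS = {
    "METRICS": ["/metrics/snapshot"],
    "VIEWS": ["/state", "/state.json", "/state-summary", "/tasks"],
    "RESERVATIONS": ["/reserve", "/unreserve", "/quota", "/weights"],
    "REGISTRARS": ["/registrar(id)/registry"],
    "OPERATORS": ["/api/v1"],
    "SCHEDULERS": ["/api/v1/scheduler"],
    "UNAUTHENTICATED": ["/health", "/redirect"],
}
# Hypothetical operator choice: realms served without credentials.
OPEN_REALMS = {"METRICS", "VIEWS", "UNAUTHENTICATED"}

def build_index(realms):
    """Compile each endpoint to a regex; reject endpoints in two realms."""
    index, seen = [], {}
    for realm, endpoints in realms.items():
        for ep in endpoints:
            if ep in seen:
                raise ValueError(f"{ep} is in both {seen[ep]} and {realm}")
            seen[ep] = realm
            # Assumption: "(id)" stands for a parenthesised process number.
            pattern = re.escape(ep).replace(re.escape("(id)"), r"\(\d+\)")
            index.append((re.compile(pattern), realm))
    return index

def normalize(path):
    """Drop the query string, repeated slashes and a trailing slash."""
    path = re.sub(r"/{2,}", "/", path.split("?", 1)[0]).rstrip("/")
    # Assumption: master endpoints are also reachable under "/master".
    if path.startswith("/master/"):
        path = path[len("/master"):]
    return path or "/"

def realm_for(path, index):
    """Exact match only, so /api/v1/scheduler never falls into /api/v1."""
    path = normalize(path)
    for pattern, realm in index:
        if pattern.fullmatch(path):
            return realm
    return None

def requires_auth(path, index, open_realms=OPEN_REALMS):
    """Fail closed: unknown endpoints and unlisted realms need credentials."""
    return realm_for(path, index) not in open_realms

INDEX = build_index(MASTER_REALMS)
```

Matching whole paths rather than prefixes is what keeps `/api/v1/scheduler` and `/state-summary` from inheriting the policy of `/api/v1` and `/state`.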