[
https://issues.apache.org/jira/browse/MESOS-5335?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gavin updated MESOS-5335:
-------------------------
Comment: was deleted
(was: www.rtat.net)
> Add authorization to GET /weights.
> ----------------------------------
>
> Key: MESOS-5335
> URL: https://issues.apache.org/jira/browse/MESOS-5335
> Project: Mesos
> Issue Type: Improvement
> Components: master, security
> Reporter: Adam B
> Assignee: zhou xing
> Priority: Major
> Labels: mesosphere, security
> Fix For: 1.0.0
>
>
> We already authorize which http users can update weights for particular
> roles, but even knowing of the existence of these roles (let alone their
> weights) may be sensitive information. We should add authz around GET
> operations on /weights.
> Easy option: GET_ENDPOINT_WITH_PATH /weights
> - Pro: No new verb
> - Con: All or nothing
> Complex option: GET_WEIGHTS_WITH_ROLE
> - Pro: Filters contents based on roles the user is authorized to see
> - Con: More authorize calls (one per role in each /weights request)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
