[
https://issues.apache.org/jira/browse/MESOS-5705?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gavin updated MESOS-5705:
-------------------------
Comment: was deleted
(was: www.rtat.net)
> ZK credential is exposed in /flags and /state
> ---------------------------------------------
>
> Key: MESOS-5705
> URL: https://issues.apache.org/jira/browse/MESOS-5705
> Project: Mesos
> Issue Type: Task
> Components: master, security
> Reporter: Adam B
> Assignee: Alexander Rojas
> Priority: Blocker
> Labels: mesosphere, security
> Fix For: 1.0.0
>
>
> Mesos allows zk credentials to be embedded in the zk url, but exposes these
> credentials in the /flags and /state endpoint. Even though /state is
> authorized, it only filters out frameworks/tasks, so the top-level flags are
> shown to any authenticated user.
> "zk": "zk://dcos_mesos_master:[email protected]:2181/mesos",
> We need to find some way to hide this data, or even add a first-class
> VIEW_FLAGS acl that applies to any endpoint that exposes flags.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
