[
https://issues.apache.org/jira/browse/MESOS-9006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17136594#comment-17136594
]
Benjamin Bannier commented on MESOS-9006:
-----------------------------------------
[~dzhu], this is about leaks related to the {{VIEW_ROLE}} authorizer action.
To see the issue, reserve some resources for a role, then query the agent info
with {{GET_AGENT}} using a principal not authorized to view that role.
> The agent's GET_AGENT leaks resource information when using authorization
> -------------------------------------------------------------------------
>
> Key: MESOS-9006
> URL: https://issues.apache.org/jira/browse/MESOS-9006
> Project: Mesos
> Issue Type: Bug
> Reporter: Benjamin Bannier
> Priority: Critical
> Labels: agent, integration, security
>
> While the master's {{GET_AGENTS}} call, e.g., filters resources (by using an
> approver with {{VIEW_ROLE}}) so that it does not leak resources the querying
> principal should not be able to see, no such filtering is done in the
> corresponding agent's {{GET_AGENT}} call.
> This call should be authorized as well to not expose information we expect to
> be not visible.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
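The issue above describes the master applying a VIEW_ROLE approver to the resources it returns, while the agent's GET_AGENT response is returned unfiltered. The following is an added illustration, not Mesos code and not the reporter's: it models an agent-info response as plain dictionaries, builds a VIEW_ROLE approver from a constructed ACL table, and shows the difference between the unfiltered response (the leak reported) and one filtered the way the master's GET_AGENTS is described as doing. The ACL table, the principals (`ops`, `team-a`, `team-b`) and the agent-info layout are all assumptions made for the example.

```python
"""Added example (not Mesos code): filtering role-reserved resources
out of an agent-info response with a VIEW_ROLE approver."""
from typing import Callable, Dict, List, Set

# Constructed ACLs (assumption, not from the page): principal -> roles it may view.
# "*" means the principal may view every role.
VIEW_ROLE_ACLS: Dict[str, Set[str]] = {
    "ops": {"*"},
    "team-a": {"team-a"},
    "team-b": {"team-b"},
}

# Constructed agent-info document (assumption). Resources carry the role they
# are reserved for; "*" marks unreserved resources visible to everyone.
AGENT_INFO = {
    "id": "agent-1",
    "resources": [
        {"name": "cpus", "value": 4, "role": "*"},
        {"name": "cpus", "value": 2, "role": "team-a"},
        {"name": "mem", "value": 1024, "role": "team-b"},
    ],
    "reserved_resources": {
        "team-a": [{"name": "cpus", "value": 2}],
        "team-b": [{"name": "mem", "value": 1024}],
    },
}


def make_view_role_approver(principal: str) -> Callable[[str], bool]:
    """Return a predicate answering "may this principal view this role?".

    An unknown principal gets an empty set, so it is approved for nothing.
    """
    allowed = VIEW_ROLE_ACLS.get(principal, set())

    def approved(role: str) -> bool:
        return "*" in allowed or role in allowed

    return approved


def filter_resources(resources: List[dict], approved: Callable[[str], bool]) -> List[dict]:
    """Keep unreserved resources and those whose reservation role is approved."""
    return [r for r in resources if r.get("role", "*") == "*" or approved(r["role"])]


def get_agent(agent_info: dict, principal: str, authorize: bool = True) -> dict:
    """Model of the agent's GET_AGENT response.

    authorize=False reproduces the reported behaviour: the full document is
    returned regardless of principal. authorize=True applies the VIEW_ROLE
    approver to both the flat resource list and the per-role reservations.
    """
    if not authorize:
        return agent_info
    approved = make_view_role_approver(principal)
    filtered = dict(agent_info)
    filtered["resources"] = filter_resources(agent_info["resources"], approved)
    filtered["reserved_resources"] = {
        role: res for role, res in agent_info["reserved_resources"].items() if approved(role)
    }
    return filtered


def visible_roles(response: dict) -> Set[str]:
    """Every role a caller can learn about from a response (for checking leaks)."""
    roles = {r.get("role", "*") for r in response["resources"]}
    roles |= set(response["reserved_resources"])
    return roles


def leaked_roles(response: dict, principal: str) -> Set[str]:
    """Roles present in a response that the principal is not approved to view."""
    approved = make_view_role_approver(principal)
    return {role for role in visible_roles(response) if role != "*" and not approved(role)}


if __name__ == "__main__":
    unfiltered = get_agent(AGENT_INFO, "team-a", authorize=False)
    filtered = get_agent(AGENT_INFO, "team-a")
    print("unfiltered leaks:", sorted(leaked_roles(unfiltered, "team-a")))
    print("filtered leaks:  ", sorted(leaked_roles(filtered, "team-a")))
```

`leaked_roles` is the check a tester would run against a real response: with the unfiltered model it reports `team-b` for the `team-a` principal, and it reports nothing once the approver is applied. The same predicate that the master's call uses for filtering is what the agent's call needs; the example keeps it in one function so both code paths cannot drift apart.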