[ 
https://issues.apache.org/jira/browse/MESOS-9006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17138250#comment-17138250
 ] 

Dong Zhu commented on MESOS-9006:
---------------------------------

[~bbannier] There is no authorization in the agent's GET_AGENT call; regardless of 
whether resources are reserved or not, the agent always returns all the agent's resources. 

[https://github.com/apache/mesos/blob/master/src/slave/http.cpp#L2416-L2443]

There is authorization in the master's GET_AGENTS call; we should specify the correct 
principal to display all the reserved resource info.

> The agent's GET_AGENT leaks resource information when using authorization
> -------------------------------------------------------------------------
>
>                 Key: MESOS-9006
>                 URL: https://issues.apache.org/jira/browse/MESOS-9006
>             Project: Mesos
>          Issue Type: Bug
>            Reporter: Benjamin Bannier
>            Priority: Critical
>              Labels: agent, integration, security
>
> While the master's {{GET_AGENTS}} call, e.g., filters resources (by using an 
> approver with {{VIEW_ROLE}}) so that it does not leak resources the querying 
> principal should not be able to see, no such filtering is done in the 
> corresponding agent's {{GET_AGENT}} call.
> This call should be authorized as well, so as not to expose information we expect 
> not to be visible.
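Added example (Python, not Mesos code) of the filtering the comment says the master's GET_AGENTS applies and the agent's GET_AGENT does not: it applies VIEW_ROLE-style role filtering to a constructed GET_AGENT reply and reports which reserved amounts a principal limited to a few roles would otherwise learn. The field names (`get_agent.agent_info.resources`, `Resource.role`, `Resource.reservations[].role`) follow my reading of the Mesos v1 operator API and are assumptions; role matching is exact and ignores hierarchical roles.

```python
# Added example, not Mesos code. Emulates the VIEW_ROLE filtering that the
# master's GET_AGENTS performs and audits an unfiltered agent GET_AGENT reply.
# Assumed v1 API shapes: Resource.role (legacy) and Resource.reservations[].role.
from typing import Dict, Iterable, List


def effective_role(resource: Dict) -> str:
    """Role a resource is reserved for: the last entry of the reservations
    stack, else the legacy 'role' field, else '*' (unreserved)."""
    reservations = resource.get("reservations") or []
    if reservations:
        return reservations[-1]["role"]
    return resource.get("role") or "*"


def filter_for_principal(resources: List[Dict], viewable_roles: Iterable[str]) -> List[Dict]:
    """What an authorized call should show: unreserved resources plus those
    reserved for a role the principal is allowed to VIEW_ROLE."""
    allowed = set(viewable_roles)
    return [r for r in resources
            if effective_role(r) == "*" or effective_role(r) in allowed]


def leaked_reservations(get_agent_response: Dict, viewable_roles: Iterable[str]) -> Dict[str, float]:
    """Reserved scalar amounts in an unfiltered GET_AGENT reply that a principal
    limited to `viewable_roles` should not see, summed per role."""
    allowed = set(viewable_roles)
    resources = get_agent_response["get_agent"]["agent_info"]["resources"]
    leaked: Dict[str, float] = {}
    for r in resources:
        role = effective_role(r)
        if role == "*" or role in allowed or r.get("type") != "SCALAR":
            continue
        leaked[role] = leaked.get(role, 0.0) + r["scalar"]["value"]
    return leaked


# Constructed sample reply, shaped like an unfiltered agent GET_AGENT response.
SAMPLE_GET_AGENT = {
    "type": "GET_AGENT",
    "get_agent": {"agent_info": {"hostname": "agent1.example", "resources": [
        {"name": "cpus", "type": "SCALAR", "scalar": {"value": 4}, "role": "*"},
        {"name": "cpus", "type": "SCALAR", "scalar": {"value": 2},
         "reservations": [{"type": "STATIC", "role": "finance"}]},
        {"name": "mem", "type": "SCALAR", "scalar": {"value": 1024},
         "reservations": [{"type": "STATIC", "role": "finance"},
                          {"type": "DYNAMIC", "role": "finance/payroll"}]},
        {"name": "mem", "type": "SCALAR", "scalar": {"value": 512}, "role": "dev"},
    ]}},
}

if __name__ == "__main__":
    # A principal that may only view role "dev" still learns the finance reservations.
    print(leaked_reservations(SAMPLE_GET_AGENT, viewable_roles={"dev"}))
```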



--
This message was sent by Atlassian Jira
(v8.3.4#803005)