-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/49196/
-----------------------------------------------------------
(Updated June 24, 2016, 4:19 p.m.)
Review request for mesos, Adam B, Jan Schlicht, and Till Toenshoff.
Changes
-------
Removed unused code.
Bugs: MESOS-5706
https://issues.apache.org/jira/browse/MESOS-5706
Repository: mesos
Description
-------
The `/flags` endpoints in both agent and master use authorization;
however, their contents are accessible to third parties by polling
the `/state` endpoint on both.
This patch disables authorization for the given endpoint until a
better solution which covers all cases is found.
Diffs (updated)
-----
src/master/http.cpp 837fba661a82d07e95bc2de6d08158002147131a
src/master/master.hpp e983d1ba6ebcdaf2ace419201659e53edaa2a0aa
src/slave/http.cpp c038bf0c9680ec86f77f1a27efeb7354a9e67627
src/tests/master_authorization_tests.cpp 9ae6b9dc89538716d397ffd8826187e2bc6d7e8f
src/tests/slave_authorization_tests.cpp 18bcb0e499a9d2d84113b5b9e609e5e40913ebcc
Diff: https://reviews.apache.org/r/49196/diff/
Testing
-------
`make check`, manual testing using a browser and the following script:
```sh
#! /usr/bin/env bash
rm -rf /tmp/mesos/*
cat <<EOF > /tmp/credentials.txt
foo bar
baz bar
EOF
cat <<EOF > /tmp/acls.json
{
  "permissive": false,
  "get_endpoints" : [
    {
      "principals" : { "values" : ["foo"] },
      "paths" : { "type" : "ANY" }
    }
  ]
}
EOF
./bin/mesos-master.sh --work_dir=/tmp/mesos/master \
--authenticate_http \
--log_dir=/tmp/mesos/logs/master \
--http_credentials=file:///tmp/credentials.txt \
--acls=file:///tmp/acls.json &
./bin/mesos-slave.sh --work_dir=/tmp/mesos/slave \
--master=127.0.0.1:5050 \
--authenticate_http \
--http_credentials=file:///tmp/credentials.txt \
--acls=file:///tmp/acls.json &
# This should return the flags, foo is authorized
# to check all endpoints.
http GET http://127.0.0.1:5051/flags -a foo:bar
# This should return the flags, the endpoint doesn't
# require authorization.
http GET http://127.0.0.1:5051/flags -a baz:bar
# This should return 401 Unauthorized, the user bar
# is not known.
http GET http://127.0.0.1:5051/flags -a bar:bar
```
Thanks,
Alexander Rojas
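An added example, not part of this review or of the Mesos code base: a small consistency check for the argument in the description, namely that an ACL on `/flags` is ineffective while `/state` returns the same flags without authorization. The endpoint-to-field model is constructed; that `/flags` and `/state` both expose `flags` comes from the description, the other field names are assumed.

```python
"""Added example (not Mesos project code): detect fields whose authorization
on one endpoint is undermined because another endpoint exposes them freely."""

# Constructed model of which JSON fields each HTTP endpoint exposes. Only the
# "flags" overlap between /flags and /state is taken from the review; the
# remaining field names are assumed for illustration.
MESOS_EXPOSURE = {
    "/flags": {"flags"},
    "/state": {"flags", "version", "frameworks", "slaves"},
    "/health": set(),
}
# Before the patch only /flags was authorized while /state could be polled
# by anyone; the patch drops authorization on /flags.
AUTHORIZED_BEFORE_PATCH = {"/flags"}
AUTHORIZED_AFTER_PATCH = set()


def ineffective_authorization(exposure, authorized):
    """Return {field: (protected_endpoints, leaking_endpoints)} for each field
    guarded on at least one endpoint but readable without authorization on
    another. An empty result means the ACL coverage is consistent, whether or
    not the field is protected at all."""
    protected, leaking = {}, {}
    for endpoint, fields in exposure.items():
        target = protected if endpoint in authorized else leaking
        for field in fields:
            target.setdefault(field, set()).add(endpoint)
    return {
        field: (sorted(protected[field]), sorted(leaking[field]))
        for field in sorted(protected)
        if field in leaking
    }


def unprotected_fields(exposure, authorized):
    """Fields an unauthenticated client can read on some endpoint."""
    return sorted({f for e, fields in exposure.items()
                   if e not in authorized for f in fields})


if __name__ == "__main__":
    print(ineffective_authorization(MESOS_EXPOSURE, AUTHORIZED_BEFORE_PATCH))
    print(ineffective_authorization(MESOS_EXPOSURE, AUTHORIZED_AFTER_PATCH))
    # The "better solution" the description defers: authorize both endpoints.
    print(ineffective_authorization(MESOS_EXPOSURE, {"/flags", "/state"}))
    print(unprotected_fields(MESOS_EXPOSURE, {"/flags", "/state"}))
```

The first call reports the inconsistency the patch fixes; the second and third both come back empty, but only the third also removes `flags` from the unprotected set.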