-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/49196/#review139764
-----------------------------------------------------------


src/master/http.cpp
<https://reviews.apache.org/r/49196/#comment205107>

    After removing the Authorization Help we need to regenerate the endpoint documentation. I have done so with https://reviews.apache.org/r/49311/


- Joerg Schad


On June 27, 2016, 10 a.m., Alexander Rojas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/49196/
> -----------------------------------------------------------
> 
> (Updated June 27, 2016, 10 a.m.)
> 
> 
> Review request for mesos, Adam B, Jan Schlicht, and Till Toenshoff.
> 
> 
> Bugs: MESOS-5706
>     https://issues.apache.org/jira/browse/MESOS-5706
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> The `/flags` endpoints in both agent and master use authorization;
> however, their contents are accessible to third parties by polling
> the `/state` endpoint on both.
> 
> This patch disables authorization for the given endpoint until a
> better solution which covers all cases is found.
> 
> 
> Diffs
> -----
> 
>   src/master/http.cpp d55aa05c76bb2b1fb17b795510fd50c021cdb995 
>   src/master/master.hpp 648f1a217cc7bbb154a9d7a2a8b2c5d02087af03 
>   src/slave/http.cpp c038bf0c9680ec86f77f1a27efeb7354a9e67627 
>   src/tests/master_authorization_tests.cpp 1cda523f25242c317817e0073b68651fddfade85 
>   src/tests/slave_authorization_tests.cpp 18bcb0e499a9d2d84113b5b9e609e5e40913ebcc 
> 
> Diff: https://reviews.apache.org/r/49196/diff/
> 
> 
> Testing
> -------
> 
> `make check`, manual testing using a browser and the following script:
> 
> ```sh
> #! /usr/bin/env bash
> 
> rm -rf /tmp/mesos/*
> 
> cat <<EOF > /tmp/credentials.txt
> foo bar
> baz bar
> EOF
> 
> cat <<EOF > /tmp/acls.json
> {
>   "permissive": false,
>   "get_endpoints" : [
>     {
>       "principals" : { "values" : ["foo"] },
>       "paths" : { "type" : "ANY" }
>     }
>   ]
> }
> EOF
> 
> ./bin/mesos-master.sh --work_dir=/tmp/mesos/master \
>   --authenticate_http \
>   --log_dir=/tmp/mesos/logs/master \
>   --http_credentials=file:///tmp/credentials.txt \
>   --acls=file:///tmp/acls.json &
> ./bin/mesos-slave.sh --work_dir=/tmp/mesos/slave \
>   --master=127.0.0.1:5050 \
>   --authenticate_http \
>   --http_credentials=file:///tmp/credentials.txt \
>   --acls=file:///tmp/acls.json &
> 
> # This should return the flags, foo is authorized
> # to check all endpoints.
> http GET http://127.0.0.1:5051/flags -a foo:bar
> 
> # This should return the flags, the endpoint doesn't
> # require authorization.
> http GET http://127.0.0.1:5051/flags -a baz:bar
> 
> # This should return 401 Unauthorized, the user bar
> # is not known.
> http GET http://127.0.0.1:5051/flags -a bar:bar
> ```
> 
> 
> Thanks,
> 
> Alexander Rojas
> 
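As an added illustration of the inconsistency the review's description points out (this is example code written for this page, not code from the review or from Mesos): a small Python model of a master that first authenticates the caller against the credentials file, then applies the `get_endpoints` ACL only to the endpoints that are wired for authorization. The ACL evaluation (first matching rule wins, `NONE` matches every request but allows none, `permissive` decides unmatched requests), the `handle_get` routing and the sample flags/state bodies are assumptions of this model. It shows that while `/flags` is authorized and `/state` is not, principal `baz` is refused on `/flags` yet reads the same flags from `/state`, which is why the patch drops a check that does not actually protect the data.

```python
"""Model of Mesos HTTP endpoint authentication/authorization (MESOS-5706).

Simplified, constructed model for this page; not Mesos source code.
"""
import json

# Constructed inputs mirroring the review's test script.
CREDENTIALS = {"foo": "bar", "baz": "bar"}

ACLS = json.loads("""
{
  "permissive": false,
  "get_endpoints": [
    {
      "principals": {"values": ["foo"]},
      "paths": {"type": "ANY"}
    }
  ]
}
""")

# Constructed bodies: /state embeds the same flags that /flags serves.
FLAGS = {"authenticate_http": "true", "work_dir": "/tmp/mesos/master"}
STATE = {"version": "x.y.z", "flags": FLAGS, "frameworks": []}


def _entity_type(entity):
    # An entity with explicit values but no type is SOME (assumption).
    return entity.get("type", "SOME" if "values" in entity else "ANY")


def entity_matches(entity, value):
    """Does this ACL entity apply to `value`? ANY and NONE apply to all
    values (a NONE rule must match in order to deny); SOME only to listed."""
    kind = _entity_type(entity)
    if kind in ("ANY", "NONE"):
        return True
    return value in entity.get("values", [])


def entity_allows(entity, value):
    """Once an entity matches, does it grant access to `value`?"""
    kind = _entity_type(entity)
    if kind == "ANY":
        return True
    if kind == "NONE":
        return False
    return value in entity.get("values", [])


def authorize_get(acls, principal, path):
    """First-match ACL evaluation; unmatched requests fall back to `permissive`."""
    for acl in acls.get("get_endpoints", []):
        if (entity_matches(acl["principals"], principal)
                and entity_matches(acl["paths"], path)):
            return (entity_allows(acl["principals"], principal)
                    and entity_allows(acl["paths"], path))
    return bool(acls.get("permissive", True))


def handle_get(path, credentials, authorized_paths, acls=ACLS):
    """Return (status, body) for a GET with HTTP basic credentials.

    401: unknown principal or wrong password (authentication).
    403: authenticated, but the ACL denies this path (authorization),
         checked only for endpoints listed in `authorized_paths`.
    """
    user, password = credentials
    if CREDENTIALS.get(user) != password:
        return 401, None
    if path in authorized_paths and not authorize_get(acls, user, path):
        return 403, None
    if path == "/flags":
        return 200, {"flags": FLAGS}
    if path == "/state":
        return 200, STATE
    return 404, None


def flags_visible_to(credentials, authorized_paths):
    """Which endpoints reveal the flags to this caller: the defender's
    consistency check behind the review's description."""
    exposed = {}
    for path in ("/flags", "/state"):
        status, body = handle_get(path, credentials, authorized_paths)
        exposed[path] = status == 200 and body.get("flags") == FLAGS
    return exposed


# Before the patch only /flags is authorized; after it, neither endpoint is.
BEFORE = frozenset({"/flags"})
AFTER = frozenset()

if __name__ == "__main__":
    for label, paths in (("before", BEFORE), ("after", AFTER)):
        for cred in (("foo", "bar"), ("baz", "bar"), ("bar", "bar")):
            print(label, cred[0], flags_visible_to(cred, paths))
```

Running it prints, for the "before" configuration, that `baz` gets the flags from `/state` but not from `/flags`, while `bar` gets nothing on either (401). The useful observation for anyone reviewing an authorization scheme is the one in `flags_visible_to`: a per-endpoint check is only as strong as the least-protected endpoint that serves the same data.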