[
https://issues.apache.org/jira/browse/MESOS-5335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15289853#comment-15289853
]
Alexander Rukletsov edited comment on MESOS-5335 at 5/18/16 9:23 PM:
---------------------------------------------------------------------
This one should follow the same path we took in MESOS-5336. Once authorization
filters land (MESOS-5403), we will be updating the implementation.
was (Author: alexr):
This one should follow the same path we take in MESOS-5336. Once authorization
filters land (MESOS-5403), we will be updating the implementation.
> Add authorization to GET /weights
> ---------------------------------
>
> Key: MESOS-5335
> URL: https://issues.apache.org/jira/browse/MESOS-5335
> Project: Mesos
> Issue Type: Improvement
> Components: master, security
> Reporter: Adam B
> Labels: mesosphere, security
> Fix For: 0.29.0
>
>
> We already authorize which http users can update weights for particular
> roles, but even knowing of the existence of these roles (let alone their
> weights) may be sensitive information. We should add authz around GET
> operations on /weights.
> Easy option: GET_ENDPOINT_WITH_PATH /weights
> - Pro: No new verb
> - Con: All or nothing
> Complex option: GET_WEIGHTS_WITH_ROLE
> - Pro: Filters contents based on roles the user is authorized to see
> - Con: More authorize calls (one per role in each /weights request)
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
