[ https://issues.apache.org/jira/browse/MESOS-5335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15289853#comment-15289853 ]
Alexander Rukletsov edited comment on MESOS-5335 at 5/18/16 9:23 PM:
---------------------------------------------------------------------

This one should follow the same path we took in MESOS-5336. Once authorization filters land (MESOS-5403), we will be updating the implementation.

was (Author: alexr):
This one should follow the same path we take in MESOS-5336. Once authorization filters land (MESOS-5403), we will be updating the implementation.

> Add authorization to GET /weights
> ---------------------------------
>
>                 Key: MESOS-5335
>                 URL: https://issues.apache.org/jira/browse/MESOS-5335
>             Project: Mesos
>          Issue Type: Improvement
>          Components: master, security
>            Reporter: Adam B
>              Labels: mesosphere, security
>             Fix For: 0.29.0
>
>
> We already authorize which http users can update weights for particular
> roles, but even knowing of the existence of these roles (let alone their
> weights) may be sensitive information. We should add authz around GET
> operations on /weights.
>
> Easy option: GET_ENDPOINT_WITH_PATH /weights
> - Pro: No new verb
> - Con: All or nothing
>
> Complex option: GET_WEIGHTS_WITH_ROLE
> - Pro: Filters contents based on roles the user is authorized to see
> - Con: More authorize calls (one per role in each /weights request)

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
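To make the trade-off in the quoted issue concrete, here is an added example (not Mesos code, and not from the issue's author) that models the two options side by side: a path-level check that answers all-or-nothing in one authorize call, and a per-role check that filters the /weights response at the cost of one authorize call per role. The ACL table, principals and weights are constructed for the example.

```python
from typing import Dict, Tuple

# Constructed sample: role -> weight, as a /weights response would carry.
WEIGHTS: Dict[str, float] = {"analytics": 2.0, "batch": 1.0, "ops": 3.5}

# Constructed ACL table standing in for the master's authorizer:
# (principal, action, object) -> allowed?
ACLS: Dict[Tuple[str, str, str], bool] = {
    # Easy option: a single path-level permission.
    ("alice", "GET_ENDPOINT_WITH_PATH", "/weights"): True,
    ("bob", "GET_ENDPOINT_WITH_PATH", "/weights"): False,
    # Complex option: one permission per role.
    ("alice", "GET_WEIGHTS_WITH_ROLE", "analytics"): True,
    ("alice", "GET_WEIGHTS_WITH_ROLE", "ops"): True,
    ("bob", "GET_WEIGHTS_WITH_ROLE", "batch"): True,
}


class CountingAuthorizer:
    """Answers ACL questions and counts how many were asked per request."""

    def __init__(self) -> None:
        self.calls = 0

    def authorized(self, principal: str, action: str, obj: str) -> bool:
        self.calls += 1
        # Default deny: anything not listed in the ACL table is refused.
        return ACLS.get((principal, action, obj), False)


def get_weights_by_path(principal: str, authz: CountingAuthorizer):
    """Easy option: one authorize call, caller sees everything or nothing."""
    if not authz.authorized(principal, "GET_ENDPOINT_WITH_PATH", "/weights"):
        return 403, {}
    return 200, dict(WEIGHTS)


def get_weights_by_role(principal: str, authz: CountingAuthorizer):
    """Complex option: one authorize call per role; unauthorized roles
    (and their existence) are dropped from the response."""
    visible = {
        role: weight
        for role, weight in WEIGHTS.items()
        if authz.authorized(principal, "GET_WEIGHTS_WITH_ROLE", role)
    }
    return 200, visible
```

With three roles, the per-role option costs three authorize calls per request where the path option costs one, which is the "Con" the issue notes.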