Greg Mann created MESOS-7203:
--------------------------------

Summary: Add a '--require_http_authentication' flag
Key: MESOS-7203
URL: https://issues.apache.org/jira/browse/MESOS-7203
Project: Mesos
Issue Type: Improvement
Components: security
Reporter: Greg Mann

The current HTTP authentication implementation in Mesos makes it difficult to properly authorize some operations when authentication is not enabled. The {{UNRESERVE}} and {{DESTROY}} operations use a {{principal}} field stored in {{ReservationInfo}}/{{DiskInfo}} for authorization. This means that in order to authorize properly, the principal responsible for the reservation/volume must be available when the {{RESERVE}}/{{CREATE}} operation is performed. However, if HTTP authentication is not enabled, then operators are not able to provide a principal.

In order to resolve this issue, a new {{--require_http_authentication}} field could be added. This flag would complement the {{--http_authenticators}} flag. The new behavior would be as follows:

* If {{--http_authenticators}} is set but {{--require_http_authentication}} is not set, the authenticators would be loaded as specified, but unauthenticated requests would be permitted. In the case of an HTTP request containing an {{Authorization}} header, the header would be used to construct a {{Principal}} to be passed to the handlers.
* If {{--http_authenticators}} is set and {{--require_http_authentication}} is also set, the {{Principal}} would be extracted and passed to handlers as before, but all requests without an authenticated principal would be rejected.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
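The decision matrix proposed above, written out as an added example (not Mesos code): the two flags are modelled as booleans, the authenticator is a hypothetical pre-shared-token lookup with a constructed credential, and the handling of an invalid {{Authorization}} header (rejected in both modes) is an assumption the ticket does not state.

```cpp
#include <map>
#include <optional>
#include <string>

// Illustration of the proposed --http_authenticators / --require_http_authentication
// semantics. Not Mesos code; credentials and names below are constructed.
struct Principal { std::string value; };

struct Flags {
  bool http_authenticators = false;         // --http_authenticators given
  bool require_http_authentication = false; // --require_http_authentication given
};

enum class Outcome { Allowed, Unauthorized };

struct Decision {
  Outcome outcome;
  std::optional<Principal> principal; // set only when the request authenticated
};

// Hypothetical authenticator: maps a pre-shared token to a principal name.
static std::optional<Principal> authenticate(const std::string& authHeader) {
  static const std::map<std::string, std::string> tokens = {
    {"Bearer tok-framework-a", "framework-a"}, // constructed sample credential
  };
  auto it = tokens.find(authHeader);
  if (it == tokens.end()) return std::nullopt;
  return Principal{it->second};
}

// Decide whether a request proceeds and which principal (if any) handlers see.
Decision admit(const Flags& flags, const std::optional<std::string>& authHeader) {
  if (!flags.http_authenticators) {
    return {Outcome::Allowed, std::nullopt}; // no authenticators: anonymous
  }
  if (authHeader) {
    std::optional<Principal> p = authenticate(*authHeader);
    if (p) return {Outcome::Allowed, p};
    // Credentials presented but invalid: reject in both modes (assumption).
    return {Outcome::Unauthorized, std::nullopt};
  }
  // No credentials at all: the flag decides.
  if (flags.require_http_authentication) return {Outcome::Unauthorized, std::nullopt};
  return {Outcome::Allowed, std::nullopt}; // permitted, but handlers get no principal
}
```

The last branch is the situation the ticket describes: with authenticators loaded but not required, a {{RESERVE}} can be admitted with no principal to record, so the later {{UNRESERVE}} has nothing to authorize against.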