[ https://issues.apache.org/jira/browse/MESOS-7203?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Greg Mann updated MESOS-7203: ----------------------------- Description: The current HTTP authentication implementation in Mesos makes it difficult to properly authorize some operations when authentication is not enabled. The {{UNRESERVE}} and {{DESTROY}} operations use a {{principal}} field stored in {{ReservationInfo}}/{{DiskInfo}} for authorization. This means that in order to authorize properly, the principal responsible for the reservation/volume must be available when the {{RESERVE}}/{{CREATE}} operation is performed. However, if HTTP authentication is not enabled, then operators are not able to provide a principal. In order to resolve this issue, a new {{\-\-require_http_authentication}} field could be added. This flag would complement the {{\-\-http_authenticators}} flag. The new behavior would be as follows: * If {{\-\-http_authenticators}} is set but {{\-\-require_http_authentication}} is not set, the authenticators would be loaded as specified, but unauthenticated requests would be permitted. In the case of an HTTP request containing an {{Authorization}} header, the header would be used to construct a {{Principal}} to be passed to the handlers. * If {{\-\-http_authenticators}} is set and {{\-\-require_http_authentication}} is also set, the {{Principal}} would be extracted and passed to handlers as before, but all requests without an authenticated principal would be rejected. was: The current HTTP authentication implementation in Mesos makes it difficult to properly authorize some operations when authentication is not enabled. The {{UNRESERVE}} and {{DESTROY}} operations use a {{principal}} field stored in {{ReservationInfo}}/{{DiskInfo}} for authorization. This means that in order to authorize properly, the principal responsible for the reservation/volume must be available when the {{RESERVE}}/{{CREATE}} operation is performed. However, if HTTP authentication is not enabled, then operators are not able to provide a principal. In order to resolve this issue, a new {{--require_http_authentication}} field could be added. This flag would complement the {{--http_authenticators}} flag. The new behavior would be as follows: * If {{--http_authenticators}} is set but {{--require_http_authentication}} is not set, the authenticators would be loaded as specified, but unauthenticated requests would be permitted. In the case of an HTTP request containing an {{Authorization}} header, the header would be used to construct a {{Principal}} to be passed to the handlers. * If {{--http_authenticators}} is set and {{--require_http_authentication}} is also set, the {{Principal}} would be extracted and passed to handlers as before, but all requests without an authenticated principal would be rejected. > Add a '--require_http_authentication' flag > ------------------------------------------ > > Key: MESOS-7203 > URL: https://issues.apache.org/jira/browse/MESOS-7203 > Project: Mesos > Issue Type: Improvement > Components: security > Reporter: Greg Mann > Labels: authentication, http, mesosphere > > The current HTTP authentication implementation in Mesos makes it difficult to > properly authorize some operations when authentication is not enabled. The > {{UNRESERVE}} and {{DESTROY}} operations use a {{principal}} field stored in > {{ReservationInfo}}/{{DiskInfo}} for authorization. This means that in order > to authorize properly, the principal responsible for the reservation/volume > must be available when the {{RESERVE}}/{{CREATE}} operation is performed. > However, if HTTP authentication is not enabled, then operators are not able > to provide a principal. > In order to resolve this issue, a new {{\-\-require_http_authentication}} > field could be added. This flag would complement the > {{\-\-http_authenticators}} flag. The new behavior would be as follows: > * If {{\-\-http_authenticators}} is set but > {{\-\-require_http_authentication}} is not set, the authenticators would be > loaded as specified, but unauthenticated requests would be permitted. In the > case of an HTTP request containing an {{Authorization}} header, the header > would be used to construct a {{Principal}} to be passed to the handlers. > * If {{\-\-http_authenticators}} is set and > {{\-\-require_http_authentication}} is also set, the {{Principal}} would be > extracted and passed to handlers as before, but all requests without an > authenticated principal would be rejected. -- This message was sent by Atlassian JIRA (v6.3.15#6346)