[
https://issues.apache.org/jira/browse/MESOS-7203?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Greg Mann updated MESOS-7203:
-----------------------------
Description:
The current HTTP authentication implementation in Mesos makes it difficult to
properly authorize some operations when authentication is not enabled. The
{{UNRESERVE}} and {{DESTROY}} operations use a {{principal}} field stored in
{{ReservationInfo}}/{{DiskInfo}} for authorization. This means that in order to
authorize properly, the principal responsible for the reservation/volume must
be available when the {{RESERVE}}/{{CREATE}} operation is performed. However,
if HTTP authentication is not enabled, then operators are not able to provide a
principal.
In order to resolve this issue, a new {{\-\-require_http_authentication}} field
could be added. This flag would complement the {{\-\-http_authenticators}}
flag. The new behavior would be as follows:
* If {{\-\-http_authenticators}} is set but {{\-\-require_http_authentication}}
is not set, the authenticators would be loaded as specified, but
unauthenticated requests would be permitted. In the case of an HTTP request
containing an {{Authorization}} header, the header would be used to construct a
{{Principal}} to be passed to the handlers.
* If {{\-\-http_authenticators}} is set and {{\-\-require_http_authentication}}
is also set, the {{Principal}} would be extracted and passed to handlers as
before, but all requests without an authenticated principal would be rejected.
was:
The current HTTP authentication implementation in Mesos makes it difficult to
properly authorize some operations when authentication is not enabled. The
{{UNRESERVE}} and {{DESTROY}} operations use a {{principal}} field stored in
{{ReservationInfo}}/{{DiskInfo}} for authorization. This means that in order to
authorize properly, the principal responsible for the reservation/volume must
be available when the {{RESERVE}}/{{CREATE}} operation is performed. However,
if HTTP authentication is not enabled, then operators are not able to provide a
principal.
In order to resolve this issue, a new {{--require_http_authentication}} field
could be added. This flag would complement the {{--http_authenticators}} flag.
The new behavior would be as follows:
* If {{--http_authenticators}} is set but {{--require_http_authentication}} is
not set, the authenticators would be loaded as specified, but unauthenticated
requests would be permitted. In the case of an HTTP request containing an
{{Authorization}} header, the header would be used to construct a {{Principal}}
to be passed to the handlers.
* If {{--http_authenticators}} is set and {{--require_http_authentication}} is
also set, the {{Principal}} would be extracted and passed to handlers as
before, but all requests without an authenticated principal would be rejected.
> Add a '--require_http_authentication' flag
> ------------------------------------------
>
> Key: MESOS-7203
> URL: https://issues.apache.org/jira/browse/MESOS-7203
> Project: Mesos
> Issue Type: Improvement
> Components: security
> Reporter: Greg Mann
> Labels: authentication, http, mesosphere
>
> The current HTTP authentication implementation in Mesos makes it difficult to
> properly authorize some operations when authentication is not enabled. The
> {{UNRESERVE}} and {{DESTROY}} operations use a {{principal}} field stored in
> {{ReservationInfo}}/{{DiskInfo}} for authorization. This means that in order
> to authorize properly, the principal responsible for the reservation/volume
> must be available when the {{RESERVE}}/{{CREATE}} operation is performed.
> However, if HTTP authentication is not enabled, then operators are not able
> to provide a principal.
> In order to resolve this issue, a new {{\-\-require_http_authentication}}
> field could be added. This flag would complement the
> {{\-\-http_authenticators}} flag. The new behavior would be as follows:
> * If {{\-\-http_authenticators}} is set but
> {{\-\-require_http_authentication}} is not set, the authenticators would be
> loaded as specified, but unauthenticated requests would be permitted. In the
> case of an HTTP request containing an {{Authorization}} header, the header
> would be used to construct a {{Principal}} to be passed to the handlers.
> * If {{\-\-http_authenticators}} is set and
> {{\-\-require_http_authentication}} is also set, the {{Principal}} would be
> extracted and passed to handlers as before, but all requests without an
> authenticated principal would be rejected.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
