CVE-2018-8023: A remote attacker can exploit a vulnerability in the JWT implementation to gain unauthenticated access to Mesos Executor HTTP API.

Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Mesos 1.4.0 to 1.6.0 The unsupported Apache Mesos pre-1.4.0 releases may be also affected. Description: Apache Mesos can be configured to require authentication to call the Executor HTTP API using JSON Web

Re: Subscribe to an active framework through HTTP API Scheduler

es...@piksel.com> wrote: >> >>> Hi, >>> >>> >>> We have a framework with some tasks that we would like to kill but not >>> all framework (teardown), so we would like to use the kill method of the >>> http api scheduler, the proble

Re: Subscribe to an active framework through HTTP API Scheduler

el.montes...@piksel.com> wrote: > >> Hi, >> >> >> We have a framework with some tasks that we would like to kill but not >> all framework (teardown), so we would like to use the kill method of the >> http api scheduler, the problem is that is needed to be

Re: Subscribe to an active framework through HTTP API Scheduler

el.montes...@piksel.com> wrote: > Hi, > > > We have a framework with some tasks that we would like to kill but not all > framework (teardown), so we would like to use the kill method of the http > api scheduler, the problem is that is needed to be suscribed. Creating a > new

Subscribe to an active framework through HTTP API Scheduler

Hi, We have a framework with some tasks that we would like to kill but not all framework (teardown), so we would like to use the kill method of the http api scheduler, the problem is that is needed to be suscribed. Creating a new framework in stream mode and executing the kill method it'

Re: Mesos V1 Operator HTTP API - Java Proto Classes

and > > On Wed, Nov 16, 2016 at 8:34 AM, Zameer Manji wrote: > > > I think this is a bug, I feel the jar should include all v1 protobuf > files. > > > > Vijay, I encourage you to file a ticket. > > > > On Tue, Nov 15, 2016 at 8:04 PM, Vijay Srinivasaraghavan

Re: Mesos V1 Operator HTTP API - Java Proto Classes

8:04 PM, Vijay Srinivasaraghavan < > vijikar...@yahoo.com.invalid> wrote: > >> I believe the HTTP API will use the same underlying message format (proto >> def) and hence the request/response value objects (java) needs to be >> auto-generated from the proto files for it t

Re: Mesos V1 Operator HTTP API - Java Proto Classes

On Tue, Nov 15, 2016 at 8:04 PM, Vijay Srinivasaraghavan < > vijikar...@yahoo.com.invalid> wrote: > >> I believe the HTTP API will use the same underlying message format (proto >> def) and hence the request/response value objects (java) needs to be >> auto-generated fro

Re: Mesos V1 Operator HTTP API - Java Proto Classes

I think this is a bug, I feel the jar should include all v1 protobuf files. Vijay, I encourage you to file a ticket. On Tue, Nov 15, 2016 at 8:04 PM, Vijay Srinivasaraghavan < vijikar...@yahoo.com.invalid> wrote: > I believe the HTTP API will use the same underlying message format (pr

Re: Mesos V1 Operator HTTP API - Java Proto Classes

I believe the HTTP API will use the same underlying message format (proto def) and hence the request/response value objects (java) needs to be auto-generated from the proto files for it to be used in Jersey based java rest client?   On Tuesday, November 15, 2016 12:37 PM, Tomek Janiszewski

Re: Mesos V1 Operator HTTP API - Java Proto Classes

I suspect jar is deprecated and includes only old API used by mesoslib. The goal is to create HTTP API and stop supporting native libs (jars, so, etc). I think you shouldn't use that jar in your project. wt., 15.11.2016, 20:38 użytkownik Vijay Srinivasaraghavan < vijikar...@yahoo.com&

Mesos V1 Operator HTTP API - Java Proto Classes

Hello, I am writing a rest client for "operator APIs" and found that some of the protobuf java classes (like "include/mesos/v1/quota/quota.proto", "include/mesos/v1/master/master.proto") are not included in the mesos jar file. While investigating, I have found that the "Make" file does not inclu

Re: Debugging Scheduler HTTP API Failures

PM, Dario Rexin wrote: >>> >>>> Oh, sorry, I didn't see you actually set the header (wall of text ;) ). >>>> That's an interesting issue, do you set the header case sensitive? I know >>>> headers shouldn't be case sensitive, but mayb

Re: Debugging Scheduler HTTP API Failures

t;mailto:dre...@apple.com>> wrote: >>> Oh, sorry, I didn't see you actually set the header (wall of text ;) ). >>> That's an interesting issue, do you set the header case sensitive? I know >>> headers shouldn't be case sensitive, but maybe there's

Re: Debugging Scheduler HTTP API Failures

sorry, I didn't see you actually set the header (wall of text ;) ). >>> That's an interesting issue, do you set the header case sensitive? I know >>> headers shouldn't be case sensitive, but maybe there's a bug in the Mesos >>> code. I have not seen this is

Re: Debugging Scheduler HTTP API Failures

7;s an interesting issue, do you set the header case sensitive? I know >> headers shouldn't be case sensitive, but maybe there's a bug in the Mesos >> code. I have not seen this issue before. >> >> On Aug 14, 2016, at 5:58 PM, Zameer Manji > <mailto:zm

Re: Debugging Scheduler HTTP API Failures

ing issue, do you set the header case sensitive? I know >> headers shouldn't be case sensitive, but maybe there's a bug in the Mesos >> code. I have not seen this issue before. >> >> On Aug 14, 2016, at 5:58 PM, Zameer Manji wrote: >> >> Hey, >> >

Re: Debugging Scheduler HTTP API Failures

all of text ;) ). > That's an interesting issue, do you set the header case sensitive? I know > headers shouldn't be case sensitive, but maybe there's a bug in the Mesos > code. I have not seen this issue before. > > On Aug 14, 2016, at 5:58 PM, Zameer Manji <m

Re: Debugging Scheduler HTTP API Failures

's a bug in the Mesos > code. I have not seen this issue before. > > On Aug 14, 2016, at 5:58 PM, Zameer Manji wrote: > > Hey, > > I'm using the Mesos HTTP API for the first time. I am currently > encountering an issue where after a successful SUBSCRIBE call and

Re: Debugging Scheduler HTTP API Failures

ug 14, 2016, at 5:58 PM, Zameer Manji wrote: > > Hey, > > I'm using the Mesos HTTP API for the first time. I am currently encountering > an issue where after a successful SUBSCRIBE call and receiving a SUBSCRIBED > and HEARTBEAT event, a subsequent TEARDOWN call fails wit

Re: Debugging Scheduler HTTP API Failures

> I'm using the Mesos HTTP API for the first time. I am currently encountering > an issue where after a successful SUBSCRIBE call and receiving a SUBSCRIBED > and HEARTBEAT event, a subsequent TEARDOWN call fails with HTTP 400 with a > message of "The stream ID include

Debugging Scheduler HTTP API Failures

Hey, I'm using the Mesos HTTP API for the first time. I am currently encountering an issue where after a successful SUBSCRIBE call and receiving a SUBSCRIBED and HEARTBEAT event, a subsequent TEARDOWN call fails with HTTP 400 with a message of "The stream ID included in this request di

[HTTP API] Client Libraries

Hi, We recently committed documentation around available client libraries for the Scheduler /Executor HTTP API’s. Link to doc: https://github.com/a

Re: Documentation for ACCEPT HTTP API

- the list Hi Giulio, You probably remember me, I used to work with Predrag and Jakob and we met when BenH was at CERN. Please let me know how it goes with using HTTP API. The documentation is indeed rough on edges so I am not surprised you're having questions. I'll be happy to setu

Re: Documentation for ACCEPT HTTP API

running in one evening. > > However, if you look at the scheduler-http-api page, you will see that the > documentation for the "ACCEPT" message is completely lacking the description > of what should go into the "operations" field of the JSON payload, unless I > am

Re: Documentation for ACCEPT HTTP API

Dear Jay, thank you for your reply. Yes, I am aware of those pages and that's what I used so far. As I said, they are actually quite clear and allowed me to get a simple "reject all offers" framework up and running in one evening. However, if you look at the scheduler-http-api

Re: Documentation for ACCEPT HTTP API

Hi Giulio,   For scheduler/executor HTTP API, please refer to: http://mesos.apache.org/documentation/latest/scheduler-http-api/ http://mesos.apache.org/documentation/latest/executor-http-api/   If you find anything missing there, let us know.   Also, we are working on Operator HTTP API

Documentation for ACCEPT HTTP API

Dear all, I've started writing a simple framework using node.js and the HTTP Scheduler API. I've managed to subscribe to the event stream, parse messages and decline offers quite easily, however I'm having a bit of trouble accepting the offers and launching tasks, since I cannot find any complete

Re: Are you using New HTTP API Yet ?

9> to address this. > > Since you guys code in Scala, you might want to have a look at Mesos > RxJava: https://github.com/mesosphere/mesos-rxjava > > -anand > > On May 19, 2016, at 1:40 PM, Chris Baker wrote: > > We are moving one of our frameworks to using the HTTP API. We

Re: Are you using New HTTP API Yet ?

/mesos-rxjava <https://github.com/mesosphere/mesos-rxjava> -anand > On May 19, 2016, at 1:40 PM, Chris Baker wrote: > > We are moving one of our frameworks to using the HTTP API. We code in Scala, > and we had originally looked at using the Jesos because I had thought it w

Re: Are you using New HTTP API Yet ?

We are moving one of our frameworks to using the HTTP API. We code in Scala, and we had originally looked at using the Jesos because I had thought it was using the HTTP API, but apparently it is not. Neither is pesos (python). The only one that I've been able to find is mesos-go. Is there a

Are you using New HTTP API Yet ?

Is anyone using the new Mesos HTTP Scheduler/Executor APIs to create frameworks? If so: - what language ? - are you using an existing binding as API wrapper (whichh one) ? - or using your own custom built API wrapper ? - do you prefer old bindings vs newer http-based api ? - any links discussing ab

Re: HTTP API

is willing to help, please reach out to me. I promise to give you my time and shepherd your contributions. Thanks, On Wed, Mar 16, 2016 at 1:38 PM, Zameer Manji wrote: > +1 > > I am also interested in knowing the state of the HTTP API. I have heard > that it stabilizing the API m

Re: HTTP API

Zameer, In case you haven't seen this already, there is already a Java-based scheduler driver for the HTTP API here: https://github.com/mesosphere/mesos-rxjava On Thu, Mar 17, 2016 at 5:26 PM, Zameer Manji wrote: > > On Thu, Mar 17, 2016 at 10:03 AM, Vinod Kone wrote: > >

Re: HTTP API

Aurora, I am interested in removing the dependency in libmesos and creating a Java Scheduler Driver that communicates with the HTTP API. However, it only seems worthwhile to do once the API has stabilized. I'll wait for the API to be finalized and then assess what work needs to be done

Re: HTTP API

+1 I am also interested in knowing the state of the HTTP API. I have heard that it stabilizing the API might be tied with Mesos 1.0 but I don't have a source for that. Can a PMC member comment on what the plan is? On Mon, Mar 14, 2016 at 2:30 PM, Dario Rexin wrote: > Hi all, >

HTTP API

Hi all, since the introduction of the HTTP API in 0.24 around 7.5 months have passed. What are the plans to make this API stable? There are already features (inverse offers) that are exclusively available through this API, so it would be great to have a timeline, as I think for most people

Design doc for HTTP API versioning

Hi folks, As part of our effort to introduce a new HTTP API <https://issues.apache.org/jira/browse/MESOS-2288> for Mesos, we have also started to formulate a plan for how we want to version our API. The design doc for the versioning is here <https://docs.google.com/doc

Re: Design doc for Mesos HTTP API

Hi Tom, If the initial subscription HTTP connection fails the scheduler will not be 'subscribed' ( or its old equivalent : 'registered' ) so it won't be possible to continue making other POST requests. Please refer to the disconnections part of the doc for more details on already 'subscribed' sche

Re: Design doc for Mesos HTTP API

On Fri, May 1, 2015 at 2:23 AM, Tom Arnfeld wrote: > Q: Could you explain in a little detail why the decision was made to use a > single HTTP endpoint rather than something like */event* (for the stream) > and */call* for making calls? It seems a little strange / contrived to me > that the differ

Re: Design doc for Mesos HTTP API

Thanks for sharing this Vinod, very clear and useful document! Q: Could you explain in a little detail why the decision was made to use a single HTTP endpoint rather than something like /event (for the stream) and /call for making calls? It seems a little strange / contrived to me that the d

Re: Design doc for Mesos HTTP API

>>>> On Mon, Mar 9, 2015 at 11:43 AM, James DeFelice < >>>> james.defel...@gmail.com> wrote: >>>> >>>>> Google drive says that I need to request permission to access this. >>>>> >>>>> On Mon, Mar 9, 2

Re: Design doc for Mesos HTTP API

;>>> On Mon, Mar 9, 2015 at 11:43 AM, James DeFelice >>>> wrote: >>>> Google drive says that I need to request permission to access this. >>>> >>>>> On Mon, Mar 9, 2015 at 2:31 PM, Vinod Kone wrote: >>>>> Hi, >>>&g

Re: Design doc for Mesos HTTP API

served from the JIRA activity (MESOS-2288 >>>> <https://issues.apache.org/jira/browse/MESOS-2288>), we have embarked >>>> on the design of a new HTTP API for Mesos. The link for the design doc is >>>> here >>>> <https://docs.google.com/a/twitter

Re: Design doc for Mesos HTTP API

t permission to access this. >> >> On Mon, Mar 9, 2015 at 2:31 PM, Vinod Kone wrote: >> >>> Hi, >>> >>> As you might've observed from the JIRA activity (MESOS-2288 >>> <https://issues.apache.org/jira/browse/MESOS-2288>), we have

Re: Design doc for Mesos HTTP API

Google drive says that I need to request permission to access this. On Mon, Mar 9, 2015 at 2:31 PM, Vinod Kone wrote: > Hi, > > As you might've observed from the JIRA activity (MESOS-2288 > <https://issues.apache.org/jira/browse/MESOS-2288>), we have embarked on > th

Design doc for Mesos HTTP API

Hi, As you might've observed from the JIRA activity (MESOS-2288 <https://issues.apache.org/jira/browse/MESOS-2288>), we have embarked on the design of a new HTTP API for Mesos. The link for the design doc is here <https://docs.google.com/a/twitter.