Allow internal access to admin router without auth

Description

In brave new DCOS it's impossible to call admin router from a slave/agent unless you provide an auth token.

Using admin router to access service APIs is an important method of service discovery.

e.g. cassandra
curl http://leader.mesos/service/cassandra/v1/nodes/connect

e.g. Kafka
curl http://leader.mesos/service/cassandra/v1/connection

example use case 1:
I use Spark with the Cassandra driver. The Cassandra driver needs 1 (or more) Cassandra addresses (ip:port) to bootstrap itself. How am I supposed to get this? Querying the above API is a good solution.

example use case 2:
I have an app that writes to Kafka. My app needs 1 (or more) Kafka broker addresses (ip:port) to bootstrap itself. How am I supposed to get this? Querying the above API is a good solution.

It's not practical or particularly good for security if I have to give every app an auth token to use the above APIs.

To allow internal calls to admin router I suggest having the option of running admin router without the auth layer on a separate port that is not accessible (i.e. using firewall restrictions) from outside the cluster.

Activity

Cody Maloney
May 17, 2016, 10:29 PM

You could disable the auth altogether if you want to do this currently.

From a practical point of view, access to AdminRouter (even internally) allows you to do absolutely anything with the cluster. As AdminRouter becomes a more trusted entity (permissions to do things which require auth, and the cluster gets more auth), it becomes more critical that AdminRouter be locked down.

We really want to cut off the attack vector of:
A user gets a shell on a box anywhere in the cluster (using some exploit of the software). Noticing it is a DC/OS install, they get a simple curl / wget available to their shell. They then send HTTP requests to AdminRouter to install new services, add / remove users, etc. They are superusers.

Won't Do

Assignee

Albert Strasheim
