Allow internal access to admin router without auth

Description

In brave new DCOS it's impossible to call admin router from a slave/agent unless you provide an auth token.

Using admin router to access service APIs is an important method of service discovery.

e.g. Cassandra
curl http://leader.mesos/service/cassandra/v1/nodes/connect

e.g. Kafka
curl http://leader.mesos/service/cassandra/v1/connection

Example use case 1:
I use Spark with the Cassandra driver. The Cassandra driver needs 1 (or more) Cassandra addresses (ip:port) to bootstrap itself. How am I supposed to get this? Querying the above API is a good solution.

Example use case 2:
I have an app that writes to Kafka. My app needs 1 (or more) Kafka broker addresses (ip:port) to bootstrap itself. How am I supposed to get this? Querying the above API is a good solution.

It's not practical or particularly good for security if I have to give every app an auth token to use the above APIs.

To allow internal calls to admin router I suggest having the option of running admin router without the auth layer on a separate port that is not accessible (i.e. using firewall restrictions) from outside the cluster.

Assignee

Albert Strasheim