Details

      Description

      (Tests done in 1.4.3)

      Currently /v2/info leaks the credentials used by Marathon to get read access to /mesos.

      It's not critical for those who have separate credentials for /marathon and /mesos, but in any case I guess that, since it is not used by anyone (UI, DC/OS?), it should not be present.

      Since the UI actively uses /v2/info, it's not possible to simply restrict the access through a reverse-proxy.

      Here is the pointer in the codebase:
      https://github.com/mesosphere/marathon/blob/master/src/main/scala/mesosphere/marathon/api/v2/InfoResource.scala#L30
      Compared to: https://github.com/mesosphere/marathon/blob/master/src/main/scala/mesosphere/marathon/api/v2/InfoResource.scala#L53
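      The following is an added example for checking a Marathon instance for the leak described above and for redacting it at a reverse proxy that still has to serve /v2/info to the UI. It is not Marathon's own code and not part of the report. The field names in the constructed sample (marathon_config, mesos_authentication_principal, mesos_authentication_secret, mesos_authentication_secret_file) are assumptions modelled on Marathon's configuration-flag naming; compare them against what your version actually returns.

```python
"""Scan a Marathon /v2/info body for leaked Mesos credentials and redact them.

Added example, not Marathon's code.  The key names used in SAMPLE_INFO are
assumptions about the /v2/info layout; the detection does not depend on them
because it matches on credential-like key names and on a known secret value.
"""
import json
import re
import urllib.request
from typing import Any, Dict, Iterable, Iterator, List, Optional, Tuple

# Key names whose string values should never appear in an unauthenticated
# API response.  Keys ending in _file/_path hold a local path, not the secret
# itself, and are deliberately not flagged.
SECRET_KEY_RE = re.compile(r"secret|password|passwd|token|credential", re.IGNORECASE)

# Constructed sample of a /v2/info body (not captured from a real cluster;
# the marathon_config key names are assumptions).
SAMPLE_INFO: Dict[str, Any] = json.loads("""
{
  "name": "marathon",
  "version": "1.4.3",
  "leader": "10.0.0.5:8080",
  "marathon_config": {
    "master": "zk://10.0.0.5:2181/mesos",
    "mesos_authentication_principal": "marathon",
    "mesos_authentication_secret": "s3cr3t-mesos-pass",
    "mesos_authentication_secret_file": "/etc/marathon/mesos-secret"
  },
  "zookeeper_config": {"zk": "zk://10.0.0.5:2181/marathon"}
}
""")


def _leaves(node: Any, path: str = "$", key: Optional[str] = None) -> Iterator[Tuple[str, Optional[str], Any]]:
    """Yield (json_path, enclosing_dict_key, value) for every scalar in the document."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _leaves(v, f"{path}.{k}", k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _leaves(v, f"{path}[{i}]", key)
    else:
        yield path, key, node


def _leak_reason(key: Optional[str], value: Any, known_secrets: Iterable[str]) -> Optional[str]:
    """Return why a leaf counts as a leak, or None if it is harmless."""
    if not isinstance(value, str) or not value:
        return None
    # A known secret under an innocuous key is the worst case, so check it first.
    if value in known_secrets:
        return "value matches a known Mesos secret"
    if key and SECRET_KEY_RE.search(key) and not key.endswith(("_file", "_path")):
        return "key name looks sensitive"
    return None


def find_leaks(info: Dict[str, Any], known_secrets: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """List (json_path, reason) for every credential-looking leaf in a /v2/info body."""
    secrets = tuple(known_secrets)
    return [(path, reason)
            for path, key, value in _leaves(info)
            if (reason := _leak_reason(key, value, secrets)) is not None]


def redact(info: Dict[str, Any], known_secrets: Iterable[str] = ()) -> Dict[str, Any]:
    """Return a copy of the body with leaked values replaced, suitable for a
    proxy that must keep serving /v2/info to the UI."""
    secrets = tuple(known_secrets)

    def _node(node: Any, key: Optional[str]) -> Any:
        if isinstance(node, dict):
            return {k: _node(v, k) for k, v in node.items()}
        if isinstance(node, list):
            return [_node(v, key) for v in node]
        return "<redacted>" if _leak_reason(key, node, secrets) else node

    return _node(info, None)


def fetch_info(base_url: str, timeout: float = 5.0) -> Dict[str, Any]:
    """Live check against a running Marathon (not used by the offline sample)."""
    with urllib.request.urlopen(f"{base_url.rstrip('/')}/v2/info", timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Pass the secret from your --mesos_authentication_secret_file as known_secrets
    # so the scan also catches it if it is returned under an unexpected key.
    for path, reason in find_leaks(SAMPLE_INFO, known_secrets=("s3cr3t-mesos-pass",)):
        print(f"LEAK {path}: {reason}")
    print(json.dumps(redact(SAMPLE_INFO), indent=2))
```

      Against a live instance, replace SAMPLE_INFO with fetch_info("http://marathon.example:8080") and feed the real Mesos secret as known_secrets; an empty result from find_leaks on a version that still exposes the value means the key names differ from the assumptions above, not that the leak is gone.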

            People

            • Assignee:
              tharper Tim Harper
              Reporter:
              pierrecdn Pierre C.
              Team:
              Orchestration Team
              Watchers:
              Jan-Philip Gehrcke, Ken Sipe, Mergebot, Pierre C., Tim Harper