  2. MESOS-8413

Zookeeper configuration passwords are shown in clear text


Details

    • Mesosphere Sprint 72

    Description

      No matter how one configures Mesos, either by passing the ZooKeeper URL (including its credentials) in the --zk flag on the command line or by pointing --zk at a file that contains it, as follows:

      # Variant 1: the ZooKeeper URL, including username and password, is passed
      # directly as the value of --zk on the command line.
      ./bin/mesos-master.sh --work_dir=/tmp/$USER/mesos/master --log_dir=/tmp/$USER/mesos/master/log --zk=zk://${zk_username}:${zk_password}@${zk_addr}/mesos --quorum=1
      
      # Variant 2: the same URL is first written to a file and --zk is given the
      # file path instead. Per the report, the master still resolves the file and
      # prints its contents in the startup log and in the /flags response.
      # NOTE(review): this file holds the password in clear text; confirm its
      # permissions restrict it to the account that runs the master.
      echo "zk://${zk_username}:${zk_password}@${zk_addr}/mesos" > /tmp/${USER}/mesos/zk_config.txt
      ./bin/mesos-master.sh --work_dir=/tmp/$USER/mesos/master --log_dir=/tmp/$USER/mesos/master/log --zk=/tmp/${USER}/mesos/zk_config.txt
      

      in both cases the startup log and the response of the /flags endpoint show the resolved contents of the flags, including the ZooKeeper credentials in --zk, i.e.:

      I0108 10:12:50.387522 28579 master.cpp:458] Flags at startup: --agent_ping_timeout="15secs" --agent_reregister_timeout="10mins" --allocation_interval="1secs" --allocator="HierarchicalDRF" --authenticate_agents="false" --authenticate_frameworks="false" --authenticate_http_frameworks="false" --authenticate_http_readonly="false" --authenticate_http_readwrite="false" --authenticators="crammd5" --authorizers="local" --filter_gpu_resources="true" --framework_sorter="drf" --help="false" --hostname_lookup="true" --http_authenticators="basic" --initialize_driver_logging="true" --log_auto_initialize="true" --log_dir="/tmp/user/mesos/master/log" --logbufsecs="0" --logging_level="INFO" --max_agent_ping_timeouts="5" --max_completed_frameworks="50" --max_completed_tasks_per_framework="1000" --max_unreachable_tasks_per_framework="1000" --port="5050" --quiet="false" --quorum="1" --recovery_agent_removal_limit="100%" --registry="replicated_log" --registry_fetch_timeout="1mins" --registry_gc_interval="15mins" --registry_max_agent_age="2weeks" --registry_max_agent_count="102400" --registry_store_timeout="20secs" --registry_strict="false" --require_agent_domain="false" --root_submissions="true" --user_sorter="drf" --version="false" --webui_dir="/home/user/mesos/build/../src/webui" --work_dir="/tmp/user/mesos/master" --zk="zk://user@passwd:127.0.0.1:2181/mesos" --zk_session_timeout="10secs"
      
      HTTP/1.1 200 OK
      Content-Encoding: gzip
      Content-Length: 591
      Content-Type: application/json
      Date: Mon, 08 Jan 2018 15:12:53 GMT
      
      {
          "flags": {
              "agent_ping_timeout": "15secs",
              "agent_reregister_timeout": "10mins",
              "allocation_interval": "1secs",
              "allocator": "HierarchicalDRF",
              "authenticate_agents": "false",
              "authenticate_frameworks": "false",
              "authenticate_http_frameworks": "false",
              "authenticate_http_readonly": "false",
              "authenticate_http_readwrite": "false",
              "authenticators": "crammd5",
              "authorizers": "local",
              "filter_gpu_resources": "true",
              "framework_sorter": "drf",
              "help": "false",
              "hostname_lookup": "true",
              "http_authenticators": "basic",
              "initialize_driver_logging": "true",
              "log_auto_initialize": "true",
              "log_dir": "/tmp/user/mesos/master/log",
              "logbufsecs": "0",
              "logging_level": "INFO",
              "max_agent_ping_timeouts": "5",
              "max_completed_frameworks": "50",
              "max_completed_tasks_per_framework": "1000",
              "max_unreachable_tasks_per_framework": "1000",
              "port": "5050",
              "quiet": "false",
              "quorum": "1",
              "recovery_agent_removal_limit": "100%",
              "registry": "replicated_log",
              "registry_fetch_timeout": "1mins",
              "registry_gc_interval": "15mins",
              "registry_max_agent_age": "2weeks",
              "registry_max_agent_count": "102400",
              "registry_store_timeout": "20secs",
              "registry_strict": "false",
              "require_agent_domain": "false",
              "root_submissions": "true",
              "user_sorter": "drf",
              "version": "false",
              "webui_dir": "/home/user/mesos/build/../src/webui",
              "work_dir": "/tmp/user/mesos/master",
              "zk": "zk://user@passwd:127.0.0.1:2181/mesos",
              "zk_session_timeout": "10secs"
          }
      }
      

      As a result, there is no effective way to prevent the passwords from being shown to anyone who can get access to either of the above (the logs or the /flags endpoint).


            People

              arojas Alexander Rojas
              arojas Alexander Rojas
              Greg Mann Greg Mann