Some Thoughts on Mesos' Security

Deck today for everyone to hold the content, is a security issue about Mesos . The problem can be said to be a common problem with the current container management tool in the industry. Mesos's team is already trying to solve it. So before the formal solution comes out, we can have a way to avoid it – see how the author thinks about it of.

The author has been studying Mesos for a long time, and in most cases, the process of growing the whole ecosystem around Mesos is enjoyed. It is a very cool thing to manage the server on a large platform for application (or micro service) delivery. While there are some learning curves, Mesos is a very good application configuration tool, and it can be seen as a unified architecture for scale expansion and application management.

But every technology has its own shortcomings and problems, we must be honest and open to be treated in order to make it better applied to enterprise production. Mesos is no exception.

Authentication, open or off

Most open source projects start like this: "If we do X, Y and Z, then we can do this cool thing!" And then only consider the target user's security needs, which is their common problem The The Mesos team has embarked on a road of security from (or optional) to enterprise-class security, but there are still some things that can be considered at this stage, making Mesos more secure.

"For users who do not have authentication, we do not want to break their clusters at the time of the upgrade," said Ben Hindman, Father of Mesos. "Authentication will allow the application framework to be upgraded with enough time. When the application framework can be authenticated and other application frameworks do not support this upgrade path, we have opened a hybrid model to deal with.

Mesos now install the default is not the application framework of the authentication, there is no restrictions can see which application framework. If you use the command line switch, you can modify this default behavior, but the application framework is still open by default. The purpose of this article is to urge everyone to use the command line switch as much as possible in the environment.

The industry standard and Mesos' approach are exactly the opposite – providing a closed security option – but by default it is open. While this would make the initial deployment even more difficult, it was exactly what Mesos needed (from Ben's comments that they might be trying to do).

Mesos' core security issues

The following are some of the core issues:

  1. By default, Mesos allows no authentication. Often, some forms of authentication are needed. More and more OAuth access control is used. See also Stormpath or DigitalOcean such API certification programs.
  2. Mesos uses the "role" to determine which application framework accesses the resource. By default, the application framework can be registered as any role.
  3. Persistent disks (such as databases or contract directories) can be allocated by Mesos. Access is controlled by the role qualifier (the closest point in the historical version) so that they can be used for multiple applications on multiple application frameworks. This also allows an arbitrary and accessible application framework to have the same role as the application framework can be accessed.
  4. Mesos can allocate agents to the nodes in the cluster through mesos fetc as needed. So the distribution of the agent will be a limiting factor in this weakness, which is actually quite simple – an application framework can ask its agent to download to any server in the cluster.
  5. Public application framework development framework.

So Mesos default installation, any machine can click the application framework of the REST API, I can register a framework for their own application architecture. The Mesos system automatically approves the registration, so there is no staff involved in the decision; registration (also called: scheduler subscription) means that no authorization will be approved, and will return to registration information. Considering the low frequency of adding an application framework, this should be a decision-making office with a staff involvement. Note that the earlier application framework developed using libmesos so it could abuse this default, but it was more difficult and therefore less likely to be exploited. The new application framework can apply for the presence of other application framework role, then just wait for Mesos to pass me the right resources, you can access these static resources. These resources may contain any persistent storage disks that are assigned to this role, and can be read and written (because the current Mesos only supports reading and writing).

Again, this is a known problem, the Mesos team is fixing it. But now, users need to decide according to their own environment need to achieve their own.

The solution

The solution is also very simple, there is a command line option to open the application framework authentication, which type of application framework to limit the use of which role. But they need to be turned on – they are all closed by default – to observe the Mesos cluster log, no display application framework registration is the default login settings to log in. Note that role management is an additional overhead, but the application framework is not a big security burden unless you frequently add / remove application frameworks (very unlikely) from the system. The reason why the system is currently designed is that some application framework does not support authentication, so it is necessary to test this function before opening the production environment.

Is the risk of this problem big? Frankly, it depends on the realization process. If the Mesos problem cluster places sensitive information on a persistent storage disk, the risk may be high. If the problem cluster does not do so, there is still a risk of architectural design and a lack of authentication, but the available data – how to protect it outside of Mesos – determines what kind of attack it will suffer. The ability to modify the configuration parameters that run the application is more considerable; HTTP individual redirects can also be cumbersome.

to sum up

In short, the existence of this transition period, let us more aware of the importance of Mesos security, because a failure to comply with the norms of practice, so that other parts of the project by similar security design decisions, it is now in repair Authentication this question.

Because it is different stages of the process, so the realization of almost always and research to explore a different information or problems. There are time to do a few application framework, the information will be upgraded, with a "normal" and an "attacker" to test. In the case of safety, it is best to have a thorough examination of the problem in the case of sufficient documentation, but I have chosen to inform the community before preparing evidence that may be very long.

The significance of this article is to help you use Mesos when you get rid of those known pit, it is recommended that you use the "command line" switch, read the instructions to open the identity, and then achieve it. And it is recommended to limit the role, at least open the switch to validate the application framework and test whether it works in the environment. And then visit the world of Mesos, enjoy the benefits it brings.

Note: Although open source technology has such a problem, but as an excellent Mesos technology framework, those in the large-scale production cluster under the use of many well-known enterprises,
Abroad are: Airbnb, Apple, Cisco, eBay, PayPal, Time Warner Cable, Twitter, Uber, Netflix, Bloomberg, Verizon …
There are: millet, Sina microblogging, love art, where the network … …

Original link: … tions

Heads up! This alert needs your attention, but it's not super important.