Granting Access to Jobs

ENTERPRISE

Granting access to jobs using the CLI or the UI

You can implement fine-grained user access to jobs by using either the DC/OS UI, the CLI or the API. The Metronome permissions allow you to restrict a user’s access to jobs on either a per job or a per job group basis. This section walks you through the steps to accomplish this.

Prerequisites:

Via the DC/OS UI

  1. Log into the DC/OS UI as a user with the superuser permission.

    Login

    Figure 1. DC/OS UI login

  2. Select Organization and choose Users or Groups.

  3. Select the name of the user or group to grant the permission to.

    Add permission cory

    Figure 2. Choose user or group to add permissions to

  4. From the Permissions tab, click ADD PERMISSION.

  5. Click INSERT PERMISSION STRING to toggle the dialog.

    Add permission

    Figure 3. Add permissions

  6. Copy and paste the permission in the Permissions Strings field. Choose the permission strings based on your security mode.

    Permissive

    • DC/OS jobs access:

      Specify your job group (<job-group>), job name (<job-name>), and action (<action>). Actions can be either create, read, update, delete, or full. To permit more than one operation, use a comma to separate them, for example: dcos:service:metronome:metronome:jobs:<job-group>/<job-name> read,update.

      1. dcos:adminrouter:service:metronome full
      2. dcos:service:metronome:metronome:jobs:<job-group>/<job-name> <action>

    • DC/OS service tasks and logs:

      1. dcos:adminrouter:ops:mesos full
      2. dcos:adminrouter:ops:slave full
  1. ### Strict
  3. -   **DC/OS jobs access:**
  5.     Specify your job group (`<job-group>`), job name (`<job-name>`), and action (`<action>`). Actions can be either `create`, `read`, `update`, `delete`, or `full`. To permit more than one operation, use a comma to separate them, for example: `dcos:service:metronome:metronome:jobs:<job-group>/<job-name> read,update`.
  7.     ```
  8.     dcos:adminrouter:service:metronome full
  9.     dcos:service:metronome:metronome:jobs:<job-group>/<job-name> <action>
  10.     ```
  12. -   **DC/OS service tasks and logs:**
  14.     ```
  15.     dcos:adminrouter:ops:mesos full
  16.     dcos:adminrouter:ops:slave full
  17.     dcos:mesos:master:framework:role:* read
  18.     dcos:mesos:master:executor:app_id:/<job-group>/<job-name> read
  19.     dcos:mesos:master:task:app_id:/<job-group>/<job-name> read
  20.     dcos:mesos:agent:framework:role:* read
  21.     dcos:mesos:agent:executor:app_id:/<job-group>/<job-name> read
  22.     dcos:mesos:agent:task:app_id:/<job-group>/<job-name> read
  23.     dcos:mesos:agent:sandbox:app_id:/<job-group>/<job-name> read
  24.     ```
  1. Click ADD PERMISSIONS and then Close.

Via the CLI

Prerequisites:

Tips:

  • To grant permissions to a group instead of a user, replace users grant <user-name> with groups grant <gid>.

Permissive

  • DC/OS jobs access:

    1. Grant the permission to job group (<job-group>) and job name (<job-name>).

      1. dcos security org users grant <user-name> adminrouter:service:metronome full --description "Controls access to Metronome services"
      2. dcos security org users grant <user-name> service:metronome:metronome:jobs:<job-group>/<job-name> full --description "Controls access to <job-group>/<job-name>"

  • DC/OS service tasks and logs:

    1. Grant the permission to a user (<user-name>).

      1. dcos security org users grant <user-name> adminrouter:ops:mesos full --description "Grants access to the Mesos master API/UI and task details"
      2. dcos security org users grant <user-name> adminrouter:ops:slave full --description "Grants access to the Mesos agent API/UI and task details such as logs"

Strict

  • DC/OS jobs access:

    1. Grant the permission to job group (<job-group>) and job name (<job-name>).

      1. dcos security org users grant <user-name> adminrouter:service:metronome full --description "Controls access to Metronome services"
      2. dcos security org users grant <user-name> service:metronome:metronome:jobs:<job-group>/<job-name> full --description "Controls access to <job-group>/<job-name>"

  • DC/OS service tasks and logs:

    1. Grant the permission to the user (<user-name>) and group (<job-group>).

      1. dcos security org users grant <user-name> adminrouter:ops:mesos full --description "Grants access to the Mesos master API/UI and task details"
      2. dcos security org users grant <user-name> adminrouter:ops:slave full --description "Grants access to the Mesos agent API/UI and task details such as logs"
      3. dcos security org users grant <user-name> mesos:master:framework:role:* read --description "Controls access to frameworks registered with the Mesos default role"
      4. dcos security org users grant <user-name> mesos:master:executor:app_id:/<job-group>/<job-name> read --description "Controls access to executors running inside <job-group>/<job-name>"
      5. dcos security org users grant <user-name> mesos:master:task:app_id:/<job-group>/<job-name> read --description "Controls access to tasks running inside <job-group>/<job-name>"
      6. dcos security org users grant <user-name> mesos:agent:framework:role:* read --description "Controls access to information about frameworks registered under the Mesos default role"
      7. dcos security org users grant <user-name> mesos:agent:executor:app_id:/<job-group>/<job-name> read --description "Controls access to executors running inside <job-group>/<job-name>"
      8. dcos security org users grant <user-name> mesos:agent:task:app_id:/<job-group>/<job-name> read --description "Controls access to tasks running inside <job-group>/<job-name>"
      9. dcos security org users grant <user-name> mesos:agent:sandbox:app_id:/<gid>/ read --description "Controls access to the sandboxes of <job-group>/<job-name>"