Restricting Access to DC/OS Service Groups

ENTERPRISE

Using the DC/OS UI to achieve multi-tenancy in permissive mode

This tutorial shows how to use the DC/OS UI to implement user permissions for DC/OS services in the permissive security mode. When you are done, each user group will be able to deploy and see only its own services, giving you multi-tenancy by means of DC/OS permissions.

Prerequisites:

Create users and groups

  1. Create service groups from Services > Services > Create Group.

    Services Create Group

    Figure 1. Create Group page

    In this example a group called prod-a and a group called prod-b are created. After the groups are created you should see two folders. This is where you will deploy services for the user groups and set the permissions for each unit.

    Group folders

    Figure 2. New groups folders

  2. Create your users and groups and define the required permissions for each group.

    1. Select Organization > Users and create a new user. In this example, two users are created (Cory and Nick).

      Create user Cory

      Figure 3. Creating a new user

      When you are finished, you should see the two users.

      All users

      Figure 4. New users in Users page

      Next we will create the groups and assign permissions to the DC/OS services.

    2. Create user groups from Organization > Groups.

    3. Select New Group. In this example, two groups are created:

      • prod-a-group for managing the DC/OS services for user Cory.
      • prod-b-group for managing the DC/OS services for user Nick.

      prod-a group

      Figure 5. Creating a new group

Define the permissions

  1. Select Organization > Groups.

  2. Select the prod-a-group and select ADD PERMISSION. In this example, permissions are assigned to prod-a-group so that its members can create their own services.

  3. Select the INSERT PERMISSION STRING toggle to enter permissions in string format. Strings are case sensitive.

    All of the required permissions for each group are added here. These permissions allow the group's users to access the DC/OS cluster and deploy their own services, and they restrict each group so that its members can see only their own DC/OS services.

  4. Add each of these permissions for the prod-a-group and click Close.

    1. dcos:adminrouter:service:marathon full
    2. dcos:adminrouter:service:nginx full
    3. dcos:service:marathon:marathon:services:/prod-a full
    4. dcos:adminrouter:ops:slave full
    5. dcos:adminrouter:ops:mesos full
    6. dcos:adminrouter:package full

    prod-a-group

    Figure 6. Adding permissions for prod-a-group

    Here is what the permissions view should look like after adding:

    prod-a-group

    Figure 7. Group permissions added

  5. Add each of these permissions for the prod-b-group and click Close.

    1. dcos:adminrouter:service:marathon full
    2. dcos:adminrouter:service:nginx full
    3. dcos:service:marathon:marathon:services:/prod-b full
    4. dcos:adminrouter:ops:slave full
    5. dcos:adminrouter:ops:mesos full
    6. dcos:adminrouter:package full

    Now that the permissions are assigned to groups, you can add users to the groups to inherit the permissions.

  6. Select Organization > Users and select Cory.

  7. Select Group Membership and then type prod-a-group in the search box, then click to select.

    prod-a-group

    Figure 8. Add user to group

  8. Select Organization > Users and select Nick.

  9. Select Group Membership and then type prod-b-group in the search box, then click to select.
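The permission strings above are the whole of the tenancy boundary: the two groups differ only in the Marathon service path they hold a full permission on. The following Python module is an added example, not DC/OS code, that reproduces the tutorial's two permission lists and decides which Marathon app ids each group may deploy and which services it can see, so you can reason about the boundary before testing it in the UI. It assumes (not stated on the page) that a service permission on /prod-a covers /prod-a and every path segment under it, that matching is per path segment, and that a superuser sees everything; the app ids and the NGINX_APP_JSON fragment are constructed from the ids used later in this tutorial.

```python
"""Model of the Marathon service-group permissions from this tutorial.

Added example, not DC/OS code.  Assumptions: a 'full' permission on
dcos:service:marathon:marathon:services:/<group> covers that path and
everything under it, matched per path segment; superusers see all.
"""
import json
from dataclasses import dataclass

MARATHON_SERVICES_RID = "dcos:service:marathon:marathon:services:"

# Permission strings exactly as entered in the tutorial: "<rid> <action>".
GROUP_PERMISSIONS = {
    "prod-a-group": [
        "dcos:adminrouter:service:marathon full",
        "dcos:adminrouter:service:nginx full",
        "dcos:service:marathon:marathon:services:/prod-a full",
        "dcos:adminrouter:ops:slave full",
        "dcos:adminrouter:ops:mesos full",
        "dcos:adminrouter:package full",
    ],
    "prod-b-group": [
        "dcos:adminrouter:service:marathon full",
        "dcos:adminrouter:service:nginx full",
        "dcos:service:marathon:marathon:services:/prod-b full",
        "dcos:adminrouter:ops:slave full",
        "dcos:adminrouter:ops:mesos full",
        "dcos:adminrouter:package full",
    ],
}

# Constructed: the two app ids the tutorial deploys.
CLUSTER_APP_IDS = ["/prod-a/nginx", "/prod-b/nginx"]

# Constructed fragment of the app definition deployed later in the tutorial.
NGINX_APP_JSON = '{"id": "/prod-a/nginx", "instances": 1, "cpus": 1, "mem": 1024}'


@dataclass(frozen=True)
class Permission:
    rid: str
    action: str


def parse_permission(line):
    """Split '<rid> <action>'. Strings are case sensitive, so nothing is normalised."""
    parts = line.split()
    if len(parts) != 2:
        raise ValueError("expected '<rid> <action>', got %r" % line)
    return Permission(parts[0], parts[1])


def service_roots(group):
    """Marathon service-group paths on which the group holds a 'full' permission."""
    roots = []
    for perm in map(parse_permission, GROUP_PERMISSIONS.get(group, [])):
        if perm.rid.startswith(MARATHON_SERVICES_RID) and perm.action == "full":
            roots.append(perm.rid[len(MARATHON_SERVICES_RID):])
    return roots


def _segments(path):
    return [s for s in path.split("/") if s]


def _under(root, app_id):
    # Segment-wise comparison (assumption): /prod-a covers /prod-a/nginx
    # but must not cover /prod-ab/nginx, which a plain prefix test would.
    root_segs, app_segs = _segments(root), _segments(app_id)
    return app_segs[:len(root_segs)] == root_segs


def can_deploy(group, app_id, superuser=False):
    """True if the group may create or see a Marathon app with this id."""
    if superuser:
        return True
    return any(_under(root, app_id) for root in service_roots(group))


def visible_services(group, all_app_ids, superuser=False):
    """The subset of the cluster's apps the group's members would see."""
    return [app_id for app_id in all_app_ids if can_deploy(group, app_id, superuser)]


def check_app_definition(group, app_json):
    """Decide whether a Marathon app definition (JSON text) lies inside the group's path."""
    app = json.loads(app_json)
    app_id = app.get("id", "")
    if not app_id.startswith("/"):
        raise ValueError("Marathon app id must be an absolute path, got %r" % app_id)
    return can_deploy(group, app_id)


if __name__ == "__main__":
    for group in GROUP_PERMISSIONS:
        print(group, "sees", visible_services(group, CLUSTER_APP_IDS))
    print("superuser sees", visible_services("ops", CLUSTER_APP_IDS, superuser=True))
```

Note that only the dcos:service:marathon:marathon:services permission carries the per-group path; the ops:slave, ops:mesos and package entries are Admin Router route permissions that both groups receive identically, so the model above answers the Marathon service-path question only. The definitive check is still the one the tutorial performs: log in as each user and confirm which services the UI shows.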

Log in to the DC/OS UI as user

  1. Log in to the DC/OS UI as Cory. You can see that user Cory only has access to the Services and Catalog tabs, and Cory can only see the prod-a services.

prod-a-group

Figure 9. Restricted view

NOTE: To log out the current user, click on the user name at the top right and select Sign Out.

We will deploy an NGINX service into the prod-a service group.

  1. Select Services > Services and then click the plus sign (+) to deploy a service.

  2. Select JSON Configuration and paste in the following app definition:

    {
      "id": "/prod-a/nginx",
      "cmd": "rm -rf /usr/share/nginx/html && ln -s /mnt/mesos/sandbox/hello-nginx-master/ /usr/share/nginx/html && nginx -g 'daemon off;'",
      "instances": 1,
      "cpus": 1,
      "mem": 1024,
      "disk": 0,
      "gpus": 0,
      "fetch": [
        {
          "uri": "https://github.com/mesosphere/hello-nginx/archive/master.zip",
          "extract": true,
          "executable": false,
          "cache": false
        }
      ],
      "backoffSeconds": 1,
      "backoffFactor": 1.15,
      "maxLaunchDelaySeconds": 300,
      "container": {
        "type": "DOCKER",
        "docker": {
          "image": "nginx:1.8.1",
          "network": "BRIDGE",
          "portMappings": [
            {
              "hostPort": 0,
              "containerPort": 80,
              "protocol": "tcp",
              "servicePort": 10000
            },
            {
              "hostPort": 0,
              "containerPort": 443,
              "protocol": "tcp",
              "servicePort": 10001
            }
          ],
          "privileged": false,
          "forcePullImage": false
        }
      },
      "healthChecks": [
        {
          "gracePeriodSeconds": 300,
          "intervalSeconds": 60,
          "timeoutSeconds": 20,
          "maxConsecutiveFailures": 3,
          "protocol": "COMMAND",
          "command": {
            "value": "service nginx status | grep -q 'nginx is running.'"
          }
        }
      ],
      "upgradeStrategy": {
        "minimumHealthCapacity": 1,
        "maximumOverCapacity": 1
      },
      "unreachableStrategy": {
        "inactiveAfterSeconds": 900,
        "expungeAfterSeconds": 604800
      },
      "killSelection": "youngest_first",
      "acceptedResourceRoles": [
        "*"
      ],
      "requirePorts": false,
      "labels": {
        "DCOS_PACKAGE_RELEASE": "1",
        "DCOS_SERVICE_SCHEME": "http",
        "DCOS_PACKAGE_SOURCE": "https://universe.mesosphere.com/repo",
        "DCOS_PACKAGE_METADATA": "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",
        "DCOS_PACKAGE_REGISTRY_VERSION": "2.0",
        "DCOS_SERVICE_NAME": "nginx",
        "DCOS_SERVICE_PORT_INDEX": "0",
        "DCOS_PACKAGE_VERSION": "1.8.1",
        "DCOS_PACKAGE_NAME": "nginx",
        "DCOS_PACKAGE_IS_FRAMEWORK": "false"
      }
    }

    JSON view

    Figure 10. View of JSON file

  3. Click REVIEW & RUN and then RUN SERVICE.

  4. Repeat the previous steps for Nick. Be sure to specify "id": "/prod-b/nginx", for example:

    {
      "id": "/prod-b/nginx",
      "cmd": "rm -rf /usr/share/nginx/html && ln -s /mnt/mesos/sandbox/hello-nginx-master/ /usr/share/nginx/html && nginx -g 'daemon off;'",
      "instances": 1,
      "cpus": 1,
      "mem": 1024,
      "disk": 0,
      "gpus": 0,
      "fetch": [
      ...
    }

  5. While logged in as Cory or Nick, click on the NGINX launch icon to view the confirmation message.

    NGINX

    Figure 11. Confirmation screen

Next we will look at the Services tab from the superuser view.

DC/OS UI: Monitor user accounts

  1. Log out the current user and then log back in as a user with superuser permission. You will see that both services are running, one in the prod-a service group and one in the prod-b service group.

    prod-a-group

    Figure 12. Superuser view