Granting Access to the Marathon Tab
ENTERPRISE
You can grant users access to the Marathon Tab. By default, new users have no permissions.
Granting Access using the UI
Prerequisite:
- A DC/OS user account without the dcos:superuser permission.
Log in to the DC/OS UI as a user with the dcos:superuser permission.
Figure 1. Log in to UI
Select Organization and choose Users or Groups.
Select the name of the user or group to grant the permission to.
Figure 2. Select user or group to grant permissions to
From the Permissions tab, click ADD PERMISSION.
Click INSERT PERMISSION STRING to toggle the dialog.
Figure 3. Add permission
- Copy and paste the permission in the Permissions Strings field. Choose the permission strings based on your security mode and click ADD PERMISSIONS and then Close.
Permissive
Marathon dashboard
dcos:adminrouter:service:marathon full
Launch tasks
dcos:service:marathon:marathon:services:/ full
Task details and logs
To view task details and logs, you must grant access to the Mesos UI.
Strict
Marathon dashboard
dcos:adminrouter:service:marathon full
Launch tasks
dcos:service:marathon:marathon:services:/ full
Task details and logs
To view Marathon task details and logs, you must grant access to the [Mesos UI](/mesosphere/dcos/2.1/security/ent/gui-permissions/mesos-ui/).
You can send the URL of the native Marathon UI for DC/OS to the user: http://<master-public-ip>/marathon/
Granting Access using the API
Prerequisites:
- You must have the DC/OS CLI installed and be logged in as a superuser.
- You must get the root cert before issuing the curl commands in this section.
Notes
- Service resources often include / characters that must be replaced with %252F in curl requests, as shown in the examples below.
- When using the API to manage permissions, you must create the permission before granting it. If the permission already exists, the API will return an informative message and you can continue to assign the permission.
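The two notes above combined into one helper, as an added example that is not part of the DC/OS documentation or CLI. The function names (encode_rid, acl_url, grant_url, grant_permission) are hypothetical; the endpoint paths, the %252F substitution and the curl options are the ones used on this page.

```shell
# Added example: helper names are hypothetical, not DC/OS CLI commands.

# Encode a permission resource ID for an ACL URL path:
# every "/" becomes "%252F", as the first note requires.
encode_rid() {
  printf '%s' "$1" | sed 's|/|%252F|g'
}

# ACL URL for a resource. $1 = cluster base URL, $2 = resource ID.
acl_url() {
  printf '%s/acs/api/v1/acls/%s' "${1%/}" "$(encode_rid "$2")"
}

# Grant URL. $3 = "users" or "groups", $4 = uid or gid, $5 = action (default: full).
grant_url() {
  case "$3" in
    users|groups) ;;
    *) echo "subject type must be 'users' or 'groups'" >&2; return 1 ;;
  esac
  printf '%s/%s/%s/%s' "$(acl_url "$1" "$2")" "$3" "$4" "${5:-full}"
}

# Create the permission, then grant it (second note: create before granting).
# Needs the dcos CLI, a superuser login and dcos-ca.crt in the current directory.
# $1 = resource ID, $2 = users|groups, $3 = uid|gid,
# $4 = description (assumed to contain no double quotes).
grant_permission() (
  base="$(dcos config show core.dcos_url)"
  token="$(dcos config show core.dcos_acs_token)"
  # Validate the subject type before anything is sent to the cluster.
  target="$(grant_url "$base" "$1" "$2" "$3" full)" || exit 1
  # On a re-run the create call reports that the permission already exists;
  # that response is expected and the grant below still applies.
  curl -X PUT --cacert dcos-ca.crt \
    -H "Authorization: token=${token}" \
    -H 'Content-Type: application/json' \
    "$(acl_url "$base" "$1")" \
    -d "{\"description\":\"$4\"}"
  curl -X PUT --cacert dcos-ca.crt \
    -H "Authorization: token=${token}" \
    "$target"
)
```

Passing the unencoded resource ID, for example dcos:service:marathon:marathon:services:/ with users and a uid, keeps the escaping in one place, so a forgotten %252F cannot point the grant at a different resource path.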
Permissive
Marathon dashboard
Create the permission.
curl -X PUT --cacert dcos-ca.crt \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
-H 'Content-Type: application/json' \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:service:marathon \
-d '{"description":"Grants access to the Marathon UI"}'
Grant the following privileges to the user uid.
curl -X PUT --cacert dcos-ca.crt \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:service:marathon/users/<uid>/full
NOTE: To grant this permission to a group instead of a user, replace /users/"uid" with /groups/"gid".
Launch tasks
Create the permission.
curl -X PUT --cacert dcos-ca.crt \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
-H 'Content-Type: application/json' \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:marathon:marathon:services:%252F \
-d '{"description":"Grants access to launch Marathon task from UI"}'
Grant the following privileges to the user uid.
curl -X PUT --cacert dcos-ca.crt \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:marathon:marathon:services:%252F/users/<uid>/full
NOTE: To grant this permission to a group instead of a user, replace /users/"uid" with /groups/"gid".
Task details and logs
To view task details and logs, you must grant access to the Mesos UI.
Strict
Marathon dashboard
Create the permission.
curl -X PUT --cacert dcos-ca.crt \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
-H 'Content-Type: application/json' \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:service:marathon \
-d '{"description":"Grants access to the Marathon UI"}'
Grant the following privileges to the user uid.
curl -X PUT --cacert dcos-ca.crt \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:service:marathon/users/<uid>/full
NOTE: To grant this permission to a group instead of a user, replace /users/"uid" with /groups/"gid".
Launch tasks
Create the permission.
curl -X PUT --cacert dcos-ca.crt \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
-H 'Content-Type: application/json' \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:marathon:marathon:services:%252F \
-d '{"description":"Grants access to launch Marathon task from UI"}'
Grant the following privileges to the user uid.
curl -X PUT --cacert dcos-ca.crt \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:marathon:marathon:services:%252F/users/<uid>/full
NOTE: To grant this permission to a group instead of a user, replace /users/"uid" with /groups/"gid".
Task details and logs
To view task details and logs, you must grant access to the Mesos UI.
You can now send the URL of the native Marathon UI for DC/OS to the user: http://<master-public-ip>/marathon/