Granting Access to Services and Groups

ENTERPRISE

Implementing fine-grained user access to services using the web interface or the CLI

You can implement fine-grained user access to services using the DC/OS web interface, the API, or the CLI.

The Marathon permissions allow you to restrict a user’s access to services on either a per-service or a per-service-group basis. This section walks you through the steps to accomplish this.

Marathon permissions and Mesos permissions do not distinguish between service names, job names, service groups, or job groups. Therefore, a name must be unique across all of these kinds, or a permission granted for one will also apply to the other.

Prerequisites:

Granting access to a service

Using the DC/OS web interface

  1. Log into the DC/OS web interface as a user with the superuser permission.

    Figure 1. DC/OS web interface login screen

  2. Select Organization and choose Users or Groups.

  3. Select the name of the user or group to grant the permission to.

    Figure 2. Select user to grant permissions

  4. From the Permissions tab, click ADD PERMISSION.

  5. Click INSERT PERMISSION STRING to toggle the dialog.

  6. Copy and paste the permission in the Permissions Strings field. Choose the permission strings based on your security mode.

    Figure 3. Copy and paste permissions string.

    Permissive

    • DC/OS service access:

      Specify your service (<service-name>) and action (<action>). Actions can be either create, read, update, delete, or full. To permit more than one operation, use a comma to separate them, for example: dcos:service:marathon:marathon:services:/<service-name> read,update.

      1. dcos:adminrouter:service:marathon full
      2. dcos:service:marathon:marathon:services:/<service-name> <action>
    • DC/OS service tasks and logs:

      1. dcos:adminrouter:ops:slave full
    Strict

    • DC/OS service access:

      Specify your service (<service-name>) and action (<action>). Actions can be either create, read, update, delete, or full. To permit more than one operation, use a comma to separate them, for example: dcos:service:marathon:marathon:services:/<service-name> read,update.

      1. dcos:adminrouter:service:marathon full
      2. dcos:service:marathon:marathon:services:/<service-name> <action>
    • DC/OS service tasks and logs:

      1. dcos:adminrouter:ops:slave full
      2. dcos:mesos:agent:executor:app_id:/<service-name> read
      3. dcos:mesos:agent:framework:role:slave_public read
      4. dcos:mesos:agent:sandbox:app_id:/<service-name> read
      5. dcos:mesos:agent:task:app_id:/<service-name> read
      6. dcos:mesos:master:executor:app_id:/<service-name> read
      7. dcos:mesos:master:framework:role:slave_public read
      8. dcos:mesos:master:task:app_id:/<service-name> read

  7. Click ADD PERMISSIONS and then Close.

Via the CLI

Prerequisites:

  • You must have the DC/OS CLI installed and be logged in as a superuser.

  • To grant permissions to a group instead of a user, replace users grant <uid> with groups grant <gid>.

Permissive

  • DC/OS service access:

    1. Grant the following privileges to the user uid for a particular service (<service-name>).

      1. dcos security org users grant <uid> dcos:adminrouter:service:marathon full
      2. dcos security org users grant <uid> dcos:service:marathon:marathon:services:/<service-name> full --description "Controls access to a service or service group <service-name>"
  • DC/OS service tasks and logs:

    1. Grant the following privileges to the user uid.

      1. dcos security org users grant <uid> dcos:adminrouter:ops:mesos full
      2. dcos security org users grant <uid> dcos:adminrouter:ops:slave full

Strict

  • DC/OS service access:

    1. Grant the following privileges to the user uid for a particular service (<service-name>).

      1. dcos security org users grant <uid> dcos:adminrouter:service:marathon full
      2. dcos security org users grant <uid> dcos:service:marathon:marathon:services:/<service-name> full --description "Controls access to a service or service group <service-name>"
  • DC/OS service tasks and logs:

    1. Grant the following privileges to the user uid for a particular service (<service-name>).

      1. dcos security org users grant <uid> dcos:adminrouter:ops:mesos full
      2. dcos security org users grant <uid> dcos:adminrouter:ops:slave full
      3. dcos security org users grant <uid> dcos:mesos:agent:executor:app_id:/<service-name> read --description "Controls access to executors of a service, job, service group, or job group named <service-name>"
      4. dcos security org users grant <uid> dcos:mesos:agent:framework:role:slave_public read --description "Controls access to information about frameworks registered under the slave_public role"
      5. dcos security org users grant <uid> dcos:mesos:agent:sandbox:app_id:/<service-name> read --description "Controls access to the sandbox data of a service, job, service group, or job group named <service-name>"
      6. dcos security org users grant <uid> dcos:mesos:agent:task:app_id:/<service-name> read --description "Controls access to tasks of a service, job, service group, or job group named <service-name>"
      7. dcos security org users grant <uid> dcos:mesos:master:executor:app_id:/<service-name> read --description "Controls access to executors running inside a service, job, service group, or job group named <service-name>"
      8. dcos security org users grant <uid> dcos:mesos:master:framework:role:slave_public read --description "Controls access to frameworks registered with the slave_public role"
      9. dcos security org users grant <uid> dcos:mesos:master:task:app_id:/<service-name> read --description "Controls access to tasks of a service, job, service group, or job group named <service-name>"

Granting access to a service in a service group

Via the DC/OS web interface

  1. Log into the DC/OS web interface as a user with the superuser permission.

    Figure 3. DC/OS web interface login screen

  2. Select Organization and choose Users or Groups.

  3. Select the name of the user or group to grant the permission to.

    Figure 4. Select user to grant permissions

  4. From the Permissions tab, click ADD PERMISSION.

  5. Click INSERT PERMISSION STRING to toggle the dialog.

    Figure 5. Add permission

  6. Copy and paste the permission in the Permissions Strings field. Choose the permission strings based on your security mode.

    Permissive

    • DC/OS service access:

      Specify your service (<service-name>), group (<gid>), and action (<action>). Actions can be either create, read, update, delete, or full. To permit more than one operation, use a comma to separate them, for example: dcos:service:marathon:marathon:services:/<service-name> read,update.

      1. dcos:adminrouter:service:marathon full
      2. dcos:service:marathon:marathon:services:/<gid>/<service-name> <action>
    • DC/OS service tasks and logs:

      1. dcos:adminrouter:ops:mesos full
      2. dcos:adminrouter:ops:slave full
    Strict

    • DC/OS service access:

      Specify your service (<service-name>), group (<gid>), and action (<action>). Actions can be either create, read, update, delete, or full. To permit more than one operation, use a comma to separate them, for example: dcos:service:marathon:marathon:services:/<service-name> read,update.

      1. dcos:adminrouter:service:marathon full
      2. dcos:service:marathon:marathon:services:/<gid>/<service-name> <action>
    • DC/OS service tasks and logs:

      1. dcos:adminrouter:ops:mesos full
      2. dcos:adminrouter:ops:slave full
      3. dcos:mesos:agent:executor:app_id:/<gid>/<service-name> read
      4. dcos:mesos:agent:framework:role:slave_public read
      5. dcos:mesos:agent:sandbox:app_id:/<gid>/<service-name> read
      6. dcos:mesos:agent:task:app_id:/<gid>/<service-name> read
      7. dcos:mesos:master:executor:app_id:/<gid>/<service-name> read
      8. dcos:mesos:master:framework:role:slave_public read
      9. dcos:mesos:master:task:app_id:/<gid>/<service-name> read

  7. Click ADD PERMISSIONS and then Close.

Via the CLI

Prerequisites:

Tips:

  • To grant permissions to a group instead of a user, replace users grant <uid> with groups grant <gid>.

Permissive

  • DC/OS service access:

    1. Grant the following privileges to the user uid for a particular service (<service-name>).

      1. dcos security org users grant <uid> dcos:adminrouter:service:marathon full
      2. dcos security org users grant <uid> dcos:service:marathon:marathon:services:/group/<service-name> full --description "Controls access to a service or service group <service-name> inside a group called group"
  • DC/OS service tasks and logs:

    1. Grant the following privileges to the user uid.

      1. dcos security org users grant <uid> dcos:adminrouter:ops:mesos full
      2. dcos security org users grant <uid> dcos:adminrouter:ops:slave full

Strict

  • DC/OS service access:

    1. Grant the following privileges to the user uid.

      1. dcos security org users grant <uid> dcos:adminrouter:service:marathon full
      2. dcos security org users grant <uid> dcos:service:marathon:marathon:services:/group/<service-name> full --description "Controls access to a service or service group <service-name> inside a group called group"
  • DC/OS service tasks and logs:

    1. Grant the following privileges to the user uid for a particular service (<service-name>).

      1. dcos security org users grant <uid> dcos:adminrouter:ops:mesos full
      2. dcos security org users grant <uid> dcos:adminrouter:ops:slave full
      3. dcos security org users grant <uid> dcos:mesos:agent:executor:app_id:/group/<service-name> read --description "Controls access to executors of a service, job, service group, or job group named <service-name> inside the group group"
      4. dcos security org users grant <uid> dcos:mesos:agent:framework:role:slave_public read --description "Controls access to information about frameworks registered under the slave_public role"
      5. dcos security org users grant <uid> dcos:mesos:agent:sandbox:app_id:/group/<service-name> read --description "Controls access to the sandbox data of a service, job, service group, or job group named <service-name> inside the group group"
      6. dcos security org users grant <uid> dcos:mesos:agent:task:app_id:/group/<service-name> read --description "Controls access to tasks of a service, job, service group, or job group named <service-name> inside the group group"
      7. dcos security org users grant <uid> dcos:mesos:master:executor:app_id:/group/<service-name> read --description "Controls access to executors running inside a service, job, service group, or job group named <service-name>"
      8. dcos security org users grant <uid> dcos:mesos:master:framework:role:slave_public read --description "Controls access to frameworks registered with the slave_public role"
      9. dcos security org users grant <uid> dcos:mesos:master:task:app_id:/group/<service-name> read --description "Controls access to tasks of a service, job, service group, or job group named <service-name>"

Granting a user access to a service group

Via the DC/OS web interface

  1. Log into the DC/OS web interface as a user with the superuser permission.

    Figure 5. DC/OS web interface login screen

  2. Select Organization and choose Users or Groups.

  3. Select the name of the user or group to grant the permission to.

    Figure 6. Select user to grant permissions

  4. From the Permissions tab, click ADD PERMISSION.

  5. Click INSERT PERMISSION STRING to toggle the dialog.

    Figure 7. Add permissions

  6. Copy and paste the permission in the Permissions Strings field. Choose the permission strings based on your security mode.

    Permissive

    • DC/OS group access:

      Specify your group (<gid>) and action (<action>). Actions can be either create, read, update, delete, or full. To permit more than one operation, use a comma to separate them, for example: dcos:service:marathon:marathon:services:/<service-name> read,update.

      1. dcos:adminrouter:service:marathon full
      2. dcos:service:marathon:marathon:services:/<gid> <action>
    • Group tasks and logs:

      1. dcos:adminrouter:ops:mesos full
      2. dcos:adminrouter:ops:slave full
    Strict

    • DC/OS group access:

      Specify your group (<gid>) and action (<action>). Actions can be either create, read, update, delete, or full. To permit more than one operation, use a comma to separate them, for example: dcos:service:marathon:marathon:services:/<service-name> read,update.

      1. dcos:adminrouter:service:marathon full
      2. dcos:service:marathon:marathon:services:/<gid> <action>
    • Group tasks and logs:

      1. dcos:adminrouter:ops:mesos full
      2. dcos:adminrouter:ops:slave full
      3. dcos:mesos:agent:executor:app_id:/<gid> read
      4. dcos:mesos:agent:framework:role:slave_public read
      5. dcos:mesos:agent:sandbox:app_id:/<gid> read
      6. dcos:mesos:agent:task:app_id:/<gid> read
      7. dcos:mesos:master:executor:app_id:/<gid> read
      8. dcos:mesos:master:framework:role:slave_public read
      9. dcos:mesos:master:task:app_id:/<gid> read

  7. Click ADD PERMISSIONS and then Close.

Via the CLI

Prerequisites:

Tips:

  • To grant permissions to a group instead of a user, replace users grant <uid> with groups grant <gid>.

Permissive

  • DC/OS group access:

    1. Grant the following privileges to the user uid.

      1. dcos security org users grant <uid> dcos:adminrouter:service:marathon full
      2. dcos security org users grant <uid> dcos:service:marathon:marathon:services:/group full --description "Controls access to a service, job, service group, or job group named group"
  • Group tasks and logs:

    1. Grant the following privileges to the user uid.

      1. dcos security org users grant <uid> dcos:adminrouter:ops:mesos full
      2. dcos security org users grant <uid> dcos:adminrouter:ops:slave full

Strict

  • DC/OS group access:

    1. Grant the following privileges to the user uid.

      1. dcos security org users grant <uid> dcos:adminrouter:service:marathon full
      2. dcos security org users grant <uid> dcos:service:marathon:marathon:services:/group full --description "Controls access to a service, job, service group, or job group named group"
  • Group tasks and logs:

    1. Grant the following privileges to the user uid.

      1. dcos security org users grant <uid> dcos:adminrouter:ops:mesos full
      2. dcos security org users grant <uid> dcos:adminrouter:ops:slave full
      3. dcos security org users grant <uid> dcos:mesos:agent:executor:app_id:/group read --description "Controls access to executors of a service, job, service group, or job group named group"
      4. dcos security org users grant <uid> dcos:mesos:agent:framework:role:slave_public read --description "Controls access to information about frameworks registered under the slave_public role"
      5. dcos security org users grant <uid> dcos:mesos:agent:sandbox:app_id:/group read --description "Controls access to the sandbox data of a service, job, service group, or job group named group"
      6. dcos security org users grant <uid> dcos:mesos:agent:task:app_id:/group read --description "Controls access to tasks of a service, job, service group, or job group named group"
      7. dcos security org users grant <uid> dcos:mesos:master:executor:app_id:/group read --description "Controls access to executors running inside a service, job, service group, or job group named group"
      8. dcos security org users grant <uid> dcos:mesos:master:framework:role:slave_public read --description "Controls access to frameworks registered with the slave_public role"
      9. dcos security org users grant <uid> dcos:mesos:master:task:app_id:/group read --description "Controls access to tasks of a service, job, service group, or job group named group"
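The three procedures above (a service, a service inside a group, and a whole service group) differ only in the Marathon path that follows ":services:" and ":app_id:" in the permission strings, and the strict-mode lists add the same seven Mesos read permissions each time. The following is an added example, not DC/OS's own tooling, that builds those permission strings from one path, renders them as the "dcos security org users|groups grant" lines used above, validates the <action> slot and the path, and checks a set of service, job and group names for the collisions the note near the top warns about. The function and constant names are this example's assumptions; the permission strings and CLI form are the ones listed on this page, and the permissive set follows the CLI sections (both ops:mesos and ops:slave). Review the generated lines before running them; nothing here talks to a cluster.

```python
"""Build and render the DC/OS Enterprise grants listed on this page (added example)."""
import shlex

# Action words the page allows in the <action> slot of a Marathon service permission.
ACTIONS = frozenset({"create", "read", "update", "delete", "full"})

# Principal kinds accepted by "dcos security org <kind> grant <id> ...".
PRINCIPAL_KINDS = ("users", "groups")


def valid_action(action: str) -> bool:
    """True for one action or a comma-separated list of them, e.g. "read,update"."""
    return all(part in ACTIONS for part in action.split(","))


def valid_app_id(app_id: str) -> bool:
    """True for a Marathon path such as "/web", "/dev/web" or "/dev": leading slash, no empty segment."""
    if not app_id.startswith("/") or len(app_id) < 2:
        return False
    return all(segment != "" for segment in app_id[1:].split("/"))


def permissions(app_id: str, action: str = "full", strict: bool = False):
    """Return the (resource, action) pairs to grant for one service, service-in-group or group.

    app_id is "/<service-name>", "/<gid>/<service-name>" or "/<gid>": exactly the path that
    appears after ":services:" and ":app_id:" in the page's permission strings.
    """
    if not valid_app_id(app_id):
        raise ValueError(f"bad app_id: {app_id!r}")
    if not valid_action(action):
        raise ValueError(f"bad action: {action!r}")
    grants = [
        # service access (the web interface and CLI sections agree on these two)
        ("dcos:adminrouter:service:marathon", "full"),
        (f"dcos:service:marathon:marathon:services:{app_id}", action),
        # tasks and logs: Admin Router access to the Mesos master and agents
        ("dcos:adminrouter:ops:mesos", "full"),
        ("dcos:adminrouter:ops:slave", "full"),
    ]
    if strict:
        # strict mode additionally requires read on the Mesos agent and master resources
        grants += [
            (f"dcos:mesos:agent:executor:app_id:{app_id}", "read"),
            ("dcos:mesos:agent:framework:role:slave_public", "read"),
            (f"dcos:mesos:agent:sandbox:app_id:{app_id}", "read"),
            (f"dcos:mesos:agent:task:app_id:{app_id}", "read"),
            (f"dcos:mesos:master:executor:app_id:{app_id}", "read"),
            ("dcos:mesos:master:framework:role:slave_public", "read"),
            (f"dcos:mesos:master:task:app_id:{app_id}", "read"),
        ]
    return grants


def grant_commands(kind: str, principal: str, grants, description: str = ""):
    """Render each grant as the CLI line the page uses ("users grant <uid>" or "groups grant <gid>")."""
    if kind not in PRINCIPAL_KINDS:
        raise ValueError(f"kind must be one of {PRINCIPAL_KINDS}")
    lines = []
    for resource, action in grants:
        line = f"dcos security org {kind} grant {shlex.quote(principal)} {resource} {action}"
        if description:
            line += f" --description {shlex.quote(description)}"
        lines.append(line)
    return lines


def colliding_names(services, jobs, groups):
    """Names used by more than one kind; Marathon and Mesos permissions cannot tell these apart."""
    kinds_by_name = {}
    for kind, names in (("service", services), ("job", jobs), ("group", groups)):
        for name in names:
            kinds_by_name.setdefault(name, set()).add(kind)
    return {name for name, kinds in kinds_by_name.items() if len(kinds) > 1}


if __name__ == "__main__":
    # constructed sample: user "alice" gets strict-mode read/update access to service /dev/web
    for cmd in grant_commands("users", "alice", permissions("/dev/web", "read,update", strict=True)):
        print(cmd)
```

Pipe the printed lines into a shell only after reviewing them; the path check rejects a missing leading slash or an empty segment so that a typo cannot silently produce a permission string for a different resource, and the collision check is the practical form of the note that service, job and group names share one namespace.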