Granting Access to dcos task exec

ENTERPRISE

Granting access for debugging

You can grant users access to containers for debugging sessions.

Prerequisites:

All CLI commands can also be executed via the IAM API. You can see more detail about the dcos security org users commands in the CLI Command Reference section.

Permissive

Grant the following privileges to the user uid.

  1. dcos security org users grant <uid> dcos:adminrouter:ops:mesos full
  2. dcos security org users grant <uid> dcos:adminrouter:ops:slave full

Strict

With strict security mode, you can control whether a user can launch an interactive debugging session or not. You can also restrict which containers a user can access for debugging. This ensures that users cannot execute arbitrary commands in containers that do not pertain to them.

Granting non-pseudo terminal debug access

Grant the following privileges to the user uid.

  1. dcos security org users grant <uid> dcos:adminrouter:ops:mesos full
  2. dcos security org users grant <uid> dcos:adminrouter:ops:slave full
  3. dcos security org users grant <uid> dcos:mesos:agent:container:app_id:/test-group read --description "Grants a user permission to attach to the input of any process running inside of a container in test-group."
  4. dcos security org users grant <uid> dcos:mesos:agent:nested_container_session:app_id:/test-group create --description "Grants a user permission to attach to the input of any process running inside of a container in test-group."
  5. dcos security org users grant <uid> dcos:mesos:master:executor:app_id:/test-group read --description "Controls access to executors running inside test-group"
  6. dcos security org users grant <uid> dcos:mesos:master:framework:role:* read --description "Controls access to frameworks registered with the Mesos default role"
  7. dcos security org users grant <uid> dcos:mesos:master:task:app_id:/test-group read --description "Controls access to tasks running inside test-group"

Granting pseudo terminal debug access

Grant the following privileges to the user uid.

  1. dcos security org users grant <uid> dcos:adminrouter:ops:mesos full
  2. dcos security org users grant <uid> dcos:adminrouter:ops:slave full
  3. dcos security org users grant <uid> dcos:mesos:agent:container:app_id:/test-group read --description "Grants a user permission to attach to the input of any process running inside of a container in test-group."
  4. dcos security org users grant <uid> dcos:mesos:agent:container:app_id:/test-group update
  5. dcos security org users grant <uid> dcos:mesos:agent:nested_container_session:app_id:/test-group create --description "Grants a user permission to launch a container inside a container in test-group."
  6. dcos security org users grant <uid> dcos:mesos:master:executor:app_id:/test-group read --description "Controls access to executors running inside test-group"
  7. dcos security org users grant <uid> dcos:mesos:master:framework:role:* read --description "Controls access to frameworks registered with the Mesos default role"
  8. dcos security org users grant <uid> dcos:mesos:master:task:app_id:/test-group read --description "Controls access to tasks running inside test-group"