我的书签
添加书签
移除书签授权访问服务和组
ENTERPRISE
使用 Web 界面或 CLI 对服务实施细粒度用户访问
可以使用 DC/OS Web 界面、API 或 CLI,对服务实施细粒度用户访问 。
Marathon 权限 帮助您按照服务或服务组,限制用户对服务的访问。该部分为您介绍实现这一切的步骤。
Marathon 权限 和 Mesos 权限 不区分服务名称、工作名称、服务组或作业组的区别。因此,您的命名必须是唯一的。
先决条件:
- 您必须安装 DC/OS CLI 并以超级用户身份登录。
- 用于分配权限的用户帐户。
授权访问服务
通过 DC/OS Web 界面
以具有
superuser权限的用户身份登录 DC/OS Web 界面。
图 1. DC/OS Web 界面登录画面。
选择 Organization 并选择 Users 或 Groups。
选择要授予权限的用户名或组名。
图 2. 选择要授予权限的用户
从 Permissions 选项卡中,单击 ADD PERMISSION。
单击 INSERT PERMISSION STRING 以切换对话框。
在 Permissions Strings 字段中复制并粘贴权限。根据您的安全模式选择权限字符串。
图 3. 复制和粘贴权限字符串。
已禁用
此模式不提供细粒度控制。
宽容
DC/OS 服务访问:
指定您的服务 (
<service-name>) 和行动 (<action>). 行动可以是创建,读取,更新,删除, or完整. 例如,要允许多个操作,请使用逗号分隔它们:dcos:service:marathon:marathon:services:/<service-name> read,update。dcos:adminrouter:service:marathon fulldcos:service:marathon:marathon:services:/<service-name> <action>
DC/OS 服务任务和日志:
dcos:adminrouter:ops:slave full
严格
DC/OS 服务访问:
指定您的服务 (
<service-name>) 和行动 (<action>). 行动可以是创建,读取,更新,删除, or完整. 例如,要允许多个操作,请使用逗号分隔它们:dcos:service:marathon:marathon:services:/<service-name> read,update。dcos:adminrouter:service:marathon fulldcos:service:marathon:marathon:services:/<service-name> <action>
DC/OS 服务任务和日志:
dcos:adminrouter:ops:slave fulldcos:mesos:agent:executor:app_id:/<service-name> readdcos:mesos:agent:framework:role:slave_public readdcos:mesos:agent:sandbox:app_id:/<service-name> readdcos:mesos:agent:task:app_id:/<service-name> readdcos:mesos:master:executor:app_id:/<service-name> readdcos:mesos:master:framework:role:slave_public readdcos:mesos:master:task:app_id:/<service-name> read
- 单击 ADD PERMISSIONS,然后单击 Close。
通过 CLI
先决条件:
您必须安装 DC/OS CLI 并以超级用户身份登录。
向组而不是用户授予权限,用‘组授予’
with替换‘用户授予’ `.
已禁用
此模式不提供细粒度控制。
宽容
- DC/OS 服务访问:
针对特定服务向用户授予以下权限 uid (<service-name>).
dcos security org users grant <uid> dcos:adminrouter:service:marathon fulldcos security org users grant <uid> dcos:service:marathon:marathon:services:/<service-name> full --description "Controls access to a service or service group <service-name>"
- DC/OS 服务任务和日志:
向用户授予以下权限 uid。
dcos security org users grant <uid> dcos:adminrouter:ops:mesos fulldcos security org users grant <uid> dcos:adminrouter:ops:slave full
严格
- DC/OS 服务访问:
针对特定服务向用户授予以下权限 uid (<service-name>).
dcos security org users grant <uid> dcos:adminrouter:service:marathon fulldcos security org users grant <uid> dcos:service:marathon:marathon:services:/<service-name> full --description "Controls access to a service or service group <service-name>"
- DC/OS 服务任务和日志:
针对特定服务向用户授予以下权限 uid (<service-name>).
dcos security org users grant <uid> dcos:adminrouter:ops:mesos fulldcos security org users grant <uid> dcos:adminrouter:ops:slave fulldcos security org users grant <uid> dcos:mesos:agent:executor:app_id:/<service-name> read --description "Controls access to executors of a service, job, service group, or job group named <service-name>"dcos security org users grant <uid> dcos:mesos:agent:framework:role:slave_public read --description "Controls access to information about frameworks registered under the slave_public role"dcos security org users grant <uid> dcos:mesos:agent:sandbox:app_id:/<service-name> read --description "Controls access to the sandbox data of a service, job, service group, or job group named <service-name>"dcos security org users grant <uid> dcos:mesos:agent:task:app_id:/<service-name> read --description "Controls access to tasks of a service, job, service group, or job group named <service-name>"dcos security org users grant <uid> dcos:mesos:master:executor:app_id:/<service-name> read --description "Controls access to executors running inside a service, job, service group, or job group named <service-name>"dcos security org users grant <uid> dcos:mesos:master:framework:role:slave_public read --description "Controls access to frameworks registered with the slave_public role"dcos security org users grant <uid> dcos:mesos:master:task:app_id:/<service-name> read --description "Controls access to tasks of a service, job, service group, or job group named <service-name>"
授权予访问服务组中的服务
通过 DC/OS Web 界面
以具有
superuser权限的用户身份登录 DC/OS Web 界面。图 3. DC/OS Web 界面登录
选择 Organization 并选择 Users 或 Groups。
选择要授予权限的用户名或组名。
图 4. 选择要授予权限的用户
从 Permissions 选项卡中,单击 ADD PERMISSION。
单击 INSERT PERMISSION STRING 以切换对话框。
图 5. 添加权限
在 Permissions Strings 字段中复制并粘贴权限。根据您的[安全模式]选择权限字符串(/cn/1.11/security/ent/#security-modes)。
已禁用
此模式不提供细粒度控制。
宽容
DC/OS 服务访问:
指定您的服务 (
<service-name>), group (<gid>), 和行动 (<action>). 行动可以是创建,读取,更新,删除, or完整. 例如,要允许多个操作,请使用逗号分隔它们:dcos:service:marathon:marathon:services:/<service-name> read,update。dcos:adminrouter:service:marathon fulldcos:service:marathon:marathon:services:/<gid>/<service-name> <action>
DC/OS 服务任务和日志:
dcos:adminrouter:ops:mesos fulldcos:adminrouter:ops:slave full
严格
DC/OS 服务访问:
指定您的服务 (
<service-name>), group (<gid>), 和行动 (<action>). 行动可以是创建,读取,更新,删除, or完整. 例如,要允许多个操作,请使用逗号分隔它们:dcos:service:marathon:marathon:services:/<service-name> read,update。dcos:adminrouter:service:marathon fulldcos:service:marathon:marathon:services:/<gid>/<service-name> <action>
DC/OS 服务任务和日志:
dcos:adminrouter:ops:mesos fulldcos:adminrouter:ops:slave fulldcos:mesos:agent:executor:app_id:/<gid>/<service-name> readdcos:mesos:agent:framework:role:slave_public readdcos:mesos:agent:sandbox:app_id:/<gid>/<service-name> readdcos:mesos:agent:task:app_id:/<gid>/<service-name> readdcos:mesos:master:executor:app_id:/<gid>/<service-name> readdcos:mesos:master:framework:role:slave_public readdcos:mesos:master:task:app_id:/<gid>/<service-name> read
- 单击 ADD PERMISSIONS,然后单击 Close。
通过 CLI
先决条件:
- 您必须安装 DC/OS CLI 并以超级用户身份登录。
提示:
- 向组而不是用户授予权限,用‘组授予’
with替换‘用户授予’ `.
已禁用
此模式不提供细粒度控制。
宽容
- DC/OS 服务访问:
针对特定服务向用户授予以下权限 uid (<service-name>).
dcos security org users grant <uid> dcos:adminrouter:service:marathon fulldcos security org users grant <uid> dcos:service:marathon:marathon:services:/group/<service-name> full --description "Controls access to a service or service group <service-name> inside a group called group"
- DC/OS 服务任务和日志:
向用户授予以下权限 uid。
dcos security org users grant <uid> dcos:adminrouter:ops:mesos fulldcos security org users grant <uid> dcos:adminrouter:ops:slave full
严格
- DC/OS 服务访问:
向用户授予以下权限 uid。
dcos security org users grant <uid> dcos:adminrouter:service:marathon fulldcos security org users grant <uid> dcos:service:marathon:marathon:services:/group/<service-name> full --description "Controls access to a service or service group <service-name> inside a group called group"
- DC/OS 服务任务和日志:
针对特定服务向用户授予以下权限 uid (<service-name>).
dcos security org users grant <uid> dcos:adminrouter:ops:mesos fulldcos security org users grant <uid> dcos:adminrouter:ops:slave fulldcos security org users grant <uid> dcos:mesos:agent:executor:app_id:/group/<service-name> read --description "Controls access to executors of a service, job, service group, or job group named <service-name> inside the group group"dcos security org users grant <uid> dcos:mesos:agent:framework:role:slave_public read --description "Controls access to information about frameworks registered under the slave_public role"dcos security org users grant <uid> dcos:mesos:agent:sandbox:app_id:/group/<service-name> read --description "Controls access to the sandbox data of a service, job, service group, or job group named <service-name> inside the group group"dcos security org users grant <uid> dcos:mesos:agent:task:app_id:/group/<service-name> read --description "Controls access to tasks of a service, job, service group, or job group named <service-name> inside the group group"dcos security org users grant <uid> dcos:mesos:master:executor:app_id:/group/<service-name> read --description "Controls access to executors running inside a service, job, service group, or job group named <service-name>"dcos security org users grant <uid> dcos:mesos:master:framework:role:slave_public read --description "Controls access to frameworks registered with the slave_public role"dcos security org users grant <uid> dcos:mesos:master:task:app_id:/group/<service-name> read --description "Controls access to tasks of a service, job, service group, or job group named <service-name>"
授予用户对服务组的访问权限
通过 DC/OS Web 界面
以具有
superuser权限的用户身份登录 DC/OS Web 界面。图 6. DC/OS Web 界面登录画面。
选择 Organization 并选择 Users 或 Groups。
选择要授予权限的用户名或组名。
图 7. 选择要授予权限的用户
从 Permissions 选项卡中,单击 ADD PERMISSION。
单击 INSERT PERMISSION STRING 以切换对话框。
图 8. 添加权限
在 Permissions Strings 字段中复制并粘贴权限。根据您的安全模式选择权限字符串。
已禁用
此模式不提供细粒度控制。
宽容
DC/OS 组访问:
指定您的组 (
<gid>) 和行动 (<action>). 行动可以是创建,读取,更新,删除, or完整. 例如,要允许多个操作,请使用逗号分隔它们:dcos:service:marathon:marathon:services:/<service-name> read,update。dcos:adminrouter:service:marathon fulldcos:service:marathon:marathon:services:/<gid> <action>
组任务和日志:
dcos:adminrouter:ops:mesos fulldcos:adminrouter:ops:slave full
严格
DC/OS 组访问:
指定您的组 (
<gid>) 和行动 (<action>). 行动可以是创建,读取,更新,删除, or完整. 例如,要允许多个操作,请使用逗号分隔它们:dcos:service:marathon:marathon:services:/<service-name> read,update。dcos:adminrouter:service:marathon fulldcos:service:marathon:marathon:services:/<gid> <action>
组任务和日志:
dcos:adminrouter:ops:mesos fulldcos:adminrouter:ops:slave fulldcos:mesos:agent:executor:app_id:/<gid> readdcos:mesos:agent:framework:role:slave_public readdcos:mesos:agent:sandbox:app_id:/<gid> readdcos:mesos:agent:task:app_id:/<gid> readdcos:mesos:master:executor:app_id:/<gid> readdcos:mesos:master:framework:role:slave_public readdcos:mesos:master:task:app_id:/<gid> read
单击 ADD PERMISSIONS,然后单击 Close。
通过 CLI
先决条件:
- 您必须安装 DC/OS CLI 并以超级用户身份登录。
提示:
- 向组而不是用户授予权限,用‘组授予’
with替换‘用户授予’ `.
已禁用
此模式不提供细粒度控制。
宽容
DC/OS 组访问:
向用户授予以下权限
uid。dcos security org users grant <uid> dcos:adminrouter:service:marathon fulldcos security org users grant <uid> dcos:service:marathon:marathon:services:/group full --description "Controls access to a service, job, service group, or job group named group"
组任务和日志:
向用户授予以下权限
uid。dcos security org users grant <uid> dcos:adminrouter:ops:mesos fulldcos security org users grant <uid> dcos:adminrouter:ops:slave full
严格
DC/OS 组访问:
向用户授予以下权限
uid。dcos security org users grant <uid> dcos:adminrouter:service:marathon fulldcos security org users grant <uid> dcos:service:marathon:marathon:services:/group full --description "Controls access to a service, job, service group, or job group named group"
组任务和日志:
向用户授予以下权限
uid。dcos security org users grant <uid> dcos:adminrouter:ops:mesos fulldcos security org users grant <uid> dcos:adminrouter:ops:slave fulldcos security org users grant <uid> dcos:mesos:agent:executor:app_id:/group read --description "Controls access to executors of a service, job, service group, or job group named group"dcos security org users grant <uid> dcos:mesos:agent:framework:role:slave_public read --description "Controls access to information about frameworks registered under the slave_public role"dcos security org users grant <uid> dcos:mesos:agent:sandbox:app_id:/group read --description "Controls access to the sandbox data of a service, job, service group, or job group named group"dcos security org users grant <uid> dcos:mesos:agent:task:app_id:/group read --description "Controls access to tasks of a service, job, service group, or job group named group"dcos security org users grant <uid> dcos:mesos:master:executor:app_id:/group read --description "Controls access to executors running inside a service, job, service group, or job group named group"dcos security org users grant <uid> dcos:mesos:master:framework:role:slave_public read --description "Controls access to frameworks registered with the slave_public role"dcos security org users grant <uid> dcos:mesos:master:task:app_id:/group read --description "Controls access to tasks of a service, job, service group, or job group named group"
