Granting access to services and groups

ENTERPRISE

Use the web interface or the CLI to enforce fine-grained user access to services

You can use the DC/OS web interface, API, or CLI to enforce fine-grained user access to services.

Marathon permissions let you restrict a user's access to services by service or by service group. This section walks you through the steps to do so.

Marathon permissions and Mesos permissions make no distinction between service names, job names, service groups, or job groups. Your names must therefore be unique.

Prerequisites:

Granting access to a service

Using the DC/OS web interface

  1. Log in to the DC/OS web interface as a user with the superuser permission.

    Figure 1. DC/OS web interface login screen.

  2. Select Organization, then select Users.

  3. Select the name of the user or group to grant the permission to.

    Figure 2. Selecting the user to grant the permission to.

  4. On the Permissions tab, click Add Permission.

  5. Click Insert Permission String to toggle the dialog.

  6. Copy and paste the permission into the Permissions Strings field. Choose the permission string for your security mode.

    Figure 3. Copying and pasting the permission string.

    Permissive

    • DC/OS service access:

      Specify your service (<service-name>) and the action (<action>). The action can be create, read, update, delete, or full. To allow more than one action, separate them with commas, for example: dcos:service:marathon:marathon:services:/<service-name> read,update

      ```
      dcos:adminrouter:service:marathon full
      dcos:service:marathon:marathon:services:/<service-name> <action>
      ```

    • DC/OS service tasks and logs:

      ```
      dcos:adminrouter:ops:slave full
      ```

    Strict

    • DC/OS service access:

      Specify your service (<service-name>) and the action (<action>). The action can be create, read, update, delete, or full. To allow more than one action, separate them with commas, for example: dcos:service:marathon:marathon:services:/<service-name> read,update

      ```
      dcos:adminrouter:service:marathon full
      dcos:service:marathon:marathon:services:/<service-name> <action>
      ```

    • DC/OS service tasks and logs:

      ```
      dcos:adminrouter:ops:slave full
      dcos:mesos:agent:executor:app_id:/<service-name> read
      dcos:mesos:agent:framework:role:slave_public read
      dcos:mesos:agent:sandbox:app_id:/<service-name> read
      dcos:mesos:agent:task:app_id:/<service-name> read
      dcos:mesos:master:executor:app_id:/<service-name> read
      dcos:mesos:master:framework:role:slave_public read
      dcos:mesos:master:task:app_id:/<service-name> read
      ```

  7. Click ADD PERMISSIONS, then click Close.

Using the CLI

Prerequisites:

  • You must have the DC/OS CLI installed and be logged in as a superuser.

  • To grant permissions to a group instead of a user, replace users grant <uid> with groups grant <gid>.

Permissive

  • DC/OS service access:

    1. Grant user uid the following permissions for the specific service (<service-name>):

      ```
      dcos security org users grant <uid> dcos:adminrouter:service:marathon full
      dcos security org users grant <uid> dcos:service:marathon:marathon:services:/<service-name> full --description "Controls access to a service or service group <service-name>"
      ```

  • DC/OS service tasks and logs:

    1. Grant user uid the following privileges:

      ```
      dcos security org users grant <uid> dcos:adminrouter:ops:mesos full
      dcos security org users grant <uid> dcos:adminrouter:ops:slave full
      ```

Strict

  • DC/OS service access:

    1. Grant user uid the following permissions for the specific service (<service-name>):

      ```
      dcos security org users grant <uid> dcos:adminrouter:service:marathon full
      dcos security org users grant <uid> dcos:service:marathon:marathon:services:/<service-name> full --description "Controls access to a service or service group <service-name>"
      ```

  • DC/OS service tasks and logs:

    1. Grant user uid the following permissions for the specific service (<service-name>):

      ```
      dcos security org users grant <uid> dcos:adminrouter:ops:mesos full
      dcos security org users grant <uid> dcos:adminrouter:ops:slave full
      dcos security org users grant <uid> dcos:mesos:agent:executor:app_id:/<service-name> read --description "Controls access to executors of a service, job, service group, or job group named <service-name>"
      dcos security org users grant <uid> dcos:mesos:agent:framework:role:slave_public read --description "Controls access to information about frameworks registered under the slave_public role"
      dcos security org users grant <uid> dcos:mesos:agent:sandbox:app_id:/<service-name> read --description "Controls access to the sandbox data of a service, job, service group, or job group named <service-name>"
      dcos security org users grant <uid> dcos:mesos:agent:task:app_id:/<service-name> read --description "Controls access to tasks of a service, job, service group, or job group named <service-name>"
      dcos security org users grant <uid> dcos:mesos:master:executor:app_id:/<service-name> read --description "Controls access to executors running inside a service, job, service group, or job group named <service-name>"
      dcos security org users grant <uid> dcos:mesos:master:framework:role:slave_public read --description "Controls access to frameworks registered with the slave_public role"
      dcos security org users grant <uid> dcos:mesos:master:task:app_id:/<service-name> read --description "Controls access to tasks of a service, job, service group, or job group named <service-name>"
      ```

Granting access to a service inside a service group

Using the DC/OS web interface

  1. Log in to the DC/OS web interface as a user with the superuser permission.

    Figure 3. DC/OS web interface login screen.

  2. Select Organization, then select Users.

  3. Select the name of the user or group to grant the permission to.

    Figure 4. Selecting the user to grant the permission to.

  4. On the Permissions tab, click Add Permission.

  5. Click Insert Permission String to toggle the dialog.

    Figure 5. Adding a permission.

  6. Copy and paste the permission into the Permissions Strings field. Choose the permission string for your security mode.

    Permissive

    • DC/OS service access:

      Specify your service (<service-name>), your group (<gid>), and the action (<action>). The action can be create, read, update, delete, or full. To allow more than one action, separate them with commas, for example: dcos:service:marathon:marathon:services:/<service-name> read,update

      ```
      dcos:adminrouter:service:marathon full
      dcos:service:marathon:marathon:services:/<gid>/<service-name> <action>
      ```

    • DC/OS service tasks and logs:

      ```
      dcos:adminrouter:ops:mesos full
      dcos:adminrouter:ops:slave full
      ```

    Strict

    • DC/OS service access:

      Specify your service (<service-name>), your group (<gid>), and the action (<action>). The action can be create, read, update, delete, or full. To allow more than one action, separate them with commas, for example: dcos:service:marathon:marathon:services:/<service-name> read,update

      ```
      dcos:adminrouter:service:marathon full
      dcos:service:marathon:marathon:services:/<gid>/<service-name> <action>
      ```

    • DC/OS service tasks and logs:

      ```
      dcos:adminrouter:ops:mesos full
      dcos:adminrouter:ops:slave full
      dcos:mesos:agent:executor:app_id:/<gid>/<service-name> read
      dcos:mesos:agent:framework:role:slave_public read
      dcos:mesos:agent:sandbox:app_id:/<gid>/<service-name> read
      dcos:mesos:agent:task:app_id:/<gid>/<service-name> read
      dcos:mesos:master:executor:app_id:/<gid>/<service-name> read
      dcos:mesos:master:framework:role:slave_public read
      dcos:mesos:master:task:app_id:/<gid>/<service-name> read
      ```

  7. Click ADD PERMISSIONS, then click Close.

Using the CLI

Prerequisites:

Tip:

  • To grant permissions to a group instead of a user, replace users grant <uid> with groups grant <gid>.

Permissive

  • DC/OS service access:

    1. Grant user uid the following permissions for the specific service (<service-name>):

      ```
      dcos security org users grant <uid> dcos:adminrouter:service:marathon full
      dcos security org users grant <uid> dcos:service:marathon:marathon:services:/group/<service-name> full --description "Controls access to a service or service group <service-name> inside a group called group"
      ```

  • DC/OS service tasks and logs:

    1. Grant user uid the following privileges:

      ```
      dcos security org users grant <uid> dcos:adminrouter:ops:mesos full
      dcos security org users grant <uid> dcos:adminrouter:ops:slave full
      ```

Strict

  • DC/OS service access:

    1. Grant user uid the following privileges:

      ```
      dcos security org users grant <uid> dcos:adminrouter:service:marathon full
      dcos security org users grant <uid> dcos:service:marathon:marathon:services:/group/<service-name> full --description "Controls access to a service or service group <service-name> inside a group called group"
      ```

  • DC/OS service tasks and logs:

    1. Grant user uid the following permissions for the specific service (<service-name>):

      ```
      dcos security org users grant <uid> dcos:adminrouter:ops:mesos full
      dcos security org users grant <uid> dcos:adminrouter:ops:slave full
      dcos security org users grant <uid> dcos:mesos:agent:executor:app_id:/group/<service-name> read --description "Controls access to executors of a service, job, service group, or job group named <service-name> inside the group group"
      dcos security org users grant <uid> dcos:mesos:agent:framework:role:slave_public read --description "Controls access to information about frameworks registered under the slave_public role"
      dcos security org users grant <uid> dcos:mesos:agent:sandbox:app_id:/group/<service-name> read --description "Controls access to the sandbox data of a service, job, service group, or job group named <service-name> inside the group group"
      dcos security org users grant <uid> dcos:mesos:agent:task:app_id:/group/<service-name> read --description "Controls access to tasks of a service, job, service group, or job group named <service-name> inside the group group"
      dcos security org users grant <uid> dcos:mesos:master:executor:app_id:/group/<service-name> read --description "Controls access to executors running inside a service, job, service group, or job group named <service-name>"
      dcos security org users grant <uid> dcos:mesos:master:framework:role:slave_public read --description "Controls access to frameworks registered with the slave_public role"
      dcos security org users grant <uid> dcos:mesos:master:task:app_id:/group/<service-name> read --description "Controls access to tasks of a service, job, service group, or job group named <service-name>"
      ```

Granting a user access to a service group

Using the DC/OS web interface

  1. Log in to the DC/OS web interface as a user with the superuser permission.

    Figure 5. DC/OS web interface login screen.

  2. Select Organization, then select Users.

  3. Select the name of the user or group to grant the permission to.

    Figure 6. Selecting the user to grant the permission to.

  4. On the Permissions tab, click Add Permission.

  5. Click Insert Permission String to toggle the dialog.

    Figure 7. Adding a permission.

  6. Copy and paste the permission into the Permissions Strings field. Choose the permission string for your security mode.

    Permissive

    • DC/OS group access:

      Specify your group (<gid>) and the action (<action>). The action can be create, read, update, delete, or full. To allow more than one action, separate them with commas, for example: dcos:service:marathon:marathon:services:/<service-name> read,update

      ```
      dcos:adminrouter:service:marathon full
      dcos:service:marathon:marathon:services:/<gid> <action>
      ```

    • Group tasks and logs:

      ```
      dcos:adminrouter:ops:mesos full
      dcos:adminrouter:ops:slave full
      ```

    Strict

    • DC/OS group access:

      Specify your group (<gid>) and the action (<action>). The action can be create, read, update, delete, or full. To allow more than one action, separate them with commas, for example: dcos:service:marathon:marathon:services:/<service-name> read,update

      ```
      dcos:adminrouter:service:marathon full
      dcos:service:marathon:marathon:services:/<gid> <action>
      ```

    • Group tasks and logs:

      ```
      dcos:adminrouter:ops:mesos full
      dcos:adminrouter:ops:slave full
      dcos:mesos:agent:executor:app_id:/<gid> read
      dcos:mesos:agent:framework:role:slave_public read
      dcos:mesos:agent:sandbox:app_id:/<gid> read
      dcos:mesos:agent:task:app_id:/<gid> read
      dcos:mesos:master:executor:app_id:/<gid> read
      dcos:mesos:master:framework:role:slave_public read
      dcos:mesos:master:task:app_id:/<gid> read
      ```

  7. Click ADD PERMISSIONS, then click Close.

Using the CLI

Prerequisites:

Tip:

  • To grant permissions to a group instead of a user, replace users grant <uid> with groups grant <gid>.

Permissive

  • DC/OS group access:

    1. Grant user uid the following privileges:

      ```
      dcos security org users grant <uid> dcos:adminrouter:service:marathon full
      dcos security org users grant <uid> dcos:service:marathon:marathon:services:/group full --description "Controls access to a service, job, service group, or job group named group"
      ```

  • Group tasks and logs:

    1. Grant user uid the following privileges:

      ```
      dcos security org users grant <uid> dcos:adminrouter:ops:mesos full
      dcos security org users grant <uid> dcos:adminrouter:ops:slave full
      ```

Strict

  • DC/OS group access:

    1. Grant user uid the following privileges:

      ```
      dcos security org users grant <uid> dcos:adminrouter:service:marathon full
      dcos security org users grant <uid> dcos:service:marathon:marathon:services:/group full --description "Controls access to a service, job, service group, or job group named group"
      ```

  • Group tasks and logs:

    1. Grant user uid the following privileges:

      ```
      dcos security org users grant <uid> dcos:adminrouter:ops:mesos full
      dcos security org users grant <uid> dcos:adminrouter:ops:slave full
      dcos security org users grant <uid> dcos:mesos:agent:executor:app_id:/group read --description "Controls access to executors of a service, job, service group, or job group named group"
      dcos security org users grant <uid> dcos:mesos:agent:framework:role:slave_public read --description "Controls access to information about frameworks registered under the slave_public role"
      dcos security org users grant <uid> dcos:mesos:agent:sandbox:app_id:/group read --description "Controls access to the sandbox data of a service, job, service group, or job group named group"
      dcos security org users grant <uid> dcos:mesos:agent:task:app_id:/group read --description "Controls access to tasks of a service, job, service group, or job group named group"
      dcos security org users grant <uid> dcos:mesos:master:executor:app_id:/group read --description "Controls access to executors running inside a service, job, service group, or job group named group"
      dcos security org users grant <uid> dcos:mesos:master:framework:role:slave_public read --description "Controls access to frameworks registered with the slave_public role"
      dcos security org users grant <uid> dcos:mesos:master:task:app_id:/group read --description "Controls access to tasks of a service, job, service group, or job group named group"
      ```
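As an added example that is not part of the DC/OS documentation or the dcos CLI, the following Python builds the permission strings from the three procedures above (a service, a service inside a group, and a whole group) for either security mode, emits the equivalent grant command lines, and checks the unique-name requirement stated at the top of the page. The path check, the function names, and the principal `cory` are assumptions; the tasks-and-logs block follows the group and service-in-group lists, which include both ops:mesos and ops:slave.

```python
# Added example (not from the DC/OS docs or the dcos CLI): build the permission
# strings this page lists for a service ("/my-svc"), a service inside a group
# ("/group/my-svc") or a whole group ("/group"), in permissive or strict mode,
# and emit the matching `dcos security org users|groups grant` command lines.
import re
import shlex

ACTIONS = {"create", "read", "update", "delete", "full"}
# Simplified Marathon app-id check (assumption): "/"-separated lowercase segments.
PATH_RE = re.compile(r"^(/[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")

def validate_action(action: str) -> str:
    """Accept one action or a comma-separated list such as 'read,update'."""
    if not set(action.split(",")) <= ACTIONS:
        raise ValueError(f"unknown action(s) in {action!r}")
    return action

def permission_strings(path: str, action: str, strict: bool) -> list[tuple[str, str]]:
    """(resource id, action) pairs for service access plus tasks and logs.
    Strict mode adds the Mesos agent/master RIDs, scoped to the same app_id path;
    the page's group procedure uses the same RIDs with the group path."""
    if not PATH_RE.match(path):
        raise ValueError(f"bad service or group path {path!r}")
    perms = [
        ("dcos:adminrouter:service:marathon", "full"),
        (f"dcos:service:marathon:marathon:services:{path}", validate_action(action)),
        ("dcos:adminrouter:ops:mesos", "full"),
        ("dcos:adminrouter:ops:slave", "full"),
    ]
    if strict:
        for side in ("agent", "master"):
            perms += [(f"dcos:mesos:{side}:executor:app_id:{path}", "read"),
                      (f"dcos:mesos:{side}:framework:role:slave_public", "read"),
                      (f"dcos:mesos:{side}:task:app_id:{path}", "read")]
        perms.append((f"dcos:mesos:agent:sandbox:app_id:{path}", "read"))
    return perms

def grant_commands(principal: str, path: str, action: str, strict: bool,
                   is_group: bool = False) -> list[str]:
    """CLI lines to run; is_group swaps `users grant <uid>` for `groups grant <gid>`."""
    kind = "groups" if is_group else "users"
    return [f"dcos security org {kind} grant {shlex.quote(principal)} {rid} {act}"
            for rid, act in permission_strings(path, action, strict)]

def name_collisions(service_names: set[str], job_names: set[str]) -> set[str]:
    """Marathon and Mesos permissions do not tell services from jobs, so a name
    used for both is covered by a single grant; the page requires unique names."""
    return service_names & job_names
```

Review the emitted lines (or compare them with `dcos security org users grant` output in a test cluster) before running them; the script only generates the commands.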