Re: WebUI authentication in 1.0.0-rc1

2016-06-10 Thread Evers Benno
Sure, it looks like this, not very imaginative. There is currently no authorization on the agents. { "permissive": false, [...] // Here is the previous ACL with actions "run_tasks" and "register_frameworks" "get_endpoints": [ {

Re: WebUI authentication in 1.0.0-rc1

2016-06-09 Thread Greg Mann
Benno, Would you mind providing more information on the ACL definitions that you used to gain full access to the web UI? I'm working on some more documentation for this. Also, did you have authorization enabled on the agents as well? Cheers, Greg On Wed, Jun 8, 2016 at 7:43 AM, Neil Conway

Re: WebUI authentication in 1.0.0-rc1

2016-06-08 Thread Neil Conway
On Wed, Jun 8, 2016 at 4:27 PM, Alexander Rojas wrote: > I think we should also think more thoroughly about the expected behaviour > when we introduce new authorizable actions (and we most certainly will). > Since things may break particularly if users set the

Re: WebUI authentication in 1.0.0-rc1

2016-06-08 Thread Jörg Schad
Maybe we can just supply a default acl template file specifying these defaults acls. Then users will have more guidance when starting to use acls. I will create a sample patch to clarify how I envision such kind of template :-). On Wed, Jun 8, 2016 at 4:27 PM, Alexander Rojas

Re: WebUI authentication in 1.0.0-rc1

2016-06-08 Thread Alexander Rojas
I think we should also think more thoroughly about the expected behaviour when we introduce new authorizable actions (and we most certainly will). Since things may break particularly if users set the `permissive` ACL field to false. Perhaps initially, if no ACL is given for the new action we

Re: WebUI authentication in 1.0.0-rc1

2016-06-06 Thread Evers Benno
Hi, thanks for the pointer. For people having the same problem, it seems that you have to actually provide six new ACL rules to restore the previous behaviour: get_endpoints, view_frameworks, view_tasks, view_executors, access_sandboxes, and access_mesos_logs. On 03.06.2016 21:59, Michael Park

Re: WebUI authentication in 1.0.0-rc1

2016-06-03 Thread Michael Park
Hello, I'm not exactly sure about whether the behavior is undesired or not. But I think the ACL that you're missing is `GetEndpoint`: https://github.com/apache/mesos/blob/master/include/mesos/authorizer/acls.proto#L183-L190 Hope that helps, MPark On 3 June 2016 at 12:36, Evers Benno

WebUI authentication in 1.0.0-rc1

2016-06-03 Thread Evers Benno
I just tried building and running the 1.0.0-rc1, and it seems that the web UI is broken due to /metrics/snapshot returning a 403. (There's a popup continously displaying "Failed to connect to mesos-master.example.org:5050!" I'm running mesos-master with options `--no-authenticate_http