Re: WebUI authentication in 1.0.0-rc1

Sure, it looks like this, not very imaginative. There is currently no authorization on the agents. { "permissive": false, [...] // Here is the previous ACL with actions "run_tasks" and "register_frameworks" "get_endpoints": [ { "principals

Re: WebUI authentication in 1.0.0-rc1

Benno, Would you mind providing more information on the ACL definitions that you used to gain full access to the web UI? I'm working on some more documentation for this. Also, did you have authorization enabled on the agents as well? Cheers, Greg On Wed, Jun 8, 2016 at 7:43 AM, Neil Conway wrote

Re: WebUI authentication in 1.0.0-rc1

On Wed, Jun 8, 2016 at 4:27 PM, Alexander Rojas wrote: > I think we should also think more thoroughly about the expected behaviour > when we introduce new authorizable actions (and we most certainly will). > Since things may break particularly if users set the `permissive` ACL field > to false. >

Re: WebUI authentication in 1.0.0-rc1

Maybe we can just supply a default acl template file specifying these defaults acls. Then users will have more guidance when starting to use acls. I will create a sample patch to clarify how I envision such kind of template :-). On Wed, Jun 8, 2016 at 4:27 PM, Alexander Rojas wrote: > I think we

Re: WebUI authentication in 1.0.0-rc1

I think we should also think more thoroughly about the expected behaviour when we introduce new authorizable actions (and we most certainly will). Since things may break particularly if users set the `permissive` ACL field to false. Perhaps initially, if no ACL is given for the new action we print

Re: WebUI authentication in 1.0.0-rc1

Hi Evers, Thanks for testing this out! We should have called out this change more explicitly in the changelog; I've posted a patch here to do that. Adding documentation with guidance on how to set ACLs to accomplish particular tasks (i.e., full use of the web

Re: WebUI authentication in 1.0.0-rc1

Hi, thanks for the pointer. For people having the same problem, it seems that you have to actually provide six new ACL rules to restore the previous behaviour: get_endpoints, view_frameworks, view_tasks, view_executors, access_sandboxes, and access_mesos_logs. On 03.06.2016 21:59, Michael Park w

Re: WebUI authentication in 1.0.0-rc1

Hello, I'm not exactly sure about whether the behavior is undesired or not. But I think the ACL that you're missing is `GetEndpoint`: https://github.com/apache/mesos/blob/master/include/mesos/authorizer/acls.proto#L183-L190 Hope that helps, MPark On 3 June 2016 at 12:36, Evers Benno wrote: >

WebUI authentication in 1.0.0-rc1

I just tried building and running the 1.0.0-rc1, and it seems that the web UI is broken due to /metrics/snapshot returning a 403. (There's a popup continously displaying "Failed to connect to mesos-master.example.org:5050!" I'm running mesos-master with options `--no-authenticate_http --acls={"pe