Hi Warren,

I am not sure exactly what you want to do, but the basic secure
configuration of a mesos cluster would require three things (you can add
secrets support and isolators):

1. Enabling TLS: This is controlled by environment variables and you can find
the whole documentation here [1]. Note that TLS is all-or-nothing, so
you either enable it in your masters and agents and schedulers or you
disable it everywhere. And only the communication between mesos components
is protected, so if you have a protocol for your tasks to communicate with your
scheduler, that is on your own.
2. Enabling Authentication: Authentication support is documented here [2],
and it is kind of a prerequisite for performing authorization. I would
discourage you from using the `--authenticate` flag since, as far as I
remember, it is deprecated. The URL describes pretty well what each flag
does.
3. Enabling Authorization: While authentication answers the question "do I
know this user and are his credentials correct?", authorization answers "I
know this user, can he perform this action?" The default authorizer is the
"local" authorizer and you can enable it by setting the flags
`--authorizer=local` and `--acls=/path/to/acls.json`. The language to
define ACLs is a little bit confusing, but we have tried to make the
documentation (here [3]) as complete as we can.

Avoid enabling authorization if you haven't enabled authentication, since
most of the actions will be denied. I'd recommend taking a look at this
talk [4] where we introduce most of the modern mesos security. I also
answer mostly on the mesos slack channel for security if you have more
questions there.

[1] http://mesos.apache.org/documentation/latest/ssl/
[2] http://mesos.apache.org/documentation/latest/authentication/
[3] http://mesos.apache.org/documentation/latest/authorization/
[4] https://www.youtube.com/watch?v=-yWHuxXwuAA&index=20&list=PLGeM09tlguZQVL7ZsfNMffX9h1rGNVqnC

On Fri, Feb 23, 2018 at 9:33 PM, Benjamin Mahler <[email protected]> wrote:

> +Alexander
>
> On Mon, Feb 19, 2018 at 11:00 AM Mclain, Warren <[email protected]>
> wrote:
>
>> I am not finding any documentation that tells you how to actually
>> implement the following on the mesos masters and agents.
>>
>>
>>
>> authenticate=true
>>
>> authenticate_http_readonly=true
>>
>> authenticate_http_readwrite=true
>>
>>
>>
>> there is a ton of “official” mesos docs but nothing tells you how to
>> actually make it work.
>>
>>
>>
>> We are using the open source version and trying to secure the basic
>> infrastructure so looking for anyone who has actually been able to make
>> this work and how.
>>
>>
>>
>> We are running pretty much the latest versions of everything.
>>
>>
>>
>> If anyone has some pointers (other than Mesos.org docs), please contact
>> me directly.
>>
>>
>>
>> Thanks.
>>
>>
>>
>> ___________________________________
>>
>> Warren McLain
>>
>> Enterprise Engineering Services
>>
>> IEI Foundation Engineering - Compute, Optum Technology
>>
>> [email protected] Office: 763-744-3107
>>
>>
>>
>>
>> This e-mail, including attachments, may include confidential and/or
>> proprietary information, and may be used only by the person or entity
>> to which it is addressed. If the reader of this e-mail is not the intended
>> recipient or his or her authorized agent, the reader is hereby notified
>> that any dissemination, distribution or copying of this e-mail is
>> prohibited. If you have received this e-mail in error, please notify the
>> sender by replying to this message and delete this e-mail immediately.
>>
>
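The three steps in the reply above, as an added example that is not code from the thread or from Apache Mesos: a dry-run shell script that writes a master credentials file and a deny-by-default ACL file, exports the libprocess TLS variables, assembles master and agent flags, and refuses to continue when ACLs are configured without any `--authenticate_*` flag (the caveat in the reply). The `CONF_DIR` scratch directory, the principal names, the secrets and the certificate paths are constructed placeholders; the flag and `LIBPROCESS_SSL_*` variable names are Mesos's own, and the set of ACL actions accepted depends on the Mesos version, so check them against the authorization doc [3] before use.

```shell
#!/bin/sh
# Added example, not code from the thread or from Apache Mesos. Lays down the
# three pieces the reply describes and prints (does not run) the commands.
# Paths, principals and secrets are constructed placeholders.
set -e

CONF_DIR="${CONF_DIR:-$(mktemp -d)}"   # assumption: a writable scratch dir

# 2. Authentication: --credentials on the master serves both CRAM-MD5
#    (frameworks, agents) and HTTP basic auth on the master endpoints.
#    The agent authenticates to the master with a single-object --credential.
write_credentials() {
  cat > "$CONF_DIR/credentials.json" <<'EOF'
{
  "credentials": [
    { "principal": "marathon", "secret": "CHANGE-ME-framework-secret" },
    { "principal": "agent",    "secret": "CHANGE-ME-agent-secret" },
    { "principal": "ops",      "secret": "CHANGE-ME-operator-secret" }
  ]
}
EOF
  cat > "$CONF_DIR/agent-credential.json" <<'EOF'
{ "principal": "agent", "secret": "CHANGE-ME-agent-secret" }
EOF
  chmod 0600 "$CONF_DIR"/credentials.json "$CONF_DIR"/agent-credential.json
}

# 3. Authorization: ACLs for --authorizer=local. With "permissive": false,
#    any request not matched by a rule is denied.
write_acls() {
  cat > "$CONF_DIR/acls.json" <<'EOF'
{
  "permissive": false,
  "register_frameworks": [
    { "principals": { "values": ["marathon"] }, "roles": { "values": ["*"] } }
  ],
  "run_tasks": [
    { "principals": { "values": ["marathon"] }, "users": { "values": ["nobody"] } }
  ],
  "get_endpoints": [
    { "principals": { "values": ["ops"] }, "paths": { "values": ["/metrics/snapshot"] } }
  ]
}
EOF
}

# 1. TLS: libprocess reads these from the environment of every master, agent
#    and scheduler. Downgrade off means a plaintext peer is rejected, which is
#    the "all or nothing" property the reply mentions.
enable_tls() {
  export LIBPROCESS_SSL_ENABLED=true
  export LIBPROCESS_SSL_SUPPORT_DOWNGRADE=false
  export LIBPROCESS_SSL_KEY_FILE="$CONF_DIR/mesos.key"    # placeholder path
  export LIBPROCESS_SSL_CERT_FILE="$CONF_DIR/mesos.crt"   # placeholder path
  export LIBPROCESS_SSL_CA_FILE="$CONF_DIR/ca.crt"        # placeholder path
  export LIBPROCESS_SSL_VERIFY_CERT=true
  export LIBPROCESS_SSL_REQUIRE_CERT=true
}

# Guard for the caveat in the reply: ACLs without authentication mean requests
# arrive with no principal and almost everything is denied. Returns non-zero
# when --acls/--authorizer appear but no --authenticate_* flag is enabled.
# The deprecated bare --authenticate flag is deliberately not counted.
check_flags() {
  authz=0; authn=0
  for f in "$@"; do
    case "$f" in
      --acls=*|--authorizer=*) authz=1 ;;
      --authenticate_*=false)  ;;            # explicitly switched off
      --authenticate_*)        authn=1 ;;
    esac
  done
  [ "$authz" -eq 0 ] || [ "$authn" -eq 1 ]
}

MASTER_FLAGS="--authenticate_frameworks=true --authenticate_agents=true"
MASTER_FLAGS="$MASTER_FLAGS --authenticate_http_readonly=true --authenticate_http_readwrite=true"
MASTER_FLAGS="$MASTER_FLAGS --credentials=$CONF_DIR/credentials.json"
MASTER_FLAGS="$MASTER_FLAGS --authorizer=local --acls=$CONF_DIR/acls.json"

AGENT_FLAGS="--credential=$CONF_DIR/agent-credential.json"
AGENT_FLAGS="$AGENT_FLAGS --authenticate_http_readonly=true --authenticate_http_readwrite=true"
AGENT_FLAGS="$AGENT_FLAGS --http_credentials=$CONF_DIR/credentials.json"
AGENT_FLAGS="$AGENT_FLAGS --authorizer=local --acls=$CONF_DIR/acls.json"

write_credentials
write_acls
enable_tls
check_flags $MASTER_FLAGS || { echo "refusing: authorization without authentication" >&2; exit 1; }

# Dry run: the TLS variables are already exported in this shell, so replacing
# echo with exec would start the daemons with them. Hostnames are placeholders.
echo "mesos-master --work_dir=/var/lib/mesos $MASTER_FLAGS"
echo "mesos-agent --master=MASTER_HOST:5050 --work_dir=/var/lib/mesos $AGENT_FLAGS"
```

Run it once to see the generated files and the exact flag sets; the `check_flags` guard is the part worth keeping in any real start-up wrapper, since the failure mode it catches (ACLs on, authentication off) shows up only as a flood of denied requests after the master is already running.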
