Hi,
I got in to a different problem when I defined permissive = false in the
acl.json. Following is the acl.json i have defined. I have defined
permissive: false above run_tasks.
{
"register_frameworks": [
{
"principals": {
"values": [
"marathon"
]
},
"roles": {
"values": [
"apps",
"dev-ops"
]
}
},
{
"principals": {
"type": "NONE"
},
"roles": {
"values": [
"marathon"
]
}
}
],
"permissive": false,
"run_tasks": [
{
"principals": {
"values": [
"marathon"
]
},
"users": {
"values": [
"root",
"devel"
]
}
},
{
"principals": {
"values": [
"marathon"
]
},
"users": {
"type": "NONE"
}
}
]
}
Without the premissive =false tag, the framework gets registered and any
role other than apps or dev-ops gets rejected by mesos-master. But when I
have the permissive=false set for run_tasks, I get the following error when
start the marathon
<mesos-master log>
I0308 14:56:51.991261 14 master.cpp:3901] Authenticating
[email protected]:9090
I0308 14:56:51.992118 14 master.cpp:3912] Using default CRAM-MD5
authenticator
I0308 14:56:51.992384 14 authenticator.hpp:166] Creating new server SASL
connection
I0308 14:56:51.993505 8 authenticator.hpp:272] Received SASL
authentication start
I0308 14:56:51.993590 8 authenticator.hpp:394] Authentication requires
more steps
I0308 14:56:51.995046 8 authenticator.hpp:300] Received SASL
authentication step
I0308 14:56:51.995201 8 authenticator.hpp:386] Authentication success
I0308 14:56:51.995379 8 master.cpp:3959] Successfully authenticated
principal 'devel' at
[email protected]:9090
I0308 14:56:51.996145 8 master.cpp:1520] Received re-registration
request from framework 20150307-044244-1778493632-5050-1-0000 (marathon) at
[email protected]:9090
I0308 14:56:51.997325 8 master.cpp:1342] Authorizing framework
principal 'devel' to receive offers for role 'apps'
I0308 14:56:51.997428 8 master.cpp:1542] Refusing re-registration of
framework 20150307-044244-1778493632-5050-1-0000 (marathon) at
[email protected]:9090: Not
authorized to use role 'apps'
<marathon log>
I0308 14:56:51.990717 47 authenticatee.hpp:133] Creating new client SASL
connection
I0308 14:56:51.992751 48 authenticatee.hpp:224] Received SASL
authentication mechanisms: CRAM-MD5
I0308 14:56:51.992869 48 authenticatee.hpp:250] Attempting to
authenticate with mechanism 'CRAM-MD5'
I0308 14:56:51.994890 51 authenticatee.hpp:270] Received SASL
authentication step
I0308 14:56:51.995720 49 authenticatee.hpp:310] Authentication success
I0308 14:56:51.995867 49 sched.cpp:358] Successfully authenticated with
master [email protected]:5050
I0308 14:56:51.997730 50 sched.cpp:736] Got error 'Not authorized to use
role 'apps''
I0308 14:56:51.997869 50 sched.cpp:1320] Asked to abort the driver
[2015-03-08 14:56:51,998] WARN Error: Not authorized to use role 'apps'
(mesosphere.marathon.MarathonScheduler:258)
Authorization is not working at all if I have permissive=false defined.
Just to summarize other things I have tried, 1) removing the permissive tag
make the framework registration to go through, 2) removing the principals
type NONE results in the same error. What am I missing here??
Thanks,
./Siva.
On Fri, Mar 6, 2015 at 10:44 PM, Sivaram Kannan <[email protected]> wrote:
>
> Awesome. Thanks Vinod. Let me try that.
>
> On Fri, Mar 6, 2015 at 10:08 PM, Vinod Kone <[email protected]> wrote:
>
>> Quoting form the documentation
>> <http://mesos.apache.org/documentation/latest/authorization/>:
>>
>> "
>>
>> There are couple of important things to note:
>>
>> 1.
>>
>> ACLs are matched in the order that they are setup. In other words,
>> the first matching ACL determines whether a request is authorized or not.
>> 2.
>>
>> If none of the specified ACLs match the given request, whether the
>> request is authorized or not is defined by ACLs.permissive field. By
>> default this is “true” i.e., a non-matching request is authorized.
>>
>>
>> "
>>
>> So in your case, since the user doesn't match "user1" and "permissive" is
>> not set (default), the request is authorized.
>>
>> If you only want your framework to run tasks as "user1", add
>> '"permissive" = false' to your ACLs JSON.
>>
>> HTH,
>>
>>
>> On Fri, Mar 6, 2015 at 2:32 AM, Sivaram Kannan <[email protected]>
>> wrote:
>>
>>>
>>> Just to make it more clear, I want to understand in which scenario would
>>> the task authorization will fail and framework gets a TASK_LOST error. I
>>> would greatly appreciate If you could give an example what I should change
>>> in the acl.json and the master or slave to get the TASK_LOST errror.
>>>
>>> Version of Mesos: 0.21.1 and marathon v0.7.7-SNAPSHOT. All of them are
>>> being run as docker containers.
>>>
>>> Thanks,
>>> ./Siva.
>>>
>>> On Fri, Mar 6, 2015 at 2:36 PM, Sivaram Kannan <[email protected]>
>>> wrote:
>>>
>>>>
>>>> Guess I don't understand then. Let me give some tests I ran for
>>>> understanding ACL, but am not clear which unix users is this. Assume I have
>>>> two nodes.
>>>>
>>>> Node1 - runs Mesos-master and marathon
>>>> Node2 - runs mesos-slave
>>>>
>>>> Both the above nodes have an users named devel and root.
>>>>
>>>> Test1: I started the mesos-master with the following acl.json
>>>>
>>>> "run_tasks": [
>>>> {
>>>> "principals": {
>>>> "values": [
>>>> "marathon"
>>>> ]
>>>> },
>>>> "users": {
>>>> "values": [
>>>> "root",
>>>> "devel"
>>>> ]
>>>> }
>>>> },
>>>> {
>>>> "principals": {
>>>> "values": [
>>>> "marathon"
>>>> ]
>>>> },
>>>> "users": {
>>>> "type": "NONE"
>>>> }
>>>> }
>>>> ]
>>>>
>>>> I was able to launch the tasks from the marathon. Now I modified the
>>>> acl.json as follow and relaunched the mesos-master. In this I wanted to
>>>> make the task fail and see the error
>>>>
>>>> "principals": {
>>>> "values": [
>>>> "marathon"
>>>> ]
>>>> },
>>>> "users": {
>>>> "values": [
>>>> "user1"
>>>> ]
>>>> }
>>>>
>>>>
>>>> Even now I am able to launch the tasks from the marathon instance. So,
>>>> can you please tell me which nodes unix user does values under "users" tag
>>>> refers to? Am I making anything wrong in the way I am using run_tasks??
>>>>
>>>> Thanks,
>>>> ./Siva
>>>>
>>>> On Thu, Mar 5, 2015 at 11:35 PM, Vinod Kone <[email protected]>
>>>> wrote:
>>>>
>>>>> I'm not very familiar with Marathon, but the 'user' in the 'run_tasks'
>>>>> ACL is the unix user that the executor/run process runs as. This user is
>>>>> set by frameworks by setting 'CommandInfo.user'.
>>>>>
>>>>> On Thu, Mar 5, 2015 at 9:06 AM, Sivaram Kannan <[email protected]>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> The user that is defined as part of Mesos's Authorization ACL, which
>>>>>> user is it? Taking marathon framework as example, the users defined as
>>>>>> part
>>>>>> of run_tasks principal, is it the user that is used to run marathon
>>>>>> executable or the unix user available in the mesos-slave's?
>>>>>>
>>>>>> Documentation in
>>>>>> http://mesos.apache.org/documentation/latest/authorization/ does not
>>>>>> seems to be clear on that. Can someone clarify?
>>>>>>
>>>>>> Thanks,
>>>>>> ./Siva.
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> ever tried. ever failed. no matter.
>>>> try again. fail again. fail better.
>>>> -- Samuel Beckett
>>>>
>>>
>>>
>>>
>>> --
>>> ever tried. ever failed. no matter.
>>> try again. fail again. fail better.
>>> -- Samuel Beckett
>>>
>>
>>
>
>
> --
> ever tried. ever failed. no matter.
> try again. fail again. fail better.
> -- Samuel Beckett
>
--
ever tried. ever failed. no matter.
try again. fail again. fail better.
-- Samuel Beckett
