First, note that "permissive" flag applies to all ACLs (register_frameworks and run_tasks in your case), irrespective of where in the JSON it is defined.

> Without the permissive=false tag, the framework gets registered and any
> role other than apps or dev-ops gets rejected by mesos-master. But when I
> have the permissive=false set for run_tasks, I get the following error when
> start the marathon

Does framework get rejected for *any* role (with permissive as "true")? From the ACLs, it looks like "marathon" role would be rejected. Any other role should be accepted. Can you show me an example?

> Authorization is not working at all if I have permissive=false defined.
> Just to summarize other things I have tried, 1) removing the permissive tag
> make the framework registration to go through, 2) removing the principals
> type NONE results in the same error. What am I missing here??

From the log, it looks like you were trying principal as "devel" and role as "apps", which I would expect to be rejected based on your ACLs (none of the ACLs match and permissive is "false"). What do you mean by authorization is not working at all? Have you tried principal as "marathon" and roles as "apps"? That should work.
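
The behaviour described in the reply above, as an added example that is not part of the original message and not Mesos code: a simplified model of first-match ACL evaluation with one global "permissive" fallback. The ACL document, the `authorize` helper and the ANY/NONE handling are constructed assumptions; the poster's real ACLs are not shown on this page.

```python
import json

# Constructed ACLs (not the poster's). "permissive" is one global flag; it is
# written last here to show that its position in the JSON does not matter.
ACLS_JSON = """
{
  "register_frameworks": [
    {"principals": {"values": ["marathon"]},
     "roles": {"values": ["apps", "dev-ops"]}}
  ],
  "run_tasks": [
    {"principals": {"values": ["marathon"]},
     "users": {"values": ["root"]}}
  ],
  "permissive": false
}
"""

def _matches(value, entity):
    # Model assumption: an ANY or NONE entity matches every request value.
    return "type" in entity or value in entity.get("values", [])

def _allows(value, entity):
    # Model assumption: NONE never allows, ANY always allows.
    if "type" in entity:
        return entity["type"] == "ANY"
    return value in entity.get("values", [])

def authorize(acls, action, principal, obj_key, obj):
    """First matching ACL decides; with no match the global flag decides."""
    for acl in acls.get(action, []):
        subj, target = acl["principals"], acl[obj_key]
        if _matches(principal, subj) and _matches(obj, target):
            return _allows(principal, subj) and _allows(obj, target)
    return acls.get("permissive", True)  # Mesos defaults permissive to true

def demo():
    strict = json.loads(ACLS_JSON)           # permissive=false
    relaxed = dict(strict, permissive=True)  # same ACLs, permissive=true
    reg = "register_frameworks"
    return {
        "strict marathon/apps": authorize(strict, reg, "marathon", "roles", "apps"),
        "strict devel/apps": authorize(strict, reg, "devel", "roles", "apps"),
        "relaxed devel/apps": authorize(relaxed, reg, "devel", "roles", "apps"),
        "strict devel run_tasks": authorize(strict, "run_tasks", "devel", "users", "root"),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(case, "->", "allowed" if allowed else "rejected")
```
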

