Hi,

There was a mistake in the acl.json I sent earlier. But even after correcting it I am getting the same error. Let me explain. The intention for defining the acl.json is to have:

1. Only principal marathon with roles apps, dev-ops should be able to register a framework with Mesos.
2. Only principal marathon with users root, devel should be able to run_tasks.
3. I am also using the --credentials flag to authenticate users with the same name devel. Sorry it was not clear earlier since both the user used in run_tasks and the authentication principal are the same. Now to make it clear I have made the authentication principal user1.

The below JSON was written. I looked at the examples at http://mesos.apache.org/documentation/latest/authorization/ to write this.

{
  "register_frameworks": [
    {
      "principals": { "values": [ "marathon" ] },
      "roles": { "values": [ "apps", "dev-ops" ] }
    },
    {
      "principals": { "type": "NONE" },
      "roles": { "values": [ "apps", "dev-ops" ] }
    }
  ],
  "permissive": false,
  "run_tasks": [
    {
      "principals": { "values": [ "marathon" ] },
      "users": { "values": [ "root", "montana" ] }
    },
    {
      "principals": { "values": [ "marathon" ] },
      "users": { "type": "NONE" }
    }
  ]
}

Mesos master log:

I0308 17:41:14.862144 12 authenticator.hpp:166] Creating new server SASL connection
I0308 17:41:14.863014 8 authenticator.hpp:272] Received SASL authentication start
I0308 17:41:14.864115 8 authenticator.hpp:394] Authentication requires more steps
I0308 17:41:14.864646 7 authenticator.hpp:300] Received SASL authentication step
I0308 17:41:14.864787 7 authenticator.hpp:386] Authentication success
I0308 17:41:14.865087 7 master.cpp:3959] Successfully authenticated principal 'user1' at [email protected]:9090
I0308 17:41:14.876425 6 master.cpp:1383] Received registration request for framework 'marathon' at [email protected]:9090
I0308 17:41:14.876610 6 master.cpp:1342] Authorizing framework principal 'user1' to receive offers for role 'apps'
I0308 17:41:14.876829 6 master.cpp:1402] Refusing registration of framework 'marathon' at [email protected]:9090: Not authorized to use role 'apps'

Marathon log:

I0308 17:41:14.860546 43 authenticatee.hpp:133] Creating new client SASL connection
I0308 17:41:14.862584 42 authenticatee.hpp:224] Received SASL authentication mechanisms: CRAM-MD5
I0308 17:41:14.862704 42 authenticatee.hpp:250] Attempting to authenticate with mechanism 'CRAM-MD5'
I0308 17:41:14.864399 39 authenticatee.hpp:270] Received SASL authentication step
I0308 17:41:14.875982 45 authenticatee.hpp:310] Authentication success
I0308 17:41:14.876098 45 sched.cpp:358] Successfully authenticated with master [email protected]:5050
I0308 17:41:14.877272 46 sched.cpp:736] Got error 'Not authorized to use role 'apps''
I0308 17:41:14.878365 46 sched.cpp:1320] Asked to abort the driver
[2015-03-08 17:41:14,878] WARN Error: Not authorized to use role 'apps' (mesosphere.marathon.MarathonScheduler:258)
[2015-03-08 17:41:14,880] FATAL Committing suicide (mesosphere.marathon.MarathonScheduler:263)
I0308 17:41:14.880939 46 sched.cpp:777] Aborting framework ''

Thanks,
./Siva.

On Sun, Mar 8, 2015 at 10:28 PM, Vinod Kone <[email protected]> wrote:
> First, note that the "permissive" flag applies to all ACLs (register_frameworks and run_tasks in your case), irrespective of where in the JSON it is defined.
>
>> Without the permissive=false tag, the framework gets registered and any role other than apps or dev-ops gets rejected by mesos-master. But when I have permissive=false set for run_tasks, I get the following error when I start marathon
>>
> Does the framework get rejected for *any* role (with permissive as "true")? From the ACLs, it looks like the "marathon" role would be rejected. Any other role should be accepted. Can you show me an example?
>
>> Authorization is not working at all if I have permissive=false defined. Just to summarize other things I have tried, 1) removing the permissive tag makes the framework registration go through, 2) removing the principals type NONE results in the same error. What am I missing here??
>>
> From the log, it looks like you were trying principal as "devel" and role as "apps", which I would expect to be rejected based on your ACLs (none of the ACLs match and permissive is "false"). What do you mean by authorization is not working at all? Have you tried principal as "marathon" and roles as "apps"? That should work.
>
> -- ever tried. ever failed. no matter. try again. fail again. fail better. -- Samuel Beckett
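To make the decision in the master log concrete, here is an added Python model of Mesos-style ACL evaluation, replayed against the acl.json posted above and the "Authorizing framework principal" line from the master log. This is example code written for this page, not Mesos or Marathon code and not from either poster. The matching rules it encodes (ACLs are tried in order and the first match decides; "ANY" matches and allows every value; "NONE" matches every value but allows none, so it acts as an explicit deny; a "values" list matches only the listed values; "permissive" applies only when no ACL matched, wherever it sits in the JSON) are my reading of the Mesos local authorizer and should be treated as an assumption of the example. The log line and ACL text are constructed copies of what appears in the post.

```python
"""
Replay of the authorization decision in the thread above, using a toy model of
Mesos-style ACL evaluation.  Added example, not Mesos or Marathon code.

Assumed matching rules (my reading of the Mesos local authorizer; an
assumption of this example, not a quote of the documentation):
  * ACLs for an action are evaluated in order; the first ACL whose subject
    entity and object entity both match the request decides the outcome.
  * "type": "ANY"  matches every value and allows it.
  * "type": "NONE" matches every value but allows none, so an ACL with a NONE
    entity is an explicit deny for whatever its other entity matches.
  * a "values" list matches and allows a value only if it is in the list.
  * when no ACL matches, the outcome is the top-level "permissive" flag
    (default true), wherever it sits in the JSON.
"""
import json
import re

# Constructed copy of the acl.json posted above, with the outer braces a real
# file needs.
ACL_JSON = """
{
  "register_frameworks": [
    {"principals": {"values": ["marathon"]}, "roles": {"values": ["apps", "dev-ops"]}},
    {"principals": {"type": "NONE"},         "roles": {"values": ["apps", "dev-ops"]}}
  ],
  "permissive": false,
  "run_tasks": [
    {"principals": {"values": ["marathon"]}, "users": {"values": ["root", "montana"]}},
    {"principals": {"values": ["marathon"]}, "users": {"type": "NONE"}}
  ]
}
"""
ACLS = json.loads(ACL_JSON)

# Constructed copy of the decisive line from the master log above.
MASTER_LOG_LINE = ("I0308 17:41:14.876610 6 master.cpp:1342] Authorizing framework "
                   "principal 'user1' to receive offers for role 'apps'")
AUTHZ_RE = re.compile(r"Authorizing framework principal '([^']+)' "
                      r"to receive offers for role '([^']+)'")


def parse_authz_line(line):
    """Extract (principal, role) from the master's 'Authorizing ...' log line."""
    m = AUTHZ_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def _matches(value, entity):
    """Does this ACL entity apply to the requested value at all?"""
    kind = entity.get("type", "SOME")
    if kind in ("ANY", "NONE"):
        return True
    return value in entity.get("values", [])


def _allows(value, entity):
    """Given that the entity matched, does it permit the value?"""
    kind = entity.get("type", "SOME")
    if kind == "ANY":
        return True
    if kind == "NONE":
        return False
    return value in entity.get("values", [])


def authorize(acls, action, subject_key, subject, object_key, obj):
    """First-match ACL evaluation with a 'permissive' fallback."""
    for acl in acls.get(action, []):
        s_ent, o_ent = acl[subject_key], acl[object_key]
        if _matches(subject, s_ent) and _matches(obj, o_ent):
            return _allows(subject, s_ent) and _allows(obj, o_ent)
    return acls.get("permissive", True)


def can_register(acls, principal, role):
    return authorize(acls, "register_frameworks", "principals", principal, "roles", role)


def can_run_task_as(acls, principal, user):
    return authorize(acls, "run_tasks", "principals", principal, "users", user)


def replay():
    """Evaluate the request the master actually saw, plus the case Vinod suggested."""
    principal, role = parse_authz_line(MASTER_LOG_LINE)
    return {
        "logged request": (principal, role, can_register(ACLS, principal, role)),
        "marathon/apps": ("marathon", "apps", can_register(ACLS, "marathon", "apps")),
    }


if __name__ == "__main__":
    for label, (p, r, ok) in replay().items():
        print(f"{label}: principal={p!r} role={r!r} -> {'ALLOW' if ok else 'DENY'}")
```

The point the replay makes is that register_frameworks ACLs are keyed on the authenticated principal, which the master log reports as 'user1', not on the framework name 'marathon'. The first ACL therefore never matches, and what is left (the NONE ACL under these rules, or the permissive=false fallback) denies the registration, while principal 'marathon' with role 'apps' is allowed. Flipping "permissive" to true only changes requests that no ACL matches, which is why a NONE ACL still denies under either setting.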

