Hi,

I am trying to set up Mesos framework authentication.
I created the necessary config files and now Mesos starts up with the
--authenticate="true" flag:

I1006 20:11:52.940199  7866 master.cpp:380] Flags at startup:
--allocation_interval="1secs" --allocator="HierarchicalDRF"
--authenticate="true" --authenticate_slaves="true"
--authenticators="crammd5" --authorizers="local" --cluster="cluster1"
--credentials="/etc/mesos-master-credentials" --framework_sorter="drf"
--help="false" --initialize_driver_logging="true"
--log_auto_initialize="true" --log_dir="/var/log/mesos" --logbufsecs="0"
--logging_level="INFO" --max_slave_ping_timeouts="5" --port="5050"
--quiet="false" --quorum="1" --recovery_slave_removal_limit="100%"
--registry="replicated_log" --registry_fetch_timeout="1mins"
--registry_store_timeout="5secs" --registry_strict="false"
--root_submissions="true" --slave_ping_timeout="15secs"
--slave_reregister_timeout="10mins" --user_sorter="drf" --version="false"
--webui_dir="/usr/share/mesos/webui" --work_dir="/var/lib/mesos"
--zk="zk://localhost:2181/mesos" --zk_session_timeout="10secs"

The file /etc/mesos-master-credentials contains 2 lines, one for slaves
(slave-authentication already works fine), and one line contains the user
and password of marathon:

root@mm2:/var/log/mesos# cat /etc/mesos-master-credentials
marathon-user marathon-passw0rd
slave-user slave-passw0rd

Then I start up Marathon and see it has the flags
--mesos_authentication_secret_file and --mesos_authentication_principal:

root@mm2:/var/log/mesos# service marathon start
Starting marathon: run_jar --mesos_authentication_secret_file
/etc/marathon/mesos_authentication_secret --http_credentials admini:adm1n1
--mesos_authentication_principal marathon-user --ssl_keystore_password
notsecret --ssl_keystore_path /etc/marathon/marathon-keystore.jks
--mesos_user taskuser --zk zk://localhost:2181/marathon --master
zk://localhost:2181/mesos

The mesos_authentication_secret_file contains the proper password (no
trailing LF or CR):

root@mm2:/var/log/mesos# cat /etc/marathon/mesos_authentication_secret
marathon-passw0rd

But authentication fails:

The Mesos log shows:

I1006 20:14:55.146001  7886 master.cpp:4694] Authenticating
[email protected]:39104
I1006 20:14:55.146437  7886 authenticator.cpp:92] Creating new server SASL
connection
I1006 20:14:55.148047  7884 authenticator.cpp:197] Received SASL
authentication start
I1006 20:14:55.148223  7884 authenticator.cpp:319] Authentication requires
more steps
I1006 20:14:55.149839  7883 authenticator.cpp:225] Received SASL
authentication step
W1006 20:14:55.150003  7883 authenticator.cpp:325] Authentication failure:
authentication failure
W1006 20:14:55.150168  7883 master.cpp:4721] Failed to authenticate
[email protected]:39104: Refused
authentication


The Marathon log shows:

Oct  6 18:14:55 mm2 marathon[8071]: I1006 18:14:55.137357  8146
sched.cpp:318] Authenticating with master [email protected]:5050
Oct  6 18:14:55 mm2 marathon[8071]: I1006 18:14:55.137375  8146
sched.cpp:325] Using default CRAM-MD5 authenticatee
Oct  6 18:14:55 mm2 marathon[8071]: I1006 18:14:55.137688  8146
authenticatee.cpp:91] Initializing client SASL
Oct  6 18:14:55 mm2 marathon[8071]: I1006 18:14:55.145184  8146
authenticatee.cpp:115] Creating new client SASL connection
Oct  6 18:14:55 mm2 marathon[8071]: I1006 18:14:55.147569  8143
authenticatee.cpp:206] Received SASL authentication mechanisms: CRAM-MD5
Oct  6 18:14:55 mm2 marathon[8071]: I1006 18:14:55.147620  8143
authenticatee.cpp:232] Attempting to authenticate with mechanism 'CRAM-MD5'
Oct  6 18:14:55 mm2 marathon[8071]: I1006 18:14:55.148651  8143
authenticatee.cpp:252] Received SASL authentication step
Oct  6 18:14:55 mm2 marathon[8071]: E1006 18:14:55.150774  8143
sched.cpp:401] Master [email protected]:5050 refused authentication
Oct  6 18:14:55 mm2 marathon[8071]: I1006 18:14:55.150810  8143
sched.cpp:1016] Got error 'Master refused authentication'
Oct  6 18:14:55 mm2 marathon[8071]: I1006 18:14:55.150822  8143
sched.cpp:1782] Asked to abort the driver
Oct  6 18:14:55 mm2 marathon[8071]: [INFO] [10/06/2015 18:14:55.153]
[marathon-akka.actor.default-dispatcher-2]
[akka://marathon/user/MarathonScheduler/$a] Scheduler actor ready
Oct  6 18:14:55 mm2 marathon[8071]: [2015-10-06 18:14:55,155] WARN Error:
Master refused authentication
(mesosphere.marathon.MarathonScheduler$$EnhancerByGuice$$456204a5:113)
Oct  6 18:14:55 mm2 marathon[8071]: [2015-10-06 18:14:55,156] FATAL
Committing suicide!
(mesosphere.marathon.MarathonScheduler$$EnhancerByGuice$$456204a5:134)
Oct  6 18:14:55 mm2 marathon[8071]: I1006 18:14:55.299145  8143
sched.cpp:1062] Aborting framework ''

My environment:
* Ubuntu 14.04.03 LTS
* Oracle Java 1.8.0_60-b27
* Mesos 0.24.1
* Marathon 0.11.0

Am I missing something here?
What can be the reason for this failure?
How can I further debug this issue?

Kind regards,
Harry
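
An added example, not part of the original post and not Mesos or Marathon code: CRAM-MD5 (RFC 2195) keys HMAC-MD5 with the exact secret bytes, so this check compares the framework's secret file byte for byte with the master's entry for the same principal. The function names and the challenge string are hypothetical, the sample data is constructed to mirror the files in the post, and it assumes each side uses its file contents as-is.

```python
import hashlib
import hmac


def parse_credentials(text):
    """Parse the plain-text 'principal secret' lines shown in the post."""
    creds = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            creds[parts[0]] = parts[1].encode()
    return creds


def cram_md5_response(principal, secret, challenge):
    """RFC 2195 client response: principal, space, hex HMAC-MD5(secret, challenge)."""
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return f"{principal} {digest}"


def diagnose(master_creds_text, principal, secret_file_bytes):
    """Return findings explaining why master and framework would disagree."""
    expected = parse_credentials(master_creds_text).get(principal)
    if expected is None:
        return [f"principal {principal!r} not in master credentials"]
    findings = []
    stripped = secret_file_bytes.rstrip()
    if stripped != secret_file_bytes:
        extra = secret_file_bytes[len(stripped):]
        findings.append(f"secret file has trailing whitespace: {extra!r}")
    if secret_file_bytes != expected:
        findings.append("secret bytes differ from the master's entry")
    # Same challenge on both sides: any byte difference changes the digest.
    challenge = b"<constructed-challenge@example>"  # constructed, not from a real exchange
    if (cram_md5_response(principal, secret_file_bytes, challenge)
            != cram_md5_response(principal, expected, challenge)):
        findings.append("CRAM-MD5 responses differ: master would refuse")
    return findings


# Constructed sample data mirroring /etc/mesos-master-credentials in the post.
MASTER_CREDS = "marathon-user marathon-passw0rd\nslave-user slave-passw0rd\n"

if __name__ == "__main__":
    for label, secret in [("clean", b"marathon-passw0rd"),
                          ("trailing LF", b"marathon-passw0rd\n")]:
        print(label, diagnose(MASTER_CREDS, "marathon-user", secret) or "OK")
```

To run it against real files, read the secret file in binary mode (`open(path, "rb").read()`) so that a trailing LF or CR is preserved for the comparison.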
