Haripriya,
In order for users to be authorized correctly for those actions, HTTP
authentication should be enabled on both the master and agent using the
'--authenticate_http_readonly' and '--authenticate_http_readwrite' flags.
Authentication is the only way for users of the Mesos web UI to identify
themselves, and it simply relies on the built-in browser authentication
facilities.

I would recommend giving those flags a try. Also, note that when you set
those flags, you'll need to specify credentials using '--credentials' on
the master and '--http_credentials' on the agent. You can find more
information in the authentication docs:
http://mesos.apache.org/documentation/latest/authentication/

Cheers,
Greg


On Wed, Sep 7, 2016 at 5:06 PM, Haripriya Ayyalasomayajula <
[email protected]> wrote:

> Hi Greg,
>
> Yes, this configuration works for me now. However, my next question is
> related to multi-tenancy.
>
> If I turn off the settings for view_tasks from ANY and restrict to a
> specific user, from the UI, how can I as user A see only my tasks?
> I'm using the local authorizer - default that comes with open source mesos
> 1.0.
> To configure view_tasks, view_executors, access_sandboxes, do we need
> additional authentication added to the existing mesos UI?
>
> From the UI how does it recognize User A to be User A?  Are there any
> assumptions that I'm missing? What is the required infrastructure for multi
> tenancy here?
>
> On Wed, Sep 7, 2016 at 1:48 PM, Greg Mann <[email protected]> wrote:
>
>> Hi Haripriya,
>> I just ran a quick test using your ACLs (I added a permissive ACL for
>> "run_tasks" as well), and I was able to view everything in the web UI. I
>> did this test with the current HEAD of Mesos master, however, so it's
>> possible that something has changed since 1.0.
>>
>> One thing that can be very helpful is to look in the developer tools tab
>> of your browser to see what return codes and error messages are being
>> produced by the failed HTTP requests to the web UI. If you can provide some
>> of that information here, perhaps it will help us troubleshoot your
>> situation.
>>
>> Also, what is your authentication configuration? Are you setting any of
>> the authentication-related flags?
>>
>> Cheers,
>> Greg
>>
>>
>> On Wed, Sep 7, 2016 at 11:35 AM, Haripriya Ayyalasomayajula <
>> [email protected]> wrote:
>>
>>> Hi,
>>>
>>> Sorry, I should have been clear. I was referring to examples related to
>>> how to use them. There are examples for view_tasks but not for others.
>>>
>>> On Wed, Aug 31, 2016 at 7:44 PM, haosdent <[email protected]> wrote:
>>>
>>>> Hi, @haripriya I saw we already have "view_executors" in the document (
>>>> https://github.com/apache/mesos/blob/master/docs/authorization.md#authorizable-actions)?
>>>>
>>>> On Thu, Sep 1, 2016 at 4:41 AM, Haripriya Ayyalasomayajula <
>>>> [email protected]> wrote:
>>>>
>>>>> Well, I had to turn on auth for run_tasks, I had a different set of
>>>>> configuration there.
>>>>> I had some syntax issue with the above mentioned configurations in my
>>>>> original file, fixed them and it works fine.
>>>>> Is there a way the flags view_executors etc can be added to the
>>>>> existing documentation?
>>>>>
>>>>> On Wed, Aug 31, 2016 at 1:26 AM, haosdent <[email protected]> wrote:
>>>>>
>>>>>> Because your types are ANY, have you considered disabling auth by not
>>>>>> specifying the `--acl` flag when you launch the Mesos master?
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Aug 31, 2016 at 3:00 AM, Haripriya Ayyalasomayajula <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I've upgraded my mesos cluster to 1.0.
>>>>>>> I have spark and Marathon registered as frameworks and have no
>>>>>>> problem running jobs.
>>>>>>> I am unable to see any frameworks nor any tasks on the web UI.
>>>>>>>
>>>>>>> I found out that the following fields have been added to acls.
>>>>>>>  view_frameworks, view_tasks, view_executors, access_sandboxes,
>>>>>>> access_mesos_logs
>>>>>>> and there are no examples related to these in:
>>>>>>> http://mesos.apache.org/documentation/latest/authorization/
>>>>>>> Can someone help me understand where I'm going wrong?
>>>>>>>
>>>>>>> Looking at the JIRA https://issues.apache.org/jira/browse/MESOS-5746
>>>>>>> I tried to come up with this json configuration, but that doesn't
>>>>>>> seem to work either.
>>>>>>> Here is my mesos_acls.json file:
>>>>>>>
>>>>>>>   "get_endpoints": [  {
>>>>>>>           "principals": {  "type": "ANY" },
>>>>>>>           "paths": {  "type": "ANY"  }  }
>>>>>>>   ],
>>>>>>>
>>>>>>>   "view_frameworks": [  {
>>>>>>>           "principals": {  "type": "ANY" },
>>>>>>>           "users": {  "type": "ANY"  }  }
>>>>>>>   ],
>>>>>>>
>>>>>>>   "view_tasks": [  {
>>>>>>>           "principals": {  "type": "ANY" },
>>>>>>>           "users": {  "type": "ANY"  }  }
>>>>>>>   ],
>>>>>>>
>>>>>>>   "view_executors": [  {
>>>>>>>           "principals": {  "type": "ANY" },
>>>>>>>           "users": {  "type": "ANY"  }  }
>>>>>>>   ],
>>>>>>>
>>>>>>>   "access_sandboxes": [  {
>>>>>>>           "principals": {  "type": "ANY" },
>>>>>>>           "users": {  "type": "ANY"  }  }
>>>>>>>   ],
>>>>>>>
>>>>>>>   "access_mesos_logs": [  {
>>>>>>>           "principals": {  "type": "ANY" },
>>>>>>>           "logs": {  "type": "ANY"  }  }
>>>>>>>   ],
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Regards,
>>>>>>> Haripriya Ayyalasomayajula
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Best Regards,
>>>>>> Haosdent Huang
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Regards,
>>>>> Haripriya Ayyalasomayajula
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Best Regards,
>>>> Haosdent Huang
>>>>
>>>
>>>
>>>
>>> --
>>> Regards,
>>> Haripriya Ayyalasomayajula
>>>
>>>
>>
>
>
> --
> Regards,
> Haripriya Ayyalasomayajula
>
>
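
Added example (not part of the original thread, and not Mesos code): a simplified Python model of the first-match ACL evaluation described in the Mesos authorization documentation, showing how a view_tasks list restricted to specific principals filters what each authenticated user sees. The principals alice, bob and ops, the task IDs, and the assumption that the view_tasks object is the OS user a task runs as are all illustrative.

```python
import json

# Constructed multi-tenant ACLs; the principal and user names are hypothetical.
# The "principals"/"users" keys follow the ACL snippet quoted in the thread.
ACLS_TEXT = """
{
  "permissive": false,
  "view_tasks": [
    {"principals": {"values": ["alice"]}, "users": {"values": ["alice"]}},
    {"principals": {"values": ["ops"]},   "users": {"type": "ANY"}},
    {"principals": {"type": "ANY"},       "users": {"type": "NONE"}}
  ]
}
"""

def load_acls(text):
    """Parse ACL JSON, reporting where a syntax error sits."""
    try:
        return json.loads(text)
    except json.JSONDecodeError as e:
        raise ValueError(f"invalid ACL JSON at line {e.lineno}, column {e.colno}: {e.msg}")

def _matches(entity, value):
    # ANY and NONE match every request; a value list matches only its members.
    kind = entity.get("type", "SOME")
    return kind in ("ANY", "NONE") or value in entity.get("values", [])

def _allows(entity, value):
    # NONE matches but never allows, which is what makes a catch-all deny entry.
    kind = entity.get("type", "SOME")
    return kind == "ANY" or (kind == "SOME" and value in entity.get("values", []))

def authorized(acls, action, principal, obj, obj_key="users"):
    """The first matching entry decides; with no match, 'permissive' decides."""
    for entry in acls.get(action, []):
        if _matches(entry["principals"], principal) and _matches(entry[obj_key], obj):
            return _allows(entry["principals"], principal) and _allows(entry[obj_key], obj)
    return acls.get("permissive", True)

def visible_tasks(acls, principal, tasks):
    """Keep the (task_id, os_user) pairs that a view_tasks check would pass."""
    return [tid for tid, user in tasks if authorized(acls, "view_tasks", principal, user)]

if __name__ == "__main__":
    acls = load_acls(ACLS_TEXT)
    tasks = [("spark-1", "alice"), ("marathon-7", "bob")]  # constructed sample
    for who in ("alice", "bob", "ops"):
        print(who, visible_tasks(acls, who, tasks))
```

The principal passed in is the identity that HTTP authentication establishes for the web UI request, which is why the flags in the reply above are a prerequisite for per-user entries like these.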
