Thanks Greg. Will try them out tomorrow and post how it goes here.

On Wed, Sep 7, 2016 at 8:59 PM, Greg Mann <[email protected]> wrote:

> Haripriya,
> In order for users to be authorized correctly for those actions, HTTP
> authentication should be enabled on both the master and agent using the
> '--authenticate_http_readonly' and '--authenticate_http_readwrite' flags.
> Authentication is the only way for users of the Mesos web UI to identify
> themselves, and it simply relies on the built-in browser authentication
> facilities.
>
> I would recommend giving those flags a try. Also, note that when you set
> those flags, you'll need to specify credentials using '--credentials' on
> the master and '--http_credentials' on the agent. You can find more
> information in the authentication docs:
> http://mesos.apache.org/documentation/latest/authentication/
>
> Cheers,
> Greg
>
>
> On Wed, Sep 7, 2016 at 5:06 PM, Haripriya Ayyalasomayajula <
> [email protected]> wrote:
>
>> Hi Greg,
>>
>> Yes, this configuration works for me now. However, my next question is
>> related to multi-tenancy.
>>
>> If I turn off the settings for view_tasks from ANY and restrict to a
>> specific user, from the UI, how can I as user A see only my tasks?
>> I'm using the local authorizer - default that comes with open source
>> mesos 1.0.
>> To configure view_tasks, view_executors, access_sandboxes, do we need
>> additional authentication added to the existing mesos UI?
>>
>> From the UI how does it recognize User A to be User A? Are there any
>> assumptions that I'm missing? What is the required infrastructure for multi
>> tenancy here?
>>
>> On Wed, Sep 7, 2016 at 1:48 PM, Greg Mann <[email protected]> wrote:
>>
>>> Hi Haripriya,
>>> I just ran a quick test using your ACLs (I added a permissive ACL for
>>> "run_tasks" as well), and I was able to view everything in the web UI. I
>>> did this test with the current HEAD of Mesos master, however, so it's
>>> possible that something has changed since 1.0.
>>>
>>> One thing that can be very helpful is to look in the developer tools tab
>>> of your browser to see what return codes and error messages are being
>>> produced by the failed HTTP requests to the web UI. If you can provide some
>>> of that information here, perhaps it will help us troubleshoot your
>>> situation.
>>>
>>> Also, what is your authentication configuration? Are you setting any of
>>> the authentication-related flags?
>>>
>>> Cheers,
>>> Greg
>>>
>>>
>>> On Wed, Sep 7, 2016 at 11:35 AM, Haripriya Ayyalasomayajula <
>>> [email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> Sorry, I should have been clear. I was referring to examples related to
>>>> how to use them. There are examples for view_tasks but not for others.
>>>>
>>>> On Wed, Aug 31, 2016 at 7:44 PM, haosdent <[email protected]> wrote:
>>>>
>>>>> Hi, @haripriya I saw we already have "view_executors" in the document (
>>>>> https://github.com/apache/mesos/blob/master/docs/authorization.md#authorizable-actions) ?
>>>>>
>>>>> On Thu, Sep 1, 2016 at 4:41 AM, Haripriya Ayyalasomayajula <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> Well, I had to turn on auth for run_tasks, I had different set of
>>>>>> configuration there.
>>>>>> I had some syntax issue with the above mentioned configurations in my
>>>>>> original file, fixed them and it works fine.
>>>>>> Is there a way the flags view_executors etc can be added to the
>>>>>> existing documentation?
>>>>>>
>>>>>> On Wed, Aug 31, 2016 at 1:26 AM, haosdent <[email protected]> wrote:
>>>>>>
>>>>>>> Because your types are ANY, have you considered disabling auth by not
>>>>>>> specifying the `--acl` flag when you launch Mesos master?
>>>>>>>
>>>>>>> On Wed, Aug 31, 2016 at 3:00 AM, Haripriya Ayyalasomayajula <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> I've upgraded my mesos cluster to 1.0.
>>>>>>>> I have spark and Marathon registered as frameworks and have no
>>>>>>>> problem running jobs.
>>>>>>>> I am unable to see any frameworks nor any tasks on the web UI.
>>>>>>>>
>>>>>>>> I found out that the following fields have been added to acls.
>>>>>>>> view_frameworks, view_tasks, view_executors, access_sandboxes,
>>>>>>>> access_mesos_logs
>>>>>>>> and there are no examples related to these in:
>>>>>>>> http://mesos.apache.org/documentation/latest/authorization/
>>>>>>>> Can someone help me understand where I'm going wrong?
>>>>>>>>
>>>>>>>> Looking at the JIRA https://issues.apache.org/jira/browse/MESOS-5746
>>>>>>>> I tried to come up with this json configuration, but that doesn't
>>>>>>>> seem to work either.
>>>>>>>> Here is my mesos_acls.json file:
>>>>>>>>
>>>>>>>> "get_endpoints": [ {
>>>>>>>>     "principals": { "type": "ANY" },
>>>>>>>>     "paths": { "type": "ANY" } }
>>>>>>>> ],
>>>>>>>>
>>>>>>>> "view_frameworks": [ {
>>>>>>>>     "principals": { "type": "ANY" },
>>>>>>>>     "users": { "type": "ANY" } }
>>>>>>>> ],
>>>>>>>>
>>>>>>>> "view_tasks": [ {
>>>>>>>>     "principals": { "type": "ANY" },
>>>>>>>>     "users": { "type": "ANY" } }
>>>>>>>> ],
>>>>>>>>
>>>>>>>> "view_executors": [ {
>>>>>>>>     "principals": { "type": "ANY" },
>>>>>>>>     "users": { "type": "ANY" } }
>>>>>>>> ],
>>>>>>>>
>>>>>>>> "access_sandboxes": [ {
>>>>>>>>     "principals": { "type": "ANY" },
>>>>>>>>     "users": { "type": "ANY" } }
>>>>>>>> ],
>>>>>>>>
>>>>>>>> "access_mesos_logs": [ {
>>>>>>>>     "principals": { "type": "ANY" },
>>>>>>>>     "logs": { "type": "ANY" } }
>>>>>>>> ],
>>>>>>>>
>>>>>>>> --
>>>>>>>> Regards,
>>>>>>>> Haripriya Ayyalasomayajula
>>>>>>>
>>>>>>> --
>>>>>>> Best Regards,
>>>>>>> Haosdent Huang
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>> Haripriya Ayyalasomayajula
>>>>>
>>>>> --
>>>>> Best Regards,
>>>>> Haosdent Huang
>>>>
>>>> --
>>>> Regards,
>>>> Haripriya Ayyalasomayajula
>>
>> --
>> Regards,
>> Haripriya Ayyalasomayajula

--
Regards,
Haripriya Ayyalasomayajula
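An added example, not part of the original thread and not Mesos code: a small pre-deployment lint for an ACL file covering the six actions quoted above. It reports JSON syntax errors (the failure mentioned in the thread), rules that use the wrong object key, and rules that leave an action open to every principal. The function names and the principal "userA" are assumptions for illustration; "permissive" is the ACL field that sets the default when no rule matches.

```python
import json

# Object key paired with "principals" per action, as in the quoted fragment.
OBJECT_KEY = {
    "get_endpoints": "paths", "view_frameworks": "users",
    "view_tasks": "users", "view_executors": "users",
    "access_sandboxes": "users", "access_mesos_logs": "logs",
}
ANY = {"type": "ANY"}

def entity_ok(entity):
    """Accept {"type": "ANY"|"NONE"} or {"values": ["name", ...]}."""
    if not isinstance(entity, dict):
        return False
    if entity.get("type") in ("ANY", "NONE"):
        return True
    values = entity.get("values")
    return isinstance(values, list) and all(isinstance(v, str) for v in values)

def lint_acls(text):
    """Return findings for the text of an ACL file; an empty list is clean."""
    try:
        acls = json.loads(text)
    except json.JSONDecodeError as err:
        return [f"syntax: {err.msg} at line {err.lineno} column {err.colno}"]
    if not isinstance(acls, dict):
        return ["syntax: top level must be a JSON object"]
    findings = []
    for action, obj_key in OBJECT_KEY.items():
        for i, rule in enumerate(acls.get(action, [])):
            if not isinstance(rule, dict):
                findings.append(f"{action}[{i}]: rule must be an object")
                continue
            for key in ("principals", obj_key):
                if not entity_ok(rule.get(key)):
                    findings.append(f"{action}[{i}]: bad or missing '{key}'")
            if rule.get("principals") == ANY and rule.get(obj_key) == ANY:
                findings.append(f"{action}[{i}]: open to every principal")
    return findings

# Constructed inputs: a bare fragment like the one posted, the same rule as a
# complete object, and a per-tenant rule ("userA" is a placeholder principal).
FRAGMENT = '"view_tasks": [ { "principals": { "type": "ANY" }, "users": { "type": "ANY" } } ],'
OPEN = '{ "view_tasks": [ { "principals": { "type": "ANY" }, "users": { "type": "ANY" } } ] }'
TENANT = ('{ "permissive": false, "view_tasks": [ { "principals": '
          '{ "values": ["userA"] }, "users": { "values": ["userA"] } } ] }')

for name in ("FRAGMENT", "OPEN", "TENANT"):
    print(name, lint_acls(globals()[name]))
```

A per-principal rule such as TENANT only takes effect once the web UI user is identified, which is what the HTTP authentication flags in Greg's reply provide.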

