Hi Greg,
Sorry for the delay, I was caught up in some work and could not get back to
this till today.
I tried adding the flag --authenticate_http_readwrite=true to my mesos
masters.
However, I'm not able to view the Mesos web UI.
It gives me the following error: HTTP/1.0 503 Service Unavailable
I have a mesos cluster with 3 masters set up with haproxy configuration to
detect my current leader and display the UI. I basically set my acls file
to open it to all users. For get_endpoints I set it to ANY.
Here are my logs. Can you please suggest where I'm going wrong?
0923 17:40:50.504192 33009 logging.cpp:194] INFO level logging started!
I0923 17:40:50.504508 33009 main.cpp:370] Using 'HierarchicalDRF' allocator
I0923 17:40:50.602124 33009 leveldb.cpp:174] Opened db in 97.545305ms
I0923 17:40:50.665935 33009 leveldb.cpp:181] Compacted db in 63.785773ms
I0923 17:40:50.665963 33009 leveldb.cpp:196] Created db iterator in 5903ns
I0923 17:40:50.665987 33009 leveldb.cpp:202] Seeked to beginning of db in
4629ns
I0923 17:40:50.666026 33009 leveldb.cpp:271] Iterated through 3 keys in the
db in 33849ns
I0923 17:40:50.666052 33009 replica.cpp:779] Replica recovered with log
positions 2937 -> 2938 with 0 holes and 0 unlearned
I0923 17:40:50.666558 33081 log.cpp:107] Attempting to join replica to
ZooKeeper group
I0923 17:40:50.666743 33059 recover.cpp:451] Starting replica recovery
I0923 17:40:50.667067 33059 recover.cpp:477] Replica is in VOTING status
I0923 17:40:50.667122 33059 recover.cpp:466] Recover process terminated
I0923 17:40:50.667510 33009 main.cpp:484] Creating default 'local'
authorizer
I0923 17:40:50.667920 33009 main.cpp:543] Starting Mesos master
I0923 17:40:50.669163 33054 master.cpp:375] Master
651053e5-b2c3-4fa4-b901-0224ec50c788 (mesos1) started on x.y.z.a:5050
I0923 17:40:50.669181 33054 master.cpp:377] Flags at startup:
--acls="permissive: false
get_endpoints {
principals {
type: ANY
}
paths {
type: ANY
}
}
view_frameworks {
principals {
type: ANY
}
users {
type: ANY
}
}
view_tasks {
principals {
type: ANY
}
users {
type: ANY
}
}
view_executors {
principals {
type: ANY
}
users {
type: ANY
}
}
access_sandboxes {
principals {
type: ANY
}
users {
type: ANY
}
}
access_mesos_logs {
principals {
type: ANY
}
logs {
type: ANY
}
}
--agent_ping_timeout="15secs" --agent_reregister_timeout="10mins"
--allocation_interval="1secs" --allocator="HierarchicalDRF"
--authenticate_agents="false" --authenticate_frame
works="true" --authenticate_http_frameworks="false"
--authenticate_http_readonly="true" --authenticate_http_readwrite="false"
--authenticators="crammd5" --authorizers="local" --cluster="socrates"
--credentials="/etc/marathon-auth/credentials" --framework_sorter="drf"
--help="false" --hostname_lookup="true" --http_authenticators="basic"
--initialize_driver_logging="true" --log_auto_initialize="true"
--log_dir="/var/log/mesos" --logbufsecs="0" --logging_level="INFO"
--max_agent_ping_timeouts="5" --max_completed_frameworks="50"
--max_completed_tasks_per_framework="1000" --port="5050" --quiet="false"
--quorum="2" --recovery_agent_removal_limit="100%"
--registry="replicated_log" --registry_fetch_timeout="1mins"
--registry_store_timeout="20secs" --registry_strict="false"
--root_submissions="true" --user_sorter="drf" --version="false"
--webui_dir="/usr/share/mesos/webui" --work_dir="/var/lib/mesos"
--zk="zk://*zkpath*/mesos" --zk_session_timeout="10secs"
I0923 17:40:50.669401 33054 master.cpp:427] Master only allowing
authenticated frameworks to register
I0923 17:40:50.669409 33054 master.cpp:443] Master allowing unauthenticated
agents to register
I0923 17:40:50.669414 33054 master.cpp:457] Master allowing HTTP frameworks
to register without authentication
I0923 17:40:50.669420 33054 credentials.hpp:37] Loading credentials for
authentication from '/etc/marathon-auth/credentials'
I0923 17:40:50.669473 33054 master.cpp:499] Using default 'crammd5'
authenticator
I0923 17:40:50.669508 33054 authenticator.cpp:519] Initializing server SASL
I0923 17:40:50.669993 33054 http.cpp:883] Using default 'basic' HTTP
authenticator for realm 'mesos-master-readonly'
I0923 17:40:50.670049 33054 master.cpp:579] Authorization enabled
I0923 17:40:50.673053 33053 master.cpp:1785] Successfully attached file
'/var/log/mesos/mesos-master.INFO'
I0923 17:40:50.673130 33068 contender.cpp:152] Joining the ZK group
On Wed, Sep 7, 2016 at 8:59 PM, Greg Mann <[email protected]> wrote:
> Haripriya,
> In order for users to be authorized correctly for those actions, HTTP
> authentication should be enabled on both the master and agent using the
> '--authenticate_http_readonly' and '--authenticate_http_readwrite' flags.
> Authentication is the only way for users of the Mesos web UI to identify
> themselves, and it simply relies on the built-in browser authentication
> facilities.
>
> I would recommend giving those flags a try. Also, note that when you set
> those flags, you'll need to specify credentials using '--credentials' on
> the master and '--http_credentials' on the agent. You can find more
> information in the authentication docs: http://mesos.apache.org/
> documentation/latest/authentication/
>
> Cheers,
> Greg
>
>
> On Wed, Sep 7, 2016 at 5:06 PM, Haripriya Ayyalasomayajula <
> [email protected]> wrote:
>
>> Hi Greg,
>>
>> Yes, this configuration works for me now. However, my next question is
>> related to multi-tenancy.
>>
>> If I turn off the settings for view_tasks from ANY and restrict to a
>> specific user, from the UI, how can I as user A see only my tasks?
>> I'm using the local authorizer - default that comes with open source
>> mesos 1.0.
>> To configure view_tasks, view_executors, access_sandboxes, do we need
>> additional authentication added to the existing mesos UI?
>>
>> From the UI how does it recognize User A to be User A? Are there any
>> assumptions that I'm missing? What is the required infrastructure for
>> multi-tenancy here?
>>
>> On Wed, Sep 7, 2016 at 1:48 PM, Greg Mann <[email protected]> wrote:
>>
>>> Hi Haripriya,
>>> I just ran a quick test using your ACLs (I added a permissive ACL for
>>> "run_tasks" as well), and I was able to view everything in the web UI. I
>>> did this test with the current HEAD of Mesos master, however, so it's
>>> possible that something has changed since 1.0.
>>>
>>> One thing that can be very helpful is to look in the developer tools tab
>>> of your browser to see what return codes and error messages are being
>>> produced by the failed HTTP requests to the web UI. If you can provide some
>>> of that information here, perhaps it will help us troubleshoot your
>>> situation.
>>>
>>> Also, what is your authentication configuration? Are you setting any of
>>> the authentication-related flags?
>>>
>>> Cheers,
>>> Greg
>>>
>>>
>>> On Wed, Sep 7, 2016 at 11:35 AM, Haripriya Ayyalasomayajula <
>>> [email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> Sorry, I should have been clear. I was referring to examples related to
>>>> how to use them. There are examples for view_tasks but not for others.
>>>>
>>>> On Wed, Aug 31, 2016 at 7:44 PM, haosdent <[email protected]> wrote:
>>>>
>>>>> Hi, @haripriya I saw we already have "view_executors" in the document (
>>>>> https://github.com/apache/mesos/blob/master/docs/authorization.md#authorizable-actions) ?
>>>>>
>>>>> On Thu, Sep 1, 2016 at 4:41 AM, Haripriya Ayyalasomayajula <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> Well, I had to turn on auth for run_tasks; I had a different set of
>>>>>> configuration there.
>>>>>> I had some syntax issues with the above-mentioned configurations in my
>>>>>> original file, fixed them, and it works fine.
>>>>>> Is there a way the flags view_executors etc can be added to the
>>>>>> existing documentation?
>>>>>>
>>>>>> On Wed, Aug 31, 2016 at 1:26 AM, haosdent <[email protected]> wrote:
>>>>>>
>>>>>>> Because your types are ANY, have you considered disabling auth by not
>>>>>>> specifying the `--acl` flag when you launch the Mesos master?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Aug 31, 2016 at 3:00 AM, Haripriya Ayyalasomayajula <
>>>>>>> [email protected]> wrote:
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> I've upgraded my mesos cluster to 1.0.
>>>>>>>> I have spark and Marathon registered as frameworks and have no
>>>>>>>> problem running jobs.
>>>>>>>> I am unable to see any frameworks nor any tasks on the web UI.
>>>>>>>>
>>>>>>>> I found out that the following fields have been added to acls.
>>>>>>>> view_frameworks, view_tasks, view_executors, access_sandboxes,
>>>>>>>> access_mesos_logs
>>>>>>>> and there are no examples related to these in:
>>>>>>>> http://mesos.apache.org/documentation/latest/authorization/
>>>>>>>> Can someone help me understand where I'm going wrong?
>>>>>>>>
>>>>>>>> Looking at the JIRA https://issues.apache.org/jira/browse/MESOS-5746
>>>>>>>> I tried to come up with this json configuration, but that doesn't
>>>>>>>> seem to work either.
>>>>>>>> Here is my mesos_acls.json file:
>>>>>>>>
>>>>>>>> {
>>>>>>>>   "get_endpoints": [
>>>>>>>>     {
>>>>>>>>       "principals": { "type": "ANY" },
>>>>>>>>       "paths": { "type": "ANY" }
>>>>>>>>     }
>>>>>>>>   ],
>>>>>>>>   "view_frameworks": [
>>>>>>>>     {
>>>>>>>>       "principals": { "type": "ANY" },
>>>>>>>>       "users": { "type": "ANY" }
>>>>>>>>     }
>>>>>>>>   ],
>>>>>>>>   "view_tasks": [
>>>>>>>>     {
>>>>>>>>       "principals": { "type": "ANY" },
>>>>>>>>       "users": { "type": "ANY" }
>>>>>>>>     }
>>>>>>>>   ],
>>>>>>>>   "view_executors": [
>>>>>>>>     {
>>>>>>>>       "principals": { "type": "ANY" },
>>>>>>>>       "users": { "type": "ANY" }
>>>>>>>>     }
>>>>>>>>   ],
>>>>>>>>   "access_sandboxes": [
>>>>>>>>     {
>>>>>>>>       "principals": { "type": "ANY" },
>>>>>>>>       "users": { "type": "ANY" }
>>>>>>>>     }
>>>>>>>>   ],
>>>>>>>>   "access_mesos_logs": [
>>>>>>>>     {
>>>>>>>>       "principals": { "type": "ANY" },
>>>>>>>>       "logs": { "type": "ANY" }
>>>>>>>>     }
>>>>>>>>   ]
>>>>>>>> }
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Regards,
>>>>>>>> Haripriya Ayyalasomayajula
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Best Regards,
>>>>>>> Haosdent Huang
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>> Haripriya Ayyalasomayajula
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Best Regards,
>>>>> Haosdent Huang
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Regards,
>>>> Haripriya Ayyalasomayajula
>>>>
>>>>
>>>
>>
>>
>> --
>> Regards,
>> Haripriya Ayyalasomayajula
>>
>>
>
--
Regards,
Haripriya Ayyalasomayajula
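The thread keeps returning to how the view_* and access_* ACLs decide who sees what once `view_tasks` is narrowed from ANY to specific users. The script below is an added example, not code from the thread or from Mesos itself: it loads an ACL file in the same JSON shape as the mesos_acls.json posted above and evaluates requests against it. The evaluation rules are this editor's reading of the local authorizer and are an assumption, not something the thread states: the ACLs for an action are walked in order, the first ACL whose principal entity and object entity both apply decides, a NONE entity applies to everything but permits nothing (an explicit deny), and a request that no ACL applies to falls back to the top-level `permissive` flag. The sample ACL text, the principals (alice, bob, ops) and the paths are constructed for the example.

```python
"""Evaluate Mesos-style ACLs for the view_* / access_* actions discussed in the thread.

Added example, not Mesos code. The matching rules below model the local
authorizer as this editor understands it (assumption): ACLs for an action are
walked in order, the first ACL whose subject and object both *apply* decides,
a NONE entity applies to everything but allows nothing (explicit deny), and
an unmatched request falls back to the file's top-level "permissive" flag.
"""
import json

# Constructed sample in the same JSON shape as the thread's mesos_acls.json.
# Principals/users/paths are invented for the example.
SAMPLE_ACLS_JSON = """
{
  "permissive": false,
  "get_endpoints": [
    { "principals": { "type": "ANY" }, "paths": { "values": ["/state", "/metrics/snapshot"] } }
  ],
  "view_tasks": [
    { "principals": { "type": "ANY" }, "users": { "values": ["alice"] } },
    { "principals": { "values": ["ops"] }, "users": { "type": "ANY" } }
  ],
  "access_mesos_logs": [
    { "principals": { "type": "ANY" }, "logs": { "type": "NONE" } }
  ]
}
"""

# Object field each action is keyed on, taken from the ACL shapes in the thread.
OBJECT_KEY = {
    "get_endpoints": "paths",
    "view_frameworks": "users",
    "view_tasks": "users",
    "view_executors": "users",
    "access_sandboxes": "users",
    "access_mesos_logs": "logs",
}


def _entity_type(entity):
    # An entity given only as {"values": [...]} is treated as SOME.
    return entity.get("type", "SOME").upper()


def entity_applies(entity, value):
    """Does this entity apply to `value`? ANY and NONE apply to everything (assumption)."""
    kind = _entity_type(entity)
    if kind in ("ANY", "NONE"):
        return True
    return value in entity.get("values", [])


def entity_allows(entity, value):
    """Given that the entity applies, is `value` permitted? NONE never permits."""
    kind = _entity_type(entity)
    if kind == "ANY":
        return True
    if kind == "NONE":
        return False
    return value in entity.get("values", [])


def authorize(acls, action, principal, obj):
    """Return True if `principal` may perform `action` on `obj` under `acls`."""
    if action not in OBJECT_KEY:
        raise ValueError(f"unknown action: {action}")
    object_key = OBJECT_KEY[action]
    for acl in acls.get(action, []):
        subject, target = acl["principals"], acl[object_key]
        if entity_applies(subject, principal) and entity_applies(target, obj):
            # First ACL that applies to both sides decides; later ACLs are ignored.
            return entity_allows(subject, principal) and entity_allows(target, obj)
    # No ACL applied: fall back to "permissive" (defaults to true when absent).
    return bool(acls.get("permissive", True))


def load_acls(text):
    """Parse an ACL file and reject entries missing the field their action expects."""
    acls = json.loads(text)
    for action, key in OBJECT_KEY.items():
        for index, acl in enumerate(acls.get(action, [])):
            for field in ("principals", key):
                if field not in acl:
                    raise ValueError(f"{action}[{index}] is missing '{field}'")
    return acls


def demo():
    """Evaluate a handful of constructed requests against the sample ACLs."""
    acls = load_acls(SAMPLE_ACLS_JSON)
    return {
        "alice_sees_own_tasks": authorize(acls, "view_tasks", "alice", "alice"),
        "bob_sees_own_tasks": authorize(acls, "view_tasks", "bob", "bob"),
        "ops_sees_bob_tasks": authorize(acls, "view_tasks", "ops", "bob"),
        "anyone_reads_state": authorize(acls, "get_endpoints", "bob", "/state"),
        "anyone_reads_flags": authorize(acls, "get_endpoints", "bob", "/flags"),
        "logs_denied_to_all": authorize(acls, "access_mesos_logs", "ops", "/var/log/mesos"),
        "unlisted_action_uses_permissive": authorize(acls, "view_frameworks", "alice", "alice"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Two things the sample makes visible that the ACL file alone does not: with `permissive` set to false, any action that has no ACL list at all (here `view_frameworks`) is refused for everyone, which is worth checking whenever the web UI goes blank after an ACL change; and the `users` object of `view_tasks` is the user the task runs as, so "user A sees only A's tasks" requires the principal the browser authenticates as and the task's user to be lined up in the ACL, which is exactly why the HTTP authentication flags come into play.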