Accessing system and component logs

ENTERPRISE

BETA

Managing user access to system and component logs

You can restrict user access to system and component logs.

Here is the permission that is required to view the system and component logs:

Permission string                                                       full  C  R  U  D
dcos:adminrouter:ops:system-logs (Controls access to System logs API.)  x

Prerequisites:

  • DC/OS and DC/OS CLI are installed and you are logged in as a superuser.

Via the DC/OS web interface

Create the users and grant permissions

  1. Select Organization and choose Users. Select an existing user or create a new one.

    Figure 1. New user screen

  2. From the Permissions tab, select ADD PERMISSION.

    Figure 2. Add Permission button

  3. Click INSERT PERMISSION STRING to toggle the dialog, paste in the following permission, and click ADD PERMISSIONS.

    dcos:adminrouter:ops:system-logs full
    

    Figure 3. Permission string dialog

    The Permissions tab should now look like this:

    Figure 4. Permissions have been added

Log in to the CLI as user

  1. Log in to the DC/OS CLI as the user.

    dcos auth login
    
  2. Run this command to access the system and component logs.

    dcos node log --leader --component=dcos-mesos-master
    

    You should see the logs from the Mesos master.

    If you do not have the correct permissions, you will see this output:

    You are not authorized to perform this operation
    

Via the IAM API

Prerequisite: If your security mode is permissive or strict, you must get the root cert before issuing the curl commands in this section.

Tips

  • Service resources often include / characters that must be replaced with %252F in curl requests, as shown in the examples below.
  • When using the API to manage permissions, you must create the permission before granting it. If the permission already exists, the API will return an informative message and you can continue to assign the permission.

Create and grant the permissions

  1. Grant the permission to the user (<username>).

    dcos security org users grant <username> dcos:adminrouter:ops:system-logs full --description "Grants access to system and component logs."
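
The step above uses the dcos security CLI. The following added example (not part of the original documentation) shows the create-then-grant sequence from the Tips as raw curl requests, including the %252F replacement for resource IDs that contain /. The environment variables, helper function names, endpoint paths under /acs/api/v1/acls and the handling of HTTP 409 are assumptions.

```shell
# Added example (not from the DC/OS docs). Assumed to be set by the caller:
#   DCOS_URL, DCOS_TOKEN, DCOS_CA_CERT (path to the cluster root cert).
# Assumed endpoint layout: /acs/api/v1/acls/<rid>[/users/<uid>/<action>].

# Replace every "/" in a resource ID with %252F, as the Tips require.
iam_encode_rid() {
  printf '%s' "$1" | sed 's|/|%252F|g'
}

# Build the ACL URL for a resource, optionally scoped to a user and action.
iam_acl_url() {  # usage: iam_acl_url <rid> [<uid> <action>]
  _url="${DCOS_URL%/}/acs/api/v1/acls/$(iam_encode_rid "$1")"
  if [ -n "${2:-}" ]; then _url="$_url/users/$2/$3"; fi
  printf '%s' "$_url"
}

# PUT with the auth token, verifying TLS against the root cert.
# Prints only the HTTP status code.
iam_put() {  # usage: iam_put <url> [<json-body>]
  _target=$1; _body=${2:-}
  set -- -sS -o /dev/null -w '%{http_code}' -X PUT \
    --cacert "$DCOS_CA_CERT" -H "Authorization: token=$DCOS_TOKEN"
  if [ -n "$_body" ]; then
    set -- "$@" -H 'Content-Type: application/json' -d "$_body"
  fi
  curl "$@" "$_target"
}

# Create the permission, then grant it. HTTP 409 ("already exists", assumed
# status code) is treated as success so the sequence can be re-run safely.
# <description> must not contain double quotes or backslashes.
iam_create_and_grant() {  # usage: <rid> <uid> <action> <description>
  _code=$(iam_put "$(iam_acl_url "$1")" "{\"description\": \"$4\"}") || return 1
  case "$_code" in
    2??|409) ;;
    *) echo "create failed: HTTP $_code" >&2; return 1 ;;
  esac
  _code=$(iam_put "$(iam_acl_url "$1" "$2" "$3")") || return 1
  case "$_code" in
    2??|409) ;;
    *) echo "grant failed: HTTP $_code" >&2; return 1 ;;
  esac
}

# Usage: iam_create_and_grant dcos:adminrouter:ops:system-logs <username> full \
#          "Grants access to system and component logs."
```

Keeping --cacert on every request means the token is only ever sent to a server that presents a certificate chained to the cluster root cert.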
    

Log in to the CLI as user

  1. Log in to the DC/OS CLI as the user.

    dcos auth login
    
  2. Run this command to access the system and component logs.

    dcos node log --leader --component=dcos-mesos-master
    

    You should see the logs from the Mesos master.

    If you do not have the correct permissions, you will see this output:

    You are not authorized to perform this operation