Granting Access to the Marathon UI

ENTERPRISE

You can grant users access to the Marathon UI. By default, new users have no permissions.

Granting Access using the web interface

Prerequisite:

  • A DC/OS user account without the dcos:superuser permission.

  1. Log into the DC/OS web interface as a user with the dcos:superuser permission.

    Figure 1. DC/OS web interface login

  2. Select Organization and choose Users or Groups.

  3. Select the name of the user or group to grant the permission to.

    Figure 2. Select user or group to grant permissions to

  4. From the Permissions tab, click ADD PERMISSION.

  5. Click INSERT PERMISSION STRING to toggle the dialog.

    Figure 3. Insert Permission String

  6. Copy and paste the permission in the Permissions Strings field. Choose the permission strings based on your security mode and click ADD PERMISSIONS and then Close.

Disabled

All Marathon permissions

```bash
dcos:adminrouter:service:marathon full
```

Permissive

Marathon dashboard

```bash
dcos:adminrouter:service:marathon full
```

Launch tasks

```bash
dcos:service:marathon:marathon:services:/ full
```

Task details and logs

To view task details and logs, you must grant access to the [Mesos UI](/1.11/security/ent/gui-permissions/mesos-ui/).   

Strict

Marathon dashboard

```bash
dcos:adminrouter:service:marathon full
```

Launch tasks

```bash
dcos:service:marathon:marathon:services:/ full
```

Task details and logs

To view Marathon task details and logs, you must grant access to the [Mesos UI](/1.11/security/ent/gui-permissions/mesos-ui/).

You can send the URL of the native Marathon UI for DC/OS to the user: http://<master-public-ip>/marathon/.

Granting Access using the API

Prerequisites:

Note:

  • Service resources often include / characters that must be replaced with %252F in curl requests, as shown in the examples below.
  • When using the API to manage permissions, you must create the permission before granting it. If the permission already exists, the API will return an informative message and you can continue to assign the permission.

Disabled

Marathon dashboard and launch tasks

  1. Create the permission.

```bash
curl -X PUT \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
-H 'Content-Type: application/json' \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:service:marathon \
-d '{"description":"Grants access to the Marathon UI"}'
```

  2. Grant the following privileges to the user uid.

```bash
curl -X PUT \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:service:marathon/users/<uid>/full
```

Note: To grant this permission to a group instead of a user, replace /users/<uid> with /groups/<gid>.

Permissive

Marathon dashboard

  1. Create the permission.

```bash
curl -X PUT --cacert dcos-ca.crt \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
-H 'Content-Type: application/json' \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:service:marathon \
-d '{"description":"Grants access to the Marathon UI"}'
```

  2. Grant the following privileges to the user uid.

```bash
curl -X PUT --cacert dcos-ca.crt \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:service:marathon/users/<uid>/full
```

Note: To grant this permission to a group instead of a user, replace /users/<uid> with /groups/<gid>.

Launch tasks

  1. Create the permission.

```bash
curl -X PUT --cacert dcos-ca.crt \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
-H 'Content-Type: application/json' \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:marathon:marathon:services:%252F \
-d '{"description":"Grants access to launch Marathon task from UI"}'
```

  2. Grant the following privileges to the user uid.

```bash
curl -X PUT --cacert dcos-ca.crt \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:marathon:marathon:services:%252F/users/<uid>/full
```

Note: To grant this permission to a group instead of a user, replace /users/<uid> with /groups/<gid>.

Task details and logs

To view task details and logs, you must grant access to the Mesos UI.

Strict

Marathon dashboard

  1. Create the permission.

```bash
curl -X PUT --cacert dcos-ca.crt \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
-H 'Content-Type: application/json' \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:service:marathon \
-d '{"description":"Grants access to the Marathon UI"}'
```

  2. Grant the following privileges to the user uid.

```bash
curl -X PUT --cacert dcos-ca.crt \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:adminrouter:service:marathon/users/<uid>/full
```

Note: To grant this permission to a group instead of a user, replace /users/<uid> with /groups/<gid>.

Launch tasks

  1. Create the permission.

```bash
curl -X PUT --cacert dcos-ca.crt \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
-H 'Content-Type: application/json' \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:marathon:marathon:services:%252F \
-d '{"description":"Grants access to launch Marathon task from UI"}'
```

  2. Grant the following privileges to the user uid.

```bash
curl -X PUT --cacert dcos-ca.crt \
-H "Authorization: token=$(dcos config show core.dcos_acs_token)" \
$(dcos config show core.dcos_url)/acs/api/v1/acls/dcos:service:marathon:marathon:services:%252F/users/<uid>/full
```

Tip: To grant this permission to a group instead of a user, replace /users/<uid> with /groups/<gid>.

Task details and logs

To view task details and logs, you must grant access to the Mesos UI.

You can now send the URL of the native Marathon UI for DC/OS to the user: http://<master-public-ip>/marathon/.
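
The URL construction used in the API steps above, as an added example that is not part of the original DC/OS documentation: a dry-run helper that applies the %252F encoding, builds the create and grant URLs for a user or a group, and lists the resource IDs this page gives for each security mode. The function names and the host in the usage comment are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not DC/OS project code); all function names are hypothetical.

# Replace every "/" in a resource ID with %252F, as the note above requires.
encode_rid() {
  printf '%s' "$1" | sed 's|/|%252F|g'
}

# acl_url BASE RID: URL that creates the permission (step 1).
acl_url() {
  printf '%s/acs/api/v1/acls/%s' "${1%/}" "$(encode_rid "$2")"
}

# grant_url BASE RID KIND ID ACTION: URL that grants it (step 2).
# KIND must be "users" or "groups"; anything else is rejected.
grant_url() {
  case "$3" in
    users|groups) ;;
    *) echo "kind must be users or groups, got: $3" >&2; return 1 ;;
  esac
  printf '%s/%s/%s/%s' "$(acl_url "$1" "$2")" "$3" "$4" "$5"
}

# marathon_ui_rids MODE: resource IDs this page lists for a security mode.
marathon_ui_rids() {
  case "$1" in
    disabled) echo 'dcos:adminrouter:service:marathon' ;;
    permissive|strict)
      echo 'dcos:adminrouter:service:marathon'
      echo 'dcos:service:marathon:marathon:services:/' ;;
    *) echo "unknown security mode: $1" >&2; return 1 ;;
  esac
}

# plan_grants MODE BASE KIND ID: print the PUT requests without sending them,
# so the exact URLs can be reviewed before a superuser token is used.
plan_grants() {
  local rids rid
  rids=$(marathon_ui_rids "$1") || return 1
  grant_url "$2" x "$3" "$4" full >/dev/null || return 1
  printf '%s\n' "$rids" | while IFS= read -r rid; do
    echo "PUT $(acl_url "$2" "$rid")"
    echo "PUT $(grant_url "$2" "$rid" "$3" "$4" full)"
  done
}

# Constructed usage: plan_grants strict https://master.example groups ops
```

Each printed pair corresponds to the create and grant steps on this page; reviewing the plan first makes it easy to confirm that only the Marathon UI resources for the chosen mode are being granted.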