User service permissions

ENTERPRISE

PREVIEW

This topic details the permissions enforced by the Marathon and Metronome services, which control access to user services and jobs. These permissions are only enforced in permissive and strict security modes.

About the user service permissions

User service permissions allow you to achieve fine-grained control of services and jobs in strict and permissive security modes. They are ignored in disabled mode.

Marathon permissions reference

Marathon permissions affect a user’s ability to access services from the DC/OS web interface, the CLI, and the Marathon API.

Resource: dcos:service:marathon:marathon:services:/[service-group]
Actions: create, read, update, delete, full
Controls access to services launched by the native Marathon instance. Provide the name of the service group, prepended with a forward slash. If it is nested inside one or more service groups, also provide the parent group or groups, e.g., /group1/group2. You can omit the name of the service group to give the user access to any service group. Examples:
dcos:service:marathon:marathon:services:/ can access services inside of any service group as well as services not inside of a service group.
dcos:service:marathon:marathon:services:/parent/child can access services inside of the /parent/child group and any groups nested inside it. It cannot access services inside of the /parent service group.

See Controlling user access to services for more details on working with service groups.

Resource: dcos:service:marathon:marathon:admin:config
Actions: read
Protects the GET /v2/info Marathon endpoint. Refer to the Marathon documentation for more information about this endpoint.

Resource: dcos:service:marathon:marathon:admin:leader
Actions: read, update, full
Protects the GET/DELETE /v2/leader Marathon endpoint. Refer to the Marathon documentation for more information about this endpoint. Tip: The full action gives a user or group of users all of the possible actions.

Resource: dcos:service:marathon:marathon:admin:events
Actions: read
Users with this permission can view the Marathon events that are available from the following endpoints:
GET /v2/events (event stream)
GET/POST/DELETE /v2/eventSubscriptions

Metronome permissions reference

Metronome permissions affect a user’s ability to access jobs from the DC/OS web interface, the CLI, and the Metronome API.

Resource: dcos:service:metronome:metronome:jobs[:job_group]
Actions: create, read, update, delete, full
Protects access to jobs. Provide the path to the job. To denote a hierarchy in the path, use a period as a separator. You can omit the name of the job group to give the user access to any job group. Examples:
dcos:service:metronome:metronome:jobs can access jobs inside of any job group.
dcos:service:metronome:metronome:jobs:parent.child can access jobs inside of the parent.child job group and any groups nested inside it. It cannot access jobs inside of the parent job group.

See Controlling user access to jobs for more details on working with job groups.
Tip: The full action gives a user or group of users all of the possible actions.
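The scoping rules in the Marathon and Metronome sections above (a grant on a group covers that group and everything nested under it but not its parents, "/" separates Marathon groups, "." separates Metronome groups, and full implies every action) are easy to get wrong when reviewing who can reach what. The following is an added example, not DC/OS's own authorization code: a small model of those documented rules that lets you check a set of grants against a resource offline. The function and variable names, and the sample grants, are constructed for this example.

```python
"""Model of the DC/OS Marathon/Metronome permission scoping rules described above.

Added example, not DC/OS's own code. It mirrors only the documented semantics:
path-prefix matching, "/" as the Marathon group separator, "." as the Metronome
group separator, and "full" implying create/read/update/delete.
"""

MARATHON_SERVICES = "dcos:service:marathon:marathon:services:"
METRONOME_JOBS = "dcos:service:metronome:metronome:jobs"
ACTIONS = ("create", "read", "update", "delete")


def parse_rid(rid):
    """Return (service, group_path) for a resource id.

    'dcos:service:marathon:marathon:services:/a/b' -> ('marathon', ['a', 'b'])
    'dcos:service:metronome:metronome:jobs:a.b'    -> ('metronome', ['a', 'b'])
    An empty path means the root, i.e. "any group".
    """
    if rid.startswith(MARATHON_SERVICES):
        path = rid[len(MARATHON_SERVICES):]
        if not path.startswith("/"):
            raise ValueError("Marathon service group must be prepended with '/'")
        return "marathon", [p for p in path.split("/") if p]
    if rid == METRONOME_JOBS:
        return "metronome", []
    if rid.startswith(METRONOME_JOBS + ":"):
        path = rid[len(METRONOME_JOBS) + 1:]
        return "metronome", [p for p in path.split(".") if p]
    raise ValueError("unsupported resource id: " + rid)


def grant_covers(granted_rid, requested_rid):
    """A grant on a group applies to that group and every group nested inside it,
    but never to its parent groups: the granted path must be a prefix of the
    requested path, and both must belong to the same service."""
    g_service, g_path = parse_rid(granted_rid)
    r_service, r_path = parse_rid(requested_rid)
    return g_service == r_service and r_path[:len(g_path)] == g_path


def is_allowed(grants, resource_rid, action):
    """grants: iterable of (rid, action) pairs held by a user or group.

    Returns True if any grant covers the resource and either names the action
    or is 'full', which stands for all of the possible actions."""
    if action not in ACTIONS:
        raise ValueError("unknown action: " + action)
    for granted_rid, granted_action in grants:
        if granted_action not in ACTIONS + ("full",):
            raise ValueError("unknown action in grant: " + granted_action)
        if grant_covers(granted_rid, resource_rid) and granted_action in ("full", action):
            return True
    return False


# Constructed sample grants for a hypothetical user (not taken from the page).
SAMPLE_GRANTS = [
    (MARATHON_SERVICES + "/parent/child", "full"),
    (METRONOME_JOBS + ":parent.child", "read"),
]

if __name__ == "__main__":
    checks = [
        (MARATHON_SERVICES + "/parent/child/app", "delete"),   # covered by full
        (MARATHON_SERVICES + "/parent/other", "read"),         # parent group: denied
        (METRONOME_JOBS + ":parent.child.nightly", "read"),    # covered
        (METRONOME_JOBS + ":parent.child.nightly", "update"),  # only read granted
    ]
    for rid, act in checks:
        print(f"{act:6s} {rid}: {'allow' if is_allowed(SAMPLE_GRANTS, rid, act) else 'deny'}")
```

Feeding a user's actual grants into is_allowed is a quick way to confirm that a grant on /parent/child really does not leak into /parent, and that a Metronome read grant does not silently permit update or delete; in DC/OS Enterprise the grants themselves are managed with the dcos security org users grant and dcos security org groups grant CLI commands.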